[kirkstone] libpcre2: upgrade 10.39 -> 10.40

Minor bug fixes and security updates.
Delete CVE-2022-1586.patch, wrong CVE code (patch included in 10.40).

CVE: CVE-2022-1587

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
---
 .../libpcre/libpcre2/CVE-2022-1586.patch      | 58 -------------------
 .../{libpcre2_10.39.bb => libpcre2_10.40.bb}  |  5 +-
 2 files changed, 2 insertions(+), 61 deletions(-)
 delete mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
 rename meta/recipes-support/libpcre/{libpcre2_10.39.bb => libpcre2_10.40.bb} (90%)

On Mon, May 30, 2022 at 2:13 AM Davide Gardenal
<davidegarde2000@gmail.com> wrote:
>
> Minor bug fixes and security updates.

There is a similar patch in master:

https://git.openembedded.org/openembedded-core/commit/?id=a4fed908dbb53f7e03257bf317af534dda6a471c

I wasn't going to take it unless requested, since the release notes said:

"Mainly a bug-fix release, but also includes an update to Unicode
property handling"

Would like some feedback from others on whether this is likely to be
an issue or not.

> Delete CVE-2022-1586.patch, wrong CVE code (patch included in 10.40).
>
> CVE: CVE-2022-1587

If this is the case then you should submit a patch for master to
correct this.  If people agree that the version bump is suitable for
LTS I would then take the upgrade patch from master along with your
patch to fix the CVE confusion.

Thanks for helping with CVEs!

Steve

> Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
> ---
>  .../libpcre/libpcre2/CVE-2022-1586.patch      | 58 -------------------
>  .../{libpcre2_10.39.bb => libpcre2_10.40.bb}  |  5 +-
>  2 files changed, 2 insertions(+), 61 deletions(-)
>  delete mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
>  rename meta/recipes-support/libpcre/{libpcre2_10.39.bb => libpcre2_10.40.bb} (90%)
>
> diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
> deleted file mode 100644
> index 10d88d7b73..0000000000
> --- a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
> +++ /dev/null
> @@ -1,58 +0,0 @@
> -From e881ed5028622959cf8859c053501fb1b16387f1 Mon Sep 17 00:00:00 2001
> -From: Hitendra Prajapati <hprajapati@mvista.com>
> -Date: Mon, 23 May 2022 13:52:39 +0530
> -Subject: [PATCH] CVE-2022-1586
> -
> -Upstream-Status: Backport from https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
> -
> -Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> ----
> - ChangeLog               | 3 +++
> - src/pcre2_jit_compile.c | 2 +-
> - src/pcre2_jit_test.c    | 3 +++
> - 3 files changed, 7 insertions(+), 1 deletion(-)
> -
> -diff --git a/ChangeLog b/ChangeLog
> -index d27542d..cd3da65 100644
> ---- a/ChangeLog
> -+++ b/ChangeLog
> -@@ -63,6 +63,9 @@ Version 10.39 29-October-2021
> -
> -   Reformat slightly to make it C89 compatible again.
> -
> -+23. Fixed a unicode properrty matching issue in JIT. The character was not
> -+fully read in caseless matching.
> -+
> -
> - Version 10.38 01-October-2021
> - -----------------------------
> -diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
> -index db2ce65..5baca9b 100644
> ---- a/src/pcre2_jit_compile.c
> -+++ b/src/pcre2_jit_compile.c
> -@@ -7473,7 +7473,7 @@ while (*cc != XCL_END)
> -     {
> -     SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
> -     cc++;
> --    if (*cc == PT_CLIST)
> -+    if (*cc == PT_CLIST && *cc == XCL_PROP)
> -       {
> -       other_cases = PRIV(ucd_caseless_sets) + cc[1];
> -       while (*other_cases != NOTACHAR)
> -diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
> -index 8dee16e..7bb307e 100644
> ---- a/src/pcre2_jit_test.c
> -+++ b/src/pcre2_jit_test.c
> -@@ -412,6 +412,9 @@ static struct regression_test_case regression_test_cases[] = {
> -       { MUP, A, 0, 0 | F_PROPERTY, "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" },
> -       { PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB  baaa" },
> -       { MUP, 0, 0, 0 | F_NOMATCH, "[^\\p{Hangul}\\p{Z}]", " " },
> -+      { MUP, 0, 0, 0, "[\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
> -+      { MUP, 0, 0, 0, "[\\x{a92e}\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
> -+      { CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" },
> -
> -       /* Possible empty brackets. */
> -       { MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" },
> ---
> -2.35.3
> -
> diff --git a/meta/recipes-support/libpcre/libpcre2_10.39.bb b/meta/recipes-support/libpcre/libpcre2_10.40.bb
> similarity index 90%
> rename from meta/recipes-support/libpcre/libpcre2_10.39.bb
> rename to meta/recipes-support/libpcre/libpcre2_10.40.bb
> index 36c51d700a..3843d43b69 100644
> --- a/meta/recipes-support/libpcre/libpcre2_10.39.bb
> +++ b/meta/recipes-support/libpcre/libpcre2_10.40.bb
> @@ -8,14 +8,13 @@ SUMMARY = "Perl Compatible Regular Expressions version 2"
>  HOMEPAGE = "http://www.pcre.org"
>  SECTION = "devel"
>  LICENSE = "BSD-3-Clause"
> -LIC_FILES_CHKSUM = "file://LICENCE;md5=43cfa999260dd853cd6cb174dc396f3d"
> +LIC_FILES_CHKSUM = "file://LICENCE;md5=41bfb977e4933c506588724ce69bf5d2"
>
>  SRC_URI = "https://github.com/PhilipHazel/pcre2/releases/download/pcre2-${PV}/pcre2-${PV}.tar.bz2 \
> -           file://CVE-2022-1586.patch \
>  "
>  UPSTREAM_CHECK_URI = "https://github.com/PhilipHazel/pcre2/releases"
>
> -SRC_URI[sha256sum] = "0f03caf57f81d9ff362ac28cd389c055ec2bf0678d277349a1a4bee00ad6d440"
> +SRC_URI[sha256sum] = "14e4b83c4783933dc17e964318e6324f7cae1bc75d8f3c79bc6969f00c159d68"
>
>  CVE_PRODUCT = "pcre2"
>
> --
> 2.32.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#166283): https://lists.openembedded.org/g/openembedded-core/message/166283
> Mute This Topic: https://lists.openembedded.org/mt/91429211/3617601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sakoman@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

On Mon, May 30, 2022 at 08:49 AM, Steve Sakoman wrote:

> 
> 
>> Delete CVE-2022-1586.patch, wrong CVE code (patch included in 10.40).
>> 
>> CVE: CVE-2022-1587
> 
> If this is the case then you should submit a patch for master to
> correct this. If people agree that the version bump is suitable for
> LTS I would then take the upgrade patch from master along with your
> patch to fix the CVE confusion.

Do you mean for kirkstone? Because master doesn't have that patch.

Also if this update is a problem I can just rename the patch so that cve-check can work properly.

Davide

On Mon, May 30, 2022 at 5:58 AM Davide Gardenal
<davidegarde2000@gmail.com> wrote:
>
> On Mon, May 30, 2022 at 08:49 AM, Steve Sakoman wrote:
>
> Delete CVE-2022-1586.patch, wrong CVE code (patch included in 10.40).
>
> CVE: CVE-2022-1587
>
> If this is the case then you should submit a patch for master to
> correct this. If people agree that the version bump is suitable for
> LTS I would then take the upgrade patch from master along with your
> patch to fix the CVE confusion.
>
> Do you mean for kirkstone? Because master doesn't have that patch.

My bad! Juggling three branches and looked at the wrong one :-(

> Also if this update is a problem I can just rename the patch so that cve-check can work properly.

Yes, could you fix the CVE namning issue in kirkstone with a separate
patch, and then resubmit the version bump patch based on this change?

I'll definitely take the CVE naming fix, and if there are no
objections to the version bump I'll take that one too.

Thanks again!

Steve

On Mon, May 30, 2022 at 09:08 AM, Steve Sakoman wrote:

> 
> Yes, could you fix the CVE namning issue in kirkstone with a separate
> patch, and then resubmit the version bump patch based on this change?

I was checking the patch and realize that the CVE number is not wrong (I searched for the wrong CVE online),
I'm going to backport a patch for CVE-2022-1587 and then I will send the revision bump.