Debian DEBIAN:DLA-3363-1
History: Mar 16, 2023 - 2:35 a.m.

[SECURITY] [DLA 3363-1] pcre2 security update

2023-03-16 02:35:51
lists.debian.org
Tags: pcre2, out-of-bounds read, information disclosure, denial of service, security update, debian 10 buster, unicode property matching, regular expression, jit

CVSS2: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
Attack Vector: NETWORK / Attack Complexity: LOW / Authentication: NONE
Confidentiality Impact: PARTIAL / Integrity Impact: NONE / Availability Impact: PARTIAL

CVSS3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Attack Vector: NETWORK / Attack Complexity: LOW / Privileges Required: NONE / User Interaction: NONE / Scope: UNCHANGED
Confidentiality Impact: HIGH / Integrity Impact: NONE / Availability Impact: HIGH

AI Score: 9.1 (Confidence: Low)
EPSS: 0.004 (Percentile: 72.0%)


Debian LTS Advisory DLA-3363-1 [email protected]
https://www.debian.org/lts/security/ Guilhem Moulin
March 16, 2023 https://wiki.debian.org/LTS

Package : pcre2
Version : 10.32-5+deb10u1
CVE ID : CVE-2019-20454 CVE-2022-1586 CVE-2022-1587
Debian Bug : 1011954

Multiple out-of-bounds read vulnerabilities were found in pcre2, a Perl
Compatible Regular Expression library, which could result in information
disclosure or denial of service. All three issues, and the additional
overread fixed in this upload, are in the JIT matcher: they are reached only
when a pattern is compiled with pcre2_jit_compile() and matched with JIT.

CVE-2019-20454

Out-of-bounds read when the pattern \X is JIT compiled and used to
match specially crafted subjects in non-UTF mode.

CVE-2022-1586

Out-of-bounds read involving unicode property matching in
JIT-compiled regular expressions. The issue occurs because the
character was not fully read in case-less matching within JIT.

CVE-2022-1587

Out-of-bounds read affecting recursions in JIT-compiled regular
expressions caused by duplicate data transfers.

This upload also fixes a subject buffer overread in JIT when UTF is
disabled and \X or \R has a greater than 1 fixed quantifier. This issue
was found by Yunho Kim.

For Debian 10 buster, these problems have been fixed in version
10.32-5+deb10u1.

We recommend that you upgrade your pcre2 packages.

For the detailed security status of pcre2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pcre2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment: signature.asc (PGP signature)
