CVE-2019-20454 (https://nvd.nist.gov/vuln/detail/CVE-2019-20454): An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. ---- @maintainer(s), please advise if ready for stabilisation, or call yourself
hppa/sparc stable
amd64 stable
arm64 stable
arm stable
s390 stable
x86 stable
ppc stable
ppc64 stable
m68k dropped stable keywords
@maintainer(s), please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c31891f8ad1b877fc318fea751dfe9a199e6623 commit 2c31891f8ad1b877fc318fea751dfe9a199e6623 Author: Lars Wendler <polynomial-c@gentoo.org> AuthorDate: 2020-04-21 07:34:26 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2020-04-21 07:34:26 +0000 dev-libs/libpcre2: Security cleanup Bug: https://bugs.gentoo.org/717800 Package-Manager: Portage-2.3.99, Repoman-2.3.22 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> dev-libs/libpcre2/Manifest | 2 - dev-libs/libpcre2/libpcre2-10.33-r1.ebuild | 83 ------------------------------ 2 files changed, 85 deletions(-)
This issue was resolved and addressed in GLSA 202006-16 at https://security.gentoo.org/glsa/202006-16 by GLSA coordinator Aaron Bauman (b-man).