Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 717920 (CVE-2019-20838, CVE-2020-14155)

Summary: <dev-libs/libpcre-8.44: Multiple vulnerabilities (CVE-2019-20838, CVE-2020-14155)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: base-system
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.pcre.org/original/changelog.txt
Whiteboard: B3 [noglsa cve]
Package list:
=dev-libs/libpcre-8.44
 Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 17:23:29 UTC 
Quoting from ChangeLog (8.44):
"6. Check the size of the number after (?C as it is read, in order to avoid
integer overflow."
"7. Tidy up left shifts to avoid sanitize warnings; also fix one NULL deference
in pcretest."


Quoting from ChangeLog (8.43):
"7. Fix subject buffer overread in JIT when UTF is disabled and \X or \R has
a greater than 1 fixed quantifier. This issue was found by Yunho Kim."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 17:23:54 UTC 
@maintainer(s), please advise if ready for stabilisation, or call yourself
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 17:00:43 UTC 
ping
Comment 3 jylipeng 2020-06-29 07:51:03 UTC 
@Sam James hi,I found this testcase could reproduce the bug in pcre2, but in pcre 8.42, I could not reproduce it.

/\X*/
    \xF3aaa\xE4\xEA\xEB\XFEa

Could you provide the suitable testcase for me to veritfy this change?
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 09:06:38 UTC 
arm64 done
Comment 5 Agostino Sarubbo gentoo-dev 2020-08-21 15:27:43 UTC 
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-08-22 05:50:55 UTC 
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-08-22 11:26:48 UTC 
amd64 stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-29 04:44:12 UTC 
ppc done
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-29 07:57:32 UTC 
sparc stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-04 11:54:04 UTC 
commit 4b467aaca13059e5b4438bc98de65f00c45dc8f1
Author: Sam James <sam@gentoo.org>
Date:   Thu Sep 3 23:42:29 2020 +0000

    dev-libs/libpcre: ppc64 stable (bug #717920)
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2020-09-06 08:18:31 UTC 
hppa stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-06 14:21:44 UTC 
s390: ping
Comment 13 Agostino Sarubbo gentoo-dev 2020-09-18 08:11:24 UTC 
s390 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Larry the Git Cow gentoo-dev 2020-09-18 10:30:14 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=577e461933395f3e973e0c153e3a1080cdf0a284

commit 577e461933395f3e973e0c153e3a1080cdf0a284
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-09-18 10:29:29 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-09-18 10:30:10 +0000

    dev-libs/libpcre: Security cleanup
    
    Bug: https://bugs.gentoo.org/717920
    Package-Manager: Portage-3.0.7, Repoman-3.0.1
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libpcre/Manifest            |  2 -
 dev-libs/libpcre/libpcre-8.42.ebuild | 96 ------------------------------------
 dev-libs/libpcre/libpcre-8.43.ebuild | 96 ------------------------------------
 3 files changed, 194 deletions(-)
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-23 16:27:08 UTC 
GLSA Vote: No

Repository is clean, all done!