Bug 717800 (CVE-2019-20454) - <dev-libs/libpcre2-10.34: Denial of service vulnerability (CVE-2019-20454)
Summary: <dev-libs/libpcre2-10.34: Denial of service vulnerability (CVE-2019-20454)
Status: RESOLVED FIXED
Alias: CVE-2019-20454
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-17 05:37 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-15 15:49 UTC (History)

See Also:
Package list:
dev-libs/libpcre2-10.34
Runtime testing required: ---
nattka: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 05:37:41 UTC
CVE-2019-20454 (https://nvd.nist.gov/vuln/detail/CVE-2019-20454):
  An out-of-bounds read was discovered in PCRE before 10.34 when the pattern
  \X is JIT compiled and used to match specially crafted subjects in non-UTF
  mode. Applications that use PCRE to parse untrusted input may be vulnerable
  to this flaw, which would allow an attacker to crash the application. The
  flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.


----
@maintainer(s), please advise if ready for stabilisation, or call yourself
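The summary gives the affected range as the Portage atom `<dev-libs/libpcre2-10.34`, and the NVD text ties the out-of-bounds read to a JIT-compiled `\X` pattern matched in non-UTF mode. The following triage helper is an added example, not code from this bug, from Portage or from PCRE2: it parses that atom, compares an installed libpcre2 version against it, and records whether the application exercises the JIT path at all. It assumes a simplified Gentoo version ordering (dotted numeric components plus an optional `-rN` revision), which is enough for libpcre2 version strings such as `10.33-r1`; `pcre2-config --version` is a real tool shipped with PCRE2 and is only queried when the script is run directly.

```python
"""Triage helper for CVE-2019-20454 against the Gentoo advisory range.

Added example (not code from the Gentoo bug, Portage or PCRE2).  Assumption:
a simplified Gentoo version ordering (dotted numeric components plus an
optional -rN revision), sufficient for libpcre2 version strings.
"""
import re
import subprocess
from typing import Callable, Dict, Optional, Tuple

# Vulnerable range straight from the bug summary: every version below 10.34.
ADVISORY_ATOM = "<dev-libs/libpcre2-10.34"

# operator, category/package, version.  Package names may contain '-', so the
# package part is matched lazily and the version must start with a digit.
_ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=)?"
    r"(?P<cat>[A-Za-z0-9_-]+)/(?P<pkg>[A-Za-z0-9_+-]+?)"
    r"-(?P<ver>\d+(?:\.\d+)*(?:-r\d+)?)$"
)

_OPS: Dict[str, Callable[[tuple, tuple], bool]] = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Map "10.33-r1" to ((10, 33), 1); the tuples then compare in version order."""
    base, _, rev = version.partition("-r")
    if not re.fullmatch(r"\d+(?:\.\d+)*", base) or (rev and not rev.isdigit()):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in base.split(".")), int(rev) if rev else 0


def parse_atom(atom: str) -> Tuple[str, str, str]:
    """Split "<dev-libs/libpcre2-10.34" into ("<", "dev-libs/libpcre2", "10.34")."""
    m = _ATOM_RE.match(atom)
    if m is None:
        raise ValueError(f"unsupported atom: {atom!r}")
    return m["op"] or "=", f"{m['cat']}/{m['pkg']}", m["ver"]


def version_in_range(installed: str, atom: str) -> bool:
    """True when the installed version satisfies the atom's version constraint."""
    op, _, bound = parse_atom(atom)
    return _OPS[op](version_key(installed), version_key(bound))


def installed_libpcre2_version() -> Optional[str]:
    """Ask pcre2-config (shipped with PCRE2) for the library version, or None."""
    try:
        out = subprocess.run(["pcre2-config", "--version"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


def triage(installed: str, jit_in_use: bool) -> Dict[str, object]:
    """Combine the version check with the advisory's trigger condition.

    The NVD text ties the out-of-bounds read to \\X being JIT compiled and
    matched in non-UTF mode, so jit_in_use records whether the application
    exercises that code path at all; the remediation is an upgrade either way.
    """
    affected = version_in_range(installed, ADVISORY_ATOM)
    return {
        "installed": installed,
        "affected": affected,
        "jit_path_exercised": affected and jit_in_use,
        "action": "upgrade to >=dev-libs/libpcre2-10.34" if affected else "none",
    }


if __name__ == "__main__":
    ver = installed_libpcre2_version()
    if ver is None:
        print("pcre2-config not found; pass a version string to triage() directly")
    else:
        print(triage(ver, jit_in_use=True))
```

Running the script on a host with PCRE2 installed prints the triage record for the library version `pcre2-config` reports; in a fleet inventory the same `version_in_range` check can be applied to version strings collected by other means, and the `jit_path_exercised` flag is only a prioritisation hint, not a reason to skip the upgrade.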
Comment 1 Rolf Eike Beer archtester 2020-04-17 19:21:38 UTC
hppa/sparc stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-04-18 09:19:02 UTC
amd64 stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-19 11:20:06 UTC
arm64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-04-19 12:14:37 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-04-19 12:15:12 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-04-19 12:16:37 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-20 09:48:19 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-20 09:50:41 UTC
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2020-04-21 07:14:43 UTC
m68k dropped stable keywords
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 07:19:06 UTC
@maintainer(s), please cleanup
Comment 11 Larry the Git Cow gentoo-dev 2020-04-21 07:44:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c31891f8ad1b877fc318fea751dfe9a199e6623

commit 2c31891f8ad1b877fc318fea751dfe9a199e6623
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-04-21 07:34:26 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-04-21 07:34:26 +0000

    dev-libs/libpcre2: Security cleanup
    
    Bug: https://bugs.gentoo.org/717800
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libpcre2/Manifest                 |  2 -
 dev-libs/libpcre2/libpcre2-10.33-r1.ebuild | 83 ------------------------------
 2 files changed, 85 deletions(-)
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-06-15 15:49:42 UTC
This issue was resolved and addressed in
 GLSA 202006-16 at https://security.gentoo.org/glsa/202006-16
by GLSA coordinator Aaron Bauman (b-man).