Bug 717800 (CVE-2019-20454) - <dev-libs/libpcre2-10.34: Denial of service vulnerability (CVE-2019-20454)
Alias: CVE-2019-20454
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Reported: 2020-04-17 05:37 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-15 15:49 UTC
Runtime testing required: ---
nattka: sanity-check+
Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 05:37:41 UTC
CVE-2019-20454:
  An out-of-bounds read was discovered in PCRE before 10.34 when the pattern
  \X is JIT compiled and used to match specially crafted subjects in non-UTF
  mode. Applications that use PCRE to parse untrusted input may be vulnerable
  to this flaw, which would allow an attacker to crash the application. The
  flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c.

@maintainer(s), please advise if ready for stabilisation, or call yourself
Comment 1 Rolf Eike Beer archtester 2020-04-17 19:21:38 UTC
hppa/sparc stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-04-18 09:19:02 UTC
amd64 stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-19 11:20:06 UTC
arm64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-04-19 12:14:37 UTC
arm stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-04-19 12:15:12 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-04-19 12:16:37 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-04-20 09:48:19 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-04-20 09:50:41 UTC
ppc64 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2020-04-21 07:14:43 UTC
m68k dropped stable keywords
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 07:19:06 UTC
@maintainer(s), please cleanup
Comment 11 Larry the Git Cow gentoo-dev 2020-04-21 07:44:27 UTC
The bug has been referenced in the following commit(s):

commit 2c31891f8ad1b877fc318fea751dfe9a199e6623
Author:     Lars Wendler <>
AuthorDate: 2020-04-21 07:34:26 +0000
Commit:     Lars Wendler <>
CommitDate: 2020-04-21 07:34:26 +0000

    dev-libs/libpcre2: Security cleanup
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Lars Wendler <>

 dev-libs/libpcre2/Manifest                 |  2 -
 dev-libs/libpcre2/libpcre2-10.33-r1.ebuild | 83 ------------------------------
 2 files changed, 85 deletions(-)
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-06-15 15:49:42 UTC
This issue was resolved and addressed in
 GLSA 202006-16 at
by GLSA coordinator Aaron Bauman (b-man).