Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 717920 (CVE-2019-20838, CVE-2020-14155) - <dev-libs/libpcre-8.44: Multiple vulnerabilities (CVE-2019-20838, CVE-2020-14155)
Summary: <dev-libs/libpcre-8.44: Multiple vulnerabilities (CVE-2019-20838, CVE-2020-14...
Alias: CVE-2019-20838, CVE-2020-14155
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [stable? cve]
Depends on:
Reported: 2020-04-17 17:23 UTC by Sam James
Modified: 2020-06-29 07:51 UTC (History)
1 user (show)

See Also:
Package list:
=dev-libs/libpcre-8.44 *
Runtime testing required: ---
nattka: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James gentoo-dev Security 2020-04-17 17:23:29 UTC
Quoting from ChangeLog (8.44):
"6. Check the size of the number after (?C as it is read, in order to avoid
integer overflow."
"7. Tidy up left shifts to avoid sanitize warnings; also fix one NULL deference
in pcretest."

Quoting from ChangeLog (8.43):
"7. Fix subject buffer overread in JIT when UTF is disabled and \X or \R has
a greater than 1 fixed quantifier. This issue was found by Yunho Kim."
Comment 1 Sam James gentoo-dev Security 2020-04-17 17:23:54 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself
Comment 2 Sam James gentoo-dev Security 2020-06-04 17:00:43 UTC
Comment 3 jylipeng 2020-06-29 07:51:03 UTC
@Sam James hi,I found this testcase could reproduce the bug in pcre2, but in pcre 8.42, I could not reproduce it.


Could you provide the suitable testcase for me to veritfy this change?