Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 717920 (CVE-2019-20838, CVE-2020-14155) - <dev-libs/libpcre-8.44: Multiple vulnerabilities (CVE-2019-20838, CVE-2020-14155)
Summary: <dev-libs/libpcre-8.44: Multiple vulnerabilities (CVE-2019-20838, CVE-2020-14...
Status: IN_PROGRESS
Alias: CVE-2019-20838, CVE-2020-14155
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.pcre.org/original/changelo...
Whiteboard: B3 [glsa? cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-17 17:23 UTC by Sam James
Modified: 2020-09-18 10:40 UTC (History)
1 user (show)

See Also:
Package list:
=dev-libs/libpcre-8.44
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-04-17 17:23:29 UTC
Quoting from ChangeLog (8.44):
"6. Check the size of the number after (?C as it is read, in order to avoid
integer overflow."
"7. Tidy up left shifts to avoid sanitize warnings; also fix one NULL deference
in pcretest."


Quoting from ChangeLog (8.43):
"7. Fix subject buffer overread in JIT when UTF is disabled and \X or \R has
a greater than 1 fixed quantifier. This issue was found by Yunho Kim."
Comment 1 Sam James archtester gentoo-dev Security 2020-04-17 17:23:54 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself
Comment 2 Sam James archtester gentoo-dev Security 2020-06-04 17:00:43 UTC
ping
Comment 3 jylipeng 2020-06-29 07:51:03 UTC
@Sam James hi,I found this testcase could reproduce the bug in pcre2, but in pcre 8.42, I could not reproduce it.

/\X*/
    \xF3aaa\xE4\xEA\xEB\XFEa

Could you provide the suitable testcase for me to veritfy this change?
Comment 4 Sam James archtester gentoo-dev Security 2020-08-19 09:06:38 UTC
arm64 done
Comment 5 Agostino Sarubbo gentoo-dev 2020-08-21 15:27:43 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-08-22 05:50:55 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-08-22 11:26:48 UTC
amd64 stable
Comment 8 Sam James archtester gentoo-dev Security 2020-08-29 04:44:12 UTC
ppc done
Comment 9 Sergei Trofimovich gentoo-dev 2020-08-29 07:57:32 UTC
sparc stable
Comment 10 Sergei Trofimovich gentoo-dev 2020-09-04 11:54:04 UTC
commit 4b467aaca13059e5b4438bc98de65f00c45dc8f1
Author: Sam James <sam@gentoo.org>
Date:   Thu Sep 3 23:42:29 2020 +0000

    dev-libs/libpcre: ppc64 stable (bug #717920)
Comment 11 Sergei Trofimovich gentoo-dev 2020-09-06 08:18:31 UTC
hppa stable
Comment 12 Sam James archtester gentoo-dev Security 2020-09-06 14:21:44 UTC
s390: ping
Comment 13 Agostino Sarubbo gentoo-dev 2020-09-18 08:11:24 UTC
s390 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Larry the Git Cow gentoo-dev 2020-09-18 10:30:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=577e461933395f3e973e0c153e3a1080cdf0a284

commit 577e461933395f3e973e0c153e3a1080cdf0a284
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-09-18 10:29:29 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-09-18 10:30:10 +0000

    dev-libs/libpcre: Security cleanup
    
    Bug: https://bugs.gentoo.org/717920
    Package-Manager: Portage-3.0.7, Repoman-3.0.1
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 dev-libs/libpcre/Manifest            |  2 -
 dev-libs/libpcre/libpcre-8.42.ebuild | 96 ------------------------------------
 dev-libs/libpcre/libpcre-8.43.ebuild | 96 ------------------------------------
 3 files changed, 194 deletions(-)