Debian 10225 Published by

A pcre2 security update has been released for Debian GNU/Linux 9 Extended LTS to address multiple out-of-bounds read vulnerabilities.



ELA-816-1 pcre2 security update

Package : pcre2
Version : 10.22-3+deb9u1 (stretch)

Related CVEs :
CVE-2022-1586

Multiple out-of-bounds read vulnerabilities were found in pcre2, a Perl
Compatible Regular Expression library, which could result in information
disclosure or denial or service.

CVE-2022-1586
An out-of-bounds read vulnerability was discovered in the PCRE2 library
in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c
file. This involves a unicode property matching issue in JIT-compiled
regular expressions. The issue occurs because the character was not
fully read in case-less matching within JIT.

Additionally, this upload also fixes a subject buffer overread in JIT
when UTF is disabled and \X or \R has a greater than 1 fixed quantifier.
This issue was found by Yunho Kim.

  ELA-816-1 pcre2 security update