Bug 1848444 (CVE-2019-20838)
| Field | Value |
|---|---|
| Summary | CVE-2019-20838 pcre: Buffer over-read in JIT when UTF is disabled and \X or \R has fixed quantifier greater than 1 |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Dhananjay Arunesh <darunesh> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Docs Contact | |
| Severity | low |
| Priority | low |
| Version | unspecified |
| CC | adam.stokes, andrew, csutherl, erik-fedora, gghezzo, gparvin, gzaronik, jclere, jramanat, jwon, kasal, krathod, lkundrak, mbabacek, mturk, pjindal, ppisar, stcannon, thoger |
| Target Milestone | --- |
| Target Release | --- |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | pcre 8.43 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2021-11-02 17:06:12 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1848445, 1848446, 1852252, 1980114 |
| Bug Blocks | 1848447 |
Description
Dhananjay Arunesh
2020-06-18 11:26:43 UTC
Created mingw-pcre tracking bugs for this issue: Affects: fedora-all [bug 1848446]

Created pcre tracking bugs for this issue: Affects: fedora-all [bug 1848445]

Upstream fix: <https://vcs.pcre.org/pcre?view=revision&revision=1740>

The flaw is in the file pcre_jit_compile.c, routine compile_iterator_matchingpath(). The affected code is not in versions of pcre shipped with Red Hat Enterprise Linux 5, 6, or 7.

Upstream bug report for this is: https://bugs.exim.org/show_bug.cgi?id=2320

Mitigation: Do not use more than one fixed quantifier with \R or \X with UTF disabled in PCRE or PCRE2, as these are the conditions needed to trigger the flaw.

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 8, via RHSA-2021:4373 https://access.redhat.com/errata/RHSA-2021:4373
- Red Hat JBoss Core Services, via RHSA-2021:4613 https://access.redhat.com/errata/RHSA-2021:4613
- JBoss Core Services on RHEL 7 and JBoss Core Services for RHEL 8, via RHSA-2021:4614 https://access.redhat.com/errata/RHSA-2021:4614
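The trigger conditions named in the summary and the mitigation (JIT compilation, UTF mode off, and \X or \R carrying a fixed quantifier greater than 1, such as `\X{2}` or `\R{3,3}`) can be pre-screened statically where an application hands user-supplied patterns to an unpatched libpcre. The scanner below is an added example written for this page; it is not pcre project code and not part of the bug's comments. The function names, the treatment of `{n,n}` as equivalent to `{n}`, and the simplified handling of `\Q...\E` runs and character classes are assumptions of this example, not statements about PCRE's parser.

```python
"""Pre-screen regex patterns for the CVE-2019-20838 trigger conditions.

Constructed example for this bug page, not pcre project code.  A hit means:
the pattern would be JIT-compiled, UTF mode is not enabled (neither via the
compile option nor via a leading (*UTF)/(*UTF8) verb), and \\X or \\R is
followed by a fixed quantifier greater than 1.  Pattern parsing here is a
simplification of PCRE's own parser (assumption: no (?x) extended mode,
POSIX classes inside [...] are not specially handled).
"""
import re
from typing import List, Tuple

# Fixed quantifier: {n} or {n,n}, optionally lazy (?) or possessive (+).
# Assumption: {n,n} compiles the same as {n} for the purpose of this screen.
_FIXED_QUANT = re.compile(r"\{(\d+)(?:,(\d+))?\}[?+]?")
# Leading option-setting verbs, e.g. (*UTF8), (*UTF), (*LIMIT_MATCH=10).
_LEADING_VERBS = re.compile(r"^(?:\(\*[A-Z0-9_=]+\))+")


def pattern_enables_utf(pattern: str) -> bool:
    """True if the pattern itself switches UTF on with a leading (*UTF)/(*UTF8)."""
    m = _LEADING_VERBS.match(pattern)
    if not m:
        return False
    verbs = re.findall(r"\(\*([A-Z0-9_=]+)\)", m.group(0))
    return any(v in ("UTF", "UTF8") for v in verbs)


def find_fixed_quantified_XR(pattern: str) -> List[Tuple[int, str]]:
    """Return (offset, text) for each \\X{n} / \\R{n} with n > 1, ignoring
    escapes inside \\Q...\\E runs and inside character classes, where \\X and
    \\R are not the grapheme-cluster / newline-sequence matchers."""
    hits: List[Tuple[int, str]] = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            nxt = pattern[i + 1]
            if nxt == "Q":                       # \Q ... \E: literal run
                end = pattern.find("\\E", i + 2)
                i = n if end < 0 else end + 2
                continue
            if nxt in "XR":
                m = _FIXED_QUANT.match(pattern, i + 2)
                if m:
                    lo = int(m.group(1))
                    hi = int(m.group(2)) if m.group(2) is not None else lo
                    if lo == hi and lo > 1:      # exact repeat count > 1
                        hits.append((i, pattern[i:m.end()]))
                    i = m.end()
                    continue
            i += 2                               # any other escape: skip it
            continue
        if c == "[":                             # skip a character class
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":      # leading ] is a literal
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
            continue
        i += 1
    return hits


def pattern_triggers(pattern: str, utf: bool = False, jit: bool = True) -> bool:
    """utf: PCRE_UTF8 / PCRE2_UTF is passed at compile time.
    jit: the pattern is studied/compiled with JIT (PCRE_STUDY_JIT_COMPILE or
    pcre2_jit_compile).  The interpreter path is not affected."""
    if not jit or utf or pattern_enables_utf(pattern):
        return False
    return bool(find_fixed_quantified_XR(pattern))


if __name__ == "__main__":
    # Constructed sample patterns, not taken from the bug report.
    for p in (r"a\X{2}b", r"\R{3,3}", r"\X{1}", r"\X{2,}", r"(*UTF8)\X{2}"):
        print(f"{p!r:22} triggers={pattern_triggers(p)}")
```

A flagged pattern should be rejected, or compiled without JIT, until the fixed library (pcre 8.43 per this bug) is deployed; the screen is a stopgap for that window, not a substitute for the update, and a pattern it does not flag is not thereby proven safe, since the scanner does not reproduce every PCRE syntax feature.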