Bug 1848444 (CVE-2019-20838)

Summary: CVE-2019-20838 pcre: Buffer over-read in JIT when UTF is disabled and \X or \R has fixed quantifier greater than 1
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: pcre 8.43
Doc Type: If docs needed, set a value
Last Closed: 2021-11-02 17:06:12 UTC
Reporter: Dhananjay Arunesh <darunesh>
Assignee: Red Hat Product Security <security-response-team>
CC: adam.stokes, andrew, csutherl, erik-fedora, gghezzo, gparvin, gzaronik, jclere, jramanat, jwon, kasal, krathod, lkundrak, mbabacek, mturk, pjindal, ppisar, stcannon, thoger
Bug Depends On: 1848445, 1848446, 1852252, 1980114
Bug Blocks: 1848447

Description Dhananjay Arunesh 2020-06-18 11:26:43 UTC
A vulnerability was found in libpcre: PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled and \X or \R has more than one fixed quantifier. This is related to CVE-2019-20454.

References:
https://bugs.gentoo.org/717920
https://www.pcre.org/original/changelog.txt

Comment 1 Dhananjay Arunesh 2020-06-18 11:27:24 UTC
Created mingw-pcre tracking bugs for this issue:

Affects: fedora-all [bug 1848446]

Created pcre tracking bugs for this issue:

Affects: fedora-all [bug 1848445]

Comment 2 Petr Pisar 2020-06-18 13:03:37 UTC
Upstream fix <https://vcs.pcre.org/pcre?view=revision&revision=1740>.

Comment 4 Todd Cullum 2020-06-29 22:22:54 UTC
The flaw is in the file pcre_jit_compile.c routine, compile_iterator_matchingpath(). The affected code is not in versions of pcre shipped with Red Hat Enterprise Linux 5, 6, or 7.

Comment 10 Todd Cullum 2020-07-09 17:38:10 UTC
Upstream bug report for this is: https://bugs.exim.org/show_bug.cgi?id=2320

Comment 11 Todd Cullum 2020-07-09 18:04:28 UTC
Mitigation:

Do not use more than one fixed quantifier with \R or \X with UTF disabled in PCRE or PCRE2, as these are the conditions needed to trigger the flaw.
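
The mitigation above asks operators to avoid the triggering construct until a fixed PCRE (8.43 or later) is deployed. The following audit helper, added here as an illustration and not code from PCRE or from Red Hat, scans a list of regex patterns for the condition named in this bug's summary: a `\X` or `\R` escape followed by a fixed `{n}` quantifier with n greater than 1, in a pattern compiled without UTF mode. UTF mode is treated as on when the caller passes `utf_option=True` (standing in for the PCRE_UTF8 compile option) or when the pattern begins with the `(*UTF)` or `(*UTF8)` start-of-pattern item. The tokenizer understands only enough PCRE syntax for this check (escapes, `\Q...\E` quoting, character classes); the sample patterns at the bottom are constructed for the demonstration.

```python
"""Audit helper: flag regex patterns that match the CVE-2019-20838 trigger
condition (\\X or \\R with a fixed quantifier > 1 while UTF mode is off).

Added example for this bug record; not part of PCRE. The scanner handles
only the subset of PCRE syntax needed for this one check."""

import re
from dataclasses import dataclass
from typing import List

# Matches a {n} or {n,m}/{n,} quantifier; group 2 is None only for the fixed form {n}.
QUANT = re.compile(r"\{(\d+)(?:,(\d*))?\}")


@dataclass
class Finding:
    pattern: str
    offset: int      # index of the backslash that starts the affected escape
    escape: str      # "\\X" or "\\R"
    quantifier: str  # the literal quantifier text, e.g. "{3}"


def uses_utf(pattern: str, utf_option: bool) -> bool:
    """UTF mode is on via the compile option (caller-supplied, assumed to mirror
    PCRE_UTF8) or via a leading (*UTF)/(*UTF8) item inside the pattern itself."""
    return utf_option or pattern.startswith(("(*UTF)", "(*UTF8)"))


def find_risky_quantifiers(pattern: str, utf_option: bool = False) -> List[Finding]:
    """Return every \\X or \\R that carries a fixed {n} quantifier with n > 1,
    unless the pattern is compiled in UTF mode (where the page says the
    condition does not apply)."""
    if uses_utf(pattern, utf_option):
        return []
    findings: List[Finding] = []
    in_class = False
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:
            esc = pattern[i + 1]
            if in_class:            # escapes inside [...] are not \X/\R matches
                i += 2
                continue
            if esc == "Q":          # \Q...\E quotes everything literally
                end = pattern.find("\\E", i + 2)
                i = n if end < 0 else end + 2
                continue
            if esc in ("X", "R"):
                m = QUANT.match(pattern, i + 2)
                # Only the fixed form {n} with n > 1 is the condition on this page.
                if m and m.group(2) is None and int(m.group(1)) > 1:
                    findings.append(Finding(pattern, i, "\\" + esc, m.group(0)))
            i += 2
            continue
        if ch == "[" and not in_class:
            in_class = True
            j = i + 1
            if j < n and pattern[j] == "^":   # negated class
                j += 1
            if j < n and pattern[j] == "]":   # a ']' right after '[' is literal
                j += 1
            i = j
            continue
        if ch == "]" and in_class:
            in_class = False
        i += 1
    return findings


def audit(patterns: List[str], utf_option: bool = False) -> List[Finding]:
    """Scan a whole inventory of patterns and collect the findings."""
    out: List[Finding] = []
    for p in patterns:
        out.extend(find_risky_quantifiers(p, utf_option))
    return out


if __name__ == "__main__":
    # Constructed sample inventory for the demonstration.
    sample = [
        r"^\X{2}$",                 # flagged: fixed quantifier 2 on \X, no UTF
        r"a\R{3}b\X{1}c\X{2,4}",    # flagged once: \R{3}; \X{1} and \X{2,4} are not the fixed >1 form
        r"(*UTF)\X{2}",             # not flagged: UTF enabled in-pattern
        r"[\X{2}]",                 # not flagged: inside a character class
        r"\Q\X{2}\E",               # not flagged: quoted literally
    ]
    for f in audit(sample):
        print(f"{f.pattern!r}: {f.escape}{f.quantifier} at offset {f.offset}")
```

Run it against the exported pattern inventory of a service (for example the regexes in a web application firewall ruleset or a log parser) with `utf_option` set to whatever that service passes to `pcre_compile`; any finding is a pattern to rewrite or a host to prioritise for the pcre 8.43 update.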

Comment 15 errata-xmlrpc 2021-11-09 18:29:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4373 https://access.redhat.com/errata/RHSA-2021:4373

Comment 16 errata-xmlrpc 2021-11-10 17:14:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2021:4613 https://access.redhat.com/errata/RHSA-2021:4613

Comment 17 errata-xmlrpc 2021-11-10 17:18:10 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:4614 https://access.redhat.com/errata/RHSA-2021:4614