2077976 – (CVE-2022-1586) CVE-2022-1586 pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcre2_jit_compile.c

Bug 2077976 (CVE-2022-1586) - CVE-2022-1586 pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcre2_jit_compile.c

Summary: CVE-2022-1586 pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcr...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-1586
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2080025 2077987 2081957 2081970 2081971 2081972 2081973 2086873
Blocks:	2077988 2081998
TreeView+	depends on / blocked

Reported:	2022-04-22 18:50 UTC by Pedro Sampaio
Modified:	2024-03-18 14:36 UTC (History)
CC List:	26 users (show)
Fixed In Version:	pcre2 10.40
Doc Type:	If docs needed, set a value
Doc Text:	An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.
Clone Of:
Environment:
Last Closed:	2022-08-31 16:55:18 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5251	0	None	None	None	2022-06-28 14:59:46 UTC
Red Hat Product Errata	RHSA-2022:5809	0	None	None	None	2022-08-03 12:44:16 UTC

Description Pedro Sampaio 2022-04-22 18:50:24 UTC

An out-of-bounds read was discovered in PCRE version 10.39, related to a missing Unicode property matching issue in JIT compiled regular expressions. The bug is present in the function "compile_xclass_matchingpath", declared in "pcre2_jit_compile.c".

References:

https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a

Comment 1 Pedro Sampaio 2022-04-22 19:04:27 UTC

Created pcre2 tracking bugs for this issue:

Affects: fedora-all [bug 2077987]

Comment 3 TEJ RATHI 2022-05-05 05:26:28 UTC

Created mingw-pcre2 tracking bugs for this issue:

Affects: fedora-all [bug 2081957]

Comment 7 errata-xmlrpc 2022-06-28 14:59:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5251 https://access.redhat.com/errata/RHSA-2022:5251

Comment 8 errata-xmlrpc 2022-08-03 12:44:13 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5809 https://access.redhat.com/errata/RHSA-2022:5809

Comment 9 Product Security DevOps Team 2022-08-31 16:55:15 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1586

Note You need to log in before you can comment on or make changes to this bug.

bdettelb
caswilli
dhalasz
dkuc
fjansen
ggastald
hhorak
jburrell
jwong
kaycoth
ljavorsk
manisandro
micjohns
mschorm
psegedy
rfreiman
sbiarozk
sthirugn
tcarlin
tfister
tkasparek
tmeszaro
tsasak
vkrizan
vkumar
vmugicag