Fedora has issued an advisory on May 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M2GLQQUEY5VFM57CFYXVIFOXN2HUZPDM/

The issues are fixed upstream in 10.40.
Assigning to the registered pcre2 maintainer, but CC'ing all packagers collectively in case the maintainer still doesn't push to stable.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => olav
openSUSE has issued an advisory for this on May 30:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KE7HTE3HTSBOQDKJHUQC6F7TDVU6A2H5/
RedHat has issued an advisory for this on June 28:
https://access.redhat.com/errata/RHSA-2022:5251
CVE-2022-1586 also affects pcre.

SUSE has issued an advisory for this today (July 8):
https://lists.suse.com/pipermail/sle-security-updates/2022-July/011480.html

CVE-2022-1587 may as well, but there's no fix available that I'm aware of:
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-1587

Source RPM: pcre2-10.36-1.mga8.src.rpm => pcre-8.44-1.mga8.src.rpm, pcre2-10.36-1.mga8.src.rpm
Summary: pcre2 new security issues CVE-2022-158[67] => pcre, pcre2 new security issues CVE-2022-158[67]
(In reply to David Walser from comment #4)
> CVE-2022-1586 also affects pcre.
>
> SUSE has issued an advisory for this today (July 8):
> https://lists.suse.com/pipermail/sle-security-updates/2022-July/011480.html
>
> CVE-2022-1587 may as well, but there's no fix available that I'm aware of:
> https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-1587

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JFWEPYJLVFR3H2W7ZTYXJX5DCDXYG6CY/
openSUSE has issued an advisory today (July 27):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/365XX4K3GWL5IQIIBELCA2CL5KWYJZP7/

They have now fixed CVE-2022-1587 in pcre2.
Ubuntu has issued an advisory for this on September 22:
https://ubuntu.com/security/notices/USN-5627-1
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a Unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT. (CVE-2022-1586)

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. (CVE-2022-1587)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1587
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M2GLQQUEY5VFM57CFYXVIFOXN2HUZPDM/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KE7HTE3HTSBOQDKJHUQC6F7TDVU6A2H5/
https://access.redhat.com/errata/RHSA-2022:5251
https://lists.suse.com/pipermail/sle-security-updates/2022-July/011480.html
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2022-1587
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JFWEPYJLVFR3H2W7ZTYXJX5DCDXYG6CY/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/365XX4K3GWL5IQIIBELCA2CL5KWYJZP7/
https://ubuntu.com/security/notices/USN-5627-1
========================

Updated packages in core/updates_testing:
========================
lib64pcre1-8.44-1.1.mga8
lib64pcre16_0-8.44-1.1.mga8
lib64pcre32_0-8.44-1.1.mga8
lib64pcre-devel-8.44-1.1.mga8
lib64pcre-static-devel-8.44-1.1.mga8
lib64pcrecpp0-8.44-1.1.mga8
lib64pcrecpp-devel-8.44-1.1.mga8
lib64pcreposix0-8.44-1.1.mga8
lib64pcreposix1-8.44-1.1.mga8
lib64pcreposix-devel-8.44-1.1.mga8
pcre-8.44-1.1.mga8
lib64pcre2_0-10.36-1.1.mga8
lib64pcre2-devel-10.36-1.1.mga8
lib64pcre2posix2-10.36-1.1.mga8
pcre2-tools-10.36-1.1.mga8

from SRPMS:
pcre-8.44-1.1.mga8.src.rpm
pcre2-10.36-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: olav => qa-bugs
CC: (none) => nicolas.salguero
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 26274 and bug 26932 for testing, following blindly Len's trail, as I don't even half understand what this is all about.

$ pcre2test -C
PCRE2 version 10.36 2020-12-04
Compiled with
  8-bit support
  16-bit support
  32-bit support
  UTF and UCP support (Unicode version 13.0.0)
  Just-in-time compiler support: x86 64bit (little endian + unaligned)
  Default newline sequence is LF
  \R matches all Unicode newlines
  \C is supported
  Internal link size = 2
  Parentheses nest limit = 250
  Default heap limit = 20000000 kibibytes
  Default match limit = 10000000
  Default depth limit = 10000000
  pcre2test has libreadline support

Copied net-applet from /bin into my home, then

$ pcre2grep -u net_applet ~/net_applet
my $onstartupfile = "$ENV{HOME}/.net_applet";
shouldStart() or die "$onstartupfile should be set to TRUE or use net_applet --force\n";
is_running('net_applet') and die "net_applet already running\n";
package network::net_applet;
my $network = network::net_applet::get_current_network();
$icon = StatusNotifier::Item->new_from_icon_name('net_applet', 'STATUS_NOTIFIER_CATEGORY_APPLICATION_STATUS', 'drakx-net-unconfigured');
$icon->set_title('net_applet');
require network::net_applet::ifw;
network::net_applet::ifw::init();
network::net_applet::ifw::get_unprocessed_ifw_messages() if $ifw;
eval { $network::net_applet::ifw->get_reports };
# When net_applet is launched automatically when opening a new session, there
my $pixbuf = network::net_applet::get_state_pixbuf();
network::net_applet::update_tray_icon();
$is_sni ? $icon->set_tooltip("drakx-net-$current_state", 'net_applet', $message) : $icon->set_tooltip_text($message);

$ pcre2grep -u -v -t net_applet ~/net_applet
608
$ pcre2grep -u -t net_applet ~/net_applet
15
[tester8@mach7 ~]$ lines net_applet
bash: lines: command not found

How relevant is this ???

Gave up on stellarium and godot; continued .....

$ pcre-config --version
8.44
$ pcre-config --libs
-L/usr/lib64 -lpcre
$ pcretest
PCRE version 8.44 2020-02-12
re> 3+2
** Delimiter must not be alphanumeric or \
re> exit
** Delimiter must not be alphanumeric or \
re> quit
** Delimiter must not be alphanumeric or \
re> ^C

Leaving for Len or TJ (or ????) to judge whether this test is good enough. If so, give the OK, please.

CC: (none) => herman.viaene
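Added here as a triage helper, not code from the bug report, from Mageia or from the PCRE2 project: a POSIX shell script that reads the `pcre2test -C` output of the kind pasted in the test comment above and decides whether the two JIT bugs from the advisory in comment 8 can apply to a given build. The rule it encodes follows from the advisory text: both affected functions live in pcre2_jit_compile.c, so a build without JIT support never runs them; the upstream fix is 10.40; and a distribution package can report an older version yet carry a backport (the 10.36-1.1.mga8 packages above are one such case), so a bare version check is not enough and a second argument lets the caller pass what the distribution advisory says. The sample -C output is constructed for the example, and the function names and the `backported` argument are the example's own.

```shell
#!/bin/sh
# Added triage helper (example code, not from the bug report or from PCRE2).
# Classifies a pcre2 build from `pcre2test -C` output with respect to
# CVE-2022-1586 / CVE-2022-1587, both of which sit in pcre2_jit_compile.c.

FIXED_UPSTREAM="10.40"

# Constructed sample, trimmed from a real `pcre2test -C` paste (10.36 with JIT).
SAMPLE_C_OUTPUT='PCRE2 version 10.36 2020-12-04
Compiled with
  8-bit support
  UTF and UCP support (Unicode version 13.0.0)
  Just-in-time compiler support: x86 64bit (little endian + unaligned)
  Default newline sequence is LF'

# Print the "X.Y" version from a line such as "PCRE2 version 10.36 2020-12-04".
pcre2_version() {
    sed -n 's/^PCRE2 version \([0-9][0-9.]*\).*/\1/p'
}

# Print "yes" if JIT is compiled in, "no" otherwise. pcre2test prints
# "Just-in-time compiler support: ..." when present and
# "No just-in-time compiler support" when absent, so anchor on the capital J.
pcre2_has_jit() {
    if grep -q '^[[:space:]]*Just-in-time compiler support:'; then
        echo yes
    else
        echo no
    fi
}

# True (exit 0) when version $1 is older than version $2, comparing major.minor
# numerically so that 10.9 sorts before 10.40.
version_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}; a_minor=${a_minor%%.*}
    b_major=${2%%.*}; b_minor=${2#*.}; b_minor=${b_minor%%.*}
    [ "$a_major" -lt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# $1: text of `pcre2test -C`; $2: "yes" if the distro advisory or package
# changelog says the fix was backported to this version (hypothetical flag).
pcre2_triage() {
    out=$1
    backported=${2:-no}
    ver=$(printf '%s\n' "$out" | pcre2_version)
    jit=$(printf '%s\n' "$out" | pcre2_has_jit)
    if [ -z "$ver" ]; then
        echo "unknown (no PCRE2 version line)"
        return
    fi
    if [ "$jit" = no ]; then
        # The affected code is never built, whatever the version says.
        echo "not-affected (no JIT)"
        return
    fi
    if ! version_lt "$ver" "$FIXED_UPSTREAM"; then
        echo "fixed-upstream ($ver)"
        return
    fi
    if [ "$backported" = yes ]; then
        echo "fixed-by-backport ($ver)"
        return
    fi
    echo "vulnerable ($ver < $FIXED_UPSTREAM, JIT enabled)"
}

# Use the real tool when present, otherwise the constructed sample.
if command -v pcre2test >/dev/null 2>&1; then
    pcre2_triage "$(pcre2test -C)"
else
    pcre2_triage "$SAMPLE_C_OUTPUT"
fi
```

On a Mageia 8 box the 10.36 build above reports as vulnerable until you tell the script the package is the backported 10.36-1.1.mga8 build; the version string never changes with a backport, so `rpm -q --changelog pcre2` or the distribution advisory is what actually answers the question.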
No reaction in one week, so giving the OK as no problems have cropped up.
Whiteboard: (none) => MGA8-64-OK
It's a mystery to me too, Herman, which is why I kept quiet. But since it doesn't seem to cause problems, I'll validate. Advisory in comment 8.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0417.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED