Security update for pcre2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2022:2649-1 Final 1 1 2022-08-03T13:06:51Z current 2022-08-03T13:06:51Z 2022-08-03T13:06:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pcre2 This update for pcre2 fixes the following issues: - CVE-2019-20454: Fixed out-of-bounds read in JIT mode when \X is used in non-UTF mode (bsc#1164384). - CVE-2022-1587: Fixed out-of-bounds read due to bug in recursions (bsc#1199235). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-Micro-5.2-2022-2649 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZVHVSVNKKW7CC77JRUJ23MMS76WXHBBU/ E-Mail link for openSUSE-SU-2022:2649-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1164384 SUSE Bug 1164384 https://bugzilla.suse.com/1199235 SUSE Bug 1199235 https://www.suse.com/security/cve/CVE-2019-20454/ SUSE CVE CVE-2019-20454 page https://www.suse.com/security/cve/CVE-2022-1587/ SUSE CVE CVE-2022-1587 page openSUSE Leap Micro 5.2 libpcre2-8-0-10.31-150000.3.12.1 libpcre2-8-0-10.31-150000.3.12.1 as a component of openSUSE Leap Micro 5.2 An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. CVE-2019-20454 openSUSE Leap Micro 5.2:libpcre2-8-0-10.31-150000.3.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZVHVSVNKKW7CC77JRUJ23MMS76WXHBBU/ https://www.suse.com/security/cve/CVE-2019-20454.html CVE-2019-20454 https://bugzilla.suse.com/1164384 SUSE Bug 1164384 https://bugzilla.suse.com/1172973 SUSE Bug 1172973 An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. CVE-2022-1587 openSUSE Leap Micro 5.2:libpcre2-8-0-10.31-150000.3.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZVHVSVNKKW7CC77JRUJ23MMS76WXHBBU/ https://www.suse.com/security/cve/CVE-2022-1587.html CVE-2022-1587 https://bugzilla.suse.com/1199235 SUSE Bug 1199235 https://bugzilla.suse.com/1201754 SUSE Bug 1201754 https://bugzilla.suse.com/1203032 SUSE Bug 1203032