Bugzilla – Bug 1199232
VUL-0: CVE-2022-1586: pcre8,pcre,pcre2: Unicode property matching issue
Last modified: 2022-09-01 14:07:04 UTC
rh#2077976 An out-of-bounds read was discovered in PCRE version 10.39, related to a missing Unicode property matching issue in JIT compiled regular expressions. The bug is present in the function "compile_xclass_matchingpath", declared in "pcre2_jit_compile.c". References: https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a References: https://bugzilla.redhat.com/show_bug.cgi?id=2077976 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1586
(For pcre please see file pcre_jit_compile.c instead of pcre2_jit_compile.c) Affected: - SUSE:SLE-11-SP3:Update:Teradata/pcre8 8.33 - SUSE:Carwos:1/pcre 8.45 - SUSE:SLE-12:Update/pcre 8.45 - SUSE:SLE-15:Update/pcre 8.45 - openSUSE:Factory/pcre 8.45 - SUSE:SLE-15:Update/pcre2 10.31 - SUSE:SLE-12:Update/pcre2 10.34 - SUSE:SLE-15-SP4:Update/pcre2 10.39 Not Affected: - SUSE:SLE-11:Update/pcre 7.8 - openSUSE:Factory/pcre2 10.40
This is foremost a pcre2 issue. I won't touch the pcre1 jit code - it might look similiar to pcre2, but I don't understand it and won't risk regressions. Note that the linked commit doesn't make sense - *cc can't be both.
Thanks, true, the fixing commit should be: https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc388f89095b184ba6d99422cfc676c
It looks like the fix is a combination of both GitHub URLs. The patch in comment #0 is "Fixed a unicode properrty matching issue in JIT" but it introduced a new bug. That new bug was fixed in the patch in comment #3
(In reply to Hu from comment #1) > (For pcre please see file pcre_jit_compile.c instead of pcre2_jit_compile.c) > > Affected: > - SUSE:SLE-11-SP3:Update:Teradata/pcre8 8.33 > - SUSE:Carwos:1/pcre 8.45 > - SUSE:SLE-12:Update/pcre 8.45 > - SUSE:SLE-15:Update/pcre 8.45 > - openSUSE:Factory/pcre 8.45 > > - SUSE:SLE-15:Update/pcre2 10.31 > - SUSE:SLE-12:Update/pcre2 10.34 > - SUSE:SLE-15-SP4:Update/pcre2 10.39 > > Not Affected: > - SUSE:SLE-11:Update/pcre 7.8 > - openSUSE:Factory/pcre2 10.40 I made patches for versions 8.45, 10.31, and 10.34 The relevant code is very different in version 8.33; I gave up trying to follow it. However, I applied the test that was a part of the patch in comment #0 which passed in 8.33. So it appears that version 8.33 is not affected.
Created attachment 858831 [details] Patch for pcre2
Created attachment 858832 [details] Patch for pcre
This is not yet complete. SLE-15-SP4 still needs to be submitted. This is what I have so far. | pcre | | | created request id 272062 | SUSE:SLE-12:Update | | created request id 272064 | SUSE:SLE-15:Update | | created request id 976389 | Base:System | |---------------------------+------------------------| | pcre2 | | | created request id 272061 | SUSE:SLE-12:Update | | created request id 272066 | SUSE:SLE-15:Update |
(In reply to Jason Sikes from comment #5) > The relevant code is very different in version 8.33; I gave up trying to > follow it. > > However, I applied the test that was a part of the patch in comment #0 which > passed in 8.33. So it appears that version 8.33 is not affected. Ah okay thanks, then I made a mistake and 8.33 is not affected.
SUSE-SU-2022:1836-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1199232 CVE References: CVE-2022-1586 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): pcre2-10.34-1.7.1 SUSE OpenStack Cloud Crowbar 8 (src): pcre2-10.34-1.7.1 SUSE OpenStack Cloud 9 (src): pcre2-10.34-1.7.1 SUSE OpenStack Cloud 8 (src): pcre2-10.34-1.7.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): pcre2-10.34-1.7.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): pcre2-10.34-1.7.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): pcre2-10.34-1.7.1 SUSE Linux Enterprise Server 12-SP5 (src): pcre2-10.34-1.7.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): pcre2-10.34-1.7.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): pcre2-10.34-1.7.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): pcre2-10.34-1.7.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): pcre2-10.34-1.7.1 HPE Helion Openstack 8 (src): pcre2-10.34-1.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2022:1883-1: An update that fixes one vulnerability is now available. Category: recommended (important) Bug References: 1199232 CVE References: CVE-2022-1586 JIRA References: Sources used: openSUSE Leap 15.4 (src): pcre2-10.31-150000.3.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1883-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1199232 CVE References: CVE-2022-1586 JIRA References: Sources used: openSUSE Leap 15.3 (src): pcre2-10.31-150000.3.7.1 SUSE Manager Server 4.1 (src): pcre2-10.31-150000.3.7.1 SUSE Manager Retail Branch Server 4.1 (src): pcre2-10.31-150000.3.7.1 SUSE Manager Proxy 4.1 (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Server for SAP 15 (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Server 15-LTSS (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Micro 5.2 (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise Micro 5.1 (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): pcre2-10.31-150000.3.7.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): pcre2-10.31-150000.3.7.1 SUSE Enterprise Storage 7 (src): pcre2-10.31-150000.3.7.1 SUSE Enterprise Storage 6 (src): pcre2-10.31-150000.3.7.1 SUSE CaaS Platform 4.0 (src): pcre2-10.31-150000.3.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Finally submitted for SLE-15-SP4. created request id 274337
Complete. Assigning to Security Team.
I was informed by Gabriele Sonnu that the CVE information was missing from the changes files. However, some of the submissions have already been accepted. I have made updates to the submissions that have not yet been accepted. Here are the superseded submissions: | Project | package | old state | superseded submission status | |-------------------+------------------------+-----------+------------------------------| | pcre | | | | | request id 272062 | SUSE:SLE-12:Update | new | created request id 274652 | | request id 272064 | SUSE:SLE-15:Update | new | created request id 274654 | | request id 976389 | Base:System | accepted | NA | |-------------------+------------------------+-----------+------------------------------| | pcre2 | | | | | request id 272061 | SUSE:SLE-12:Update | accepted | NA | | request id 272066 | SUSE:SLE-15:Update | accepted | NA | | request id 274337 | SUSE:SLE-15-SP4:Update | declined | created request id 274655 |
SUSE-SU-2022:2334-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1199232 CVE References: CVE-2022-1586 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): pcre-8.45-8.12.1 SUSE OpenStack Cloud Crowbar 8 (src): pcre-8.45-8.12.1 SUSE OpenStack Cloud 9 (src): pcre-8.45-8.12.1 SUSE OpenStack Cloud 8 (src): pcre-8.45-8.12.1 SUSE Linux Enterprise Workstation Extension 12-SP5 (src): pcre-8.45-8.12.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): pcre-8.45-8.12.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): pcre-8.45-8.12.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): pcre-8.45-8.12.1 SUSE Linux Enterprise Server 12-SP5 (src): pcre-8.45-8.12.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): pcre-8.45-8.12.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): pcre-8.45-8.12.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): pcre-8.45-8.12.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): pcre-8.45-8.12.1 SUSE Linux Enterprise High Availability 12-SP5 (src): pcre-8.45-8.12.1 SUSE Linux Enterprise High Availability 12-SP4 (src): pcre-8.45-8.12.1 SUSE Linux Enterprise High Availability 12-SP3 (src): pcre-8.45-8.12.1 HPE Helion Openstack 8 (src): pcre-8.45-8.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2360-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1199232 CVE References: CVE-2022-1586 JIRA References: Sources used: openSUSE Leap 15.4 (src): pcre2-10.39-150400.4.3.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): pcre2-10.39-150400.4.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2361-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1199232 CVE References: CVE-2022-1586 JIRA References: Sources used: openSUSE Leap 15.4 (src): pcre-8.45-150000.20.13.1 openSUSE Leap 15.3 (src): pcre-8.45-150000.20.13.1 SUSE Manager Server 4.1 (src): pcre-8.45-150000.20.13.1 SUSE Manager Retail Branch Server 4.1 (src): pcre-8.45-150000.20.13.1 SUSE Manager Proxy 4.1 (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Server for SAP 15 (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Server 15-LTSS (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Micro 5.2 (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise Micro 5.1 (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): pcre-8.45-150000.20.13.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): pcre-8.45-150000.20.13.1 SUSE Enterprise Storage 7 (src): pcre-8.45-150000.20.13.1 SUSE Enterprise Storage 6 (src): pcre-8.45-150000.20.13.1 SUSE CaaS Platform 4.0 (src): pcre-8.45-150000.20.13.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done here, closing.
openSUSE-SU-2022:2361-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1199232 CVE References: CVE-2022-1586 JIRA References: Sources used: openSUSE Leap Micro 5.2 (src): pcre-8.45-150000.20.13.1