On Fri, May 27, 2022 at 06:52:11PM +0100, Matthew Vernon wrote:
> Hi,
> 
> Would you like me to prepare an upload for these, or are you working on
> this?
> 
> [sorry, it's not clear from the bug report]

Sorry, this fell through the cracks until I just started to flush my
inbox's backlog.

Whether we should fix this via a DSA needs a closer look first; for
regex engines the decisive factor is whether the OOB reads can be
triggered via malformed input fed to the regex library (then we can
fix this via a DSA) or via an untrusted regex pattern passed to
the library (which wouldn't warrant a DSA since it's inherently
unsafe and some basic form of sanitising is within the responsibility
of the application using pcre).

Cheers,
        Moritz
