Bug#1011954: CVE-2022-1586 CVE-2022-1587
Hi,

On 06/09/2022 15:56, Cyril Jouve wrote:
> are the binary packages going to be published to bullseye?

I think they'll be in the next point release of bullseye.

Regards,

Matthew
Bug#1011954: CVE-2022-1586 CVE-2022-1587
Hi,

Are the binary packages going to be published to bullseye?

Regards,

Cyril
Bug#1011954: CVE-2022-1586 CVE-2022-1587
On Fri, May 27, 2022 at 06:52:11PM +0100, Matthew Vernon wrote:
> Hi,
>
> Would you like me to prepare an upload for these, or are you working on
> this?
>
> [sorry, it's not clear from the bug report]

Sorry, this fell through the cracks until I just started to flush my inbox's backlog.

Whether we should fix this via a DSA needs a closer look first; for regex engines the decisive factor is whether the OOB reads can be triggered via malformed input fed to the regex library (then we can fix this via a DSA) or via an untrusted regex pattern passed to the library (which wouldn't warrant a DSA, since it's inherently unsafe and some basic form of sanitising is within the responsibility of the application using pcre).

Cheers,
Moritz
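The distinction Moritz draws above, between untrusted data reaching pcre as the subject string and untrusted data reaching it as the pattern, is what the following added C example illustrates; it is not part of this thread, the bug report or pcre2 itself, and it does not link against libpcre2. It shows the "basic form of sanitising" an application can apply when it only needs a literal search term from the user but still has to embed it in a pattern: wrap the text in PCRE2's \Q...\E literal quoting (documented in pcre2pattern(3)) and neutralise any \E the text contains, so the user data cannot be interpreted as regex syntax. The helper names pcre2_quote_literal and make_word_pattern are hypothetical, not pcre2 API; the inputs in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical application helper (not pcre2 API): wrap untrusted text so
 * that PCRE2 matches it literally.  PCRE2's \Q...\E quoting (pcre2pattern(3))
 * makes everything between the markers literal; the only sequence that can
 * terminate it early is "\E", so each "\E" in the input is rewritten as
 * "\E\\E\Q": close quoting, escaped backslash, literal E, reopen quoting.
 * Returns a malloc'd string (caller frees), or NULL on allocation failure. */
char *pcre2_quote_literal(const char *text)
{
    size_t len = strlen(text);
    /* Worst case: every 2 input bytes ("\E") become 7 output bytes,
     * plus the outer "\Q" and "\E" and the terminating NUL. */
    char *out = malloc(len * 4 + 5);
    if (out == NULL)
        return NULL;

    char *p = out;
    memcpy(p, "\\Q", 2);
    p += 2;
    for (size_t i = 0; i < len; i++) {
        if (text[i] == '\\' && text[i + 1] == 'E') {
            memcpy(p, "\\E\\\\E\\Q", 7);
            p += 7;
            i++;                    /* consume the 'E' as well */
        } else {
            *p++ = text[i];
        }
    }
    memcpy(p, "\\E", 2);
    p += 2;
    *p = '\0';
    return out;
}

/* Hypothetical helper: embed a user-supplied search term in a fixed,
 * application-controlled pattern (here: whole-word match).  Only the
 * literal term comes from the user; the surrounding syntax does not. */
char *make_word_pattern(const char *term)
{
    char *quoted = pcre2_quote_literal(term);
    if (quoted == NULL)
        return NULL;
    size_t n = strlen(quoted) + 4 + 1;      /* "\b" + quoted + "\b" + NUL */
    char *pat = malloc(n);
    if (pat != NULL)
        snprintf(pat, n, "\\b%s\\b", quoted);
    free(quoted);
    return pat;
}

int main(void)
{
    /* Constructed inputs: regex metacharacters, an attempt to break out of
     * the literal quoting with an embedded "\E", and a recursion construct. */
    const char *inputs[] = { "a.b*", "x\\Ey", "(?R)" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *pat = make_word_pattern(inputs[i]);
        printf("%-8s -> %s\n", inputs[i], pat ? pat : "(alloc failed)");
        free(pat);
    }
    return 0;
}
```

This only covers the case where the application wants the user's text treated as a literal, which moves the untrusted data into the same position as a subject string. If the application genuinely has to accept user-written regexes, quoting does not apply and the pattern source itself is untrusted, which is the situation Moritz says a DSA would not cover.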
Bug#1011954: CVE-2022-1586 CVE-2022-1587
Hi,

Would you like me to prepare an upload for these, or are you working on this?

[sorry, it's not clear from the bug report]

Thanks,

Matthew
Bug#1011954: CVE-2022-1586 CVE-2022-1587
Source: pcre2
Version: 10.36-2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team

CVE-2022-1587
https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0

CVE-2022-1586
https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc388f89095b184ba6d99422cfc676c

Cheers,
Moritz