ELA-816-1 pcre2 security update

buffer overread

Version10.22-3+deb9u1 (stretch)
Related CVEs CVE-2022-1586

Multiple out-of-bounds read vulnerabilities were found in pcre2, a Perl Compatible Regular Expression library, which could result in information disclosure or denial or service.


An out-of-bounds read vulnerability was discovered in the PCRE2 library
in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c
file. This involves a unicode property matching issue in JIT-compiled
regular expressions.  The issue occurs because the character was not
fully read in case-less matching within JIT.

Additionally, this upload also fixes a subject buffer overread in JIT when UTF is disabled and \X or \R has a greater than 1 fixed quantifier. This issue was found by Yunho Kim.

For Debian 9 stretch, these problems have been fixed in version 10.22-3+deb9u1.

We recommend that you upgrade your pcre2 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.