cvrf2cusa/cvrf/2022/cvrf-openEuler-SA-2022-1686.xml
Jia Chao 0b34274085 git mv
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00
<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for pcre2 is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2022-1686</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2022-06-02</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2022-06-02</InitialReleaseDate>
<CurrentReleaseDate>2022-06-02</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2022-06-02</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">pcre2 security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for pcre2 is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">PCRE2 is a re-working of the original PCRE1 library to provide an entirely new API. Since its initial release in 2015, there has been further development of the code and it now differs from PCRE1 in more than just the API. PCRE2 is written in C, and it has its own API. There are three sets of functions, one for the 8-bit library, which processes strings of bytes, one for the 16-bit library, which processes strings of 16-bit values, and one for the 32-bit library, which processes strings of 32-bit values. Unlike PCRE1, there are no C++ wrappers.
Security Fix(es):
An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a Unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT. (CVE-2022-1586)
An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers. (CVE-2022-1587)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for pcre2 is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.
openEuler Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Critical</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">pcre2</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1686</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1586</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-1587</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-1586</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-1587</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="pcre2-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">pcre2-10.35-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-devel-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">pcre2-devel-10.35-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debugsource-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">pcre2-debugsource-10.35-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debuginfo-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">pcre2-debuginfo-10.35-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debuginfo-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">pcre2-debuginfo-10.35-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debugsource-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">pcre2-debugsource-10.35-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-devel-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">pcre2-devel-10.35-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">pcre2-10.35-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debuginfo-10.39-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">pcre2-debuginfo-10.39-2.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debugsource-10.39-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">pcre2-debugsource-10.39-2.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-10.39-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">pcre2-10.39-2.oe2203.aarch64.rpm</FullProductName>
<FullProductName ProductID="pcre2-devel-10.39-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">pcre2-devel-10.39-2.oe2203.aarch64.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="pcre2-help-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">pcre2-help-10.35-2.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="pcre2-help-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">pcre2-help-10.35-2.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="pcre2-help-10.39-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">pcre2-help-10.39-2.oe2203.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="pcre2-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">pcre2-10.35-2.oe1.src.rpm</FullProductName>
<FullProductName ProductID="pcre2-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">pcre2-10.35-2.oe1.src.rpm</FullProductName>
<FullProductName ProductID="pcre2-10.39-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">pcre2-10.39-2.oe2203.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="pcre2-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">pcre2-10.35-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debuginfo-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">pcre2-debuginfo-10.35-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-devel-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">pcre2-devel-10.35-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debugsource-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">pcre2-debugsource-10.35-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debugsource-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">pcre2-debugsource-10.35-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">pcre2-10.35-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-devel-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">pcre2-devel-10.35-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debuginfo-10.35-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">pcre2-debuginfo-10.35-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-10.39-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">pcre2-10.39-2.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-devel-10.39-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">pcre2-devel-10.39-2.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debugsource-10.39-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">pcre2-debugsource-10.39-2.oe2203.x86_64.rpm</FullProductName>
<FullProductName ProductID="pcre2-debuginfo-10.39-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">pcre2-debuginfo-10.39-2.oe2203.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a Unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.</Note>
</Notes>
<ReleaseDate>2022-06-02</ReleaseDate>
<CVE>CVE-2022-1586</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
<ProductID>openEuler-22.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Critical</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>9.1</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>pcre2 security update</Description>
<DATE>2022-06-02</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1686</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.</Note>
</Notes>
<ReleaseDate>2022-06-02</ReleaseDate>
<CVE>CVE-2022-1587</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
<ProductID>openEuler-22.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Critical</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>9.1</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>pcre2 security update</Description>
<DATE>2022-06-02</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1686</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>