Skip to content

Commits fixing the CVE-2022-1587 #122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ljavorsk opened this issue May 19, 2022 · 5 comments
Closed

Commits fixing the CVE-2022-1587 #122

ljavorsk opened this issue May 19, 2022 · 5 comments

Comments

@ljavorsk
Copy link

I've been looking for any mentions of the CVE-2022-1587 in this repository, but I couldn't find any.

I'm trying to backport patches that fix this CVE to the older pcre2-10.37 version.
The reason I'm doing this is that we as a Red Hat need to support compatibility in the release versions of RHEL, and in our new RHEL-9 version, we already shipped the 10.37 version.
Due to the multiple changes between versions 10.37 and 10.40 we've decided to backport the patch fixing this CVE.

I've managed to find multiple commits that IMHO are meant to fix the CVE-2022-1587:
03654e7
d07c967
4ca0530

However, I'm not sure if the 4ca0530 is really fixing this CVE or just improving the code generator (not relevant to the CVE)

All of these commits are created by @zherczeg. So I think Zoltan you are the one I want to ask the questions above.
@zherczeg
Copy link
Collaborator

The first ( 03654e7 ) fixes the issue, the others improve the code generator. Was one of the more complicated bugs.

@ljavorsk
Copy link
Author

Thank you, Zoltan, but looking at the d07c967 message it looks like it solves the issue as well.

Isn't the commit message quite odd then? If it doesn't solve it, but only improves it.

@zherczeg
Copy link
Collaborator

You are right, the message is wrong. I haven't noticed that, probably wanted to put it into a single patch. No idea what is happened. Anyway the second patch does not fix anything, it is just a minor improvement (probably done by the compiler automatically, but not all compiler that smart)

@carenas
Copy link
Contributor

carenas commented May 20, 2022

Isn't the commit message quite odd then? If it doesn't solve it, but only improves it

not an excuse but an IMHO important clarification, that I think worth mentioning.

"git style commits and topic branches" are not yet being used here; after all PCRE2 was developed using subversion where commit messages are less verbose by tradition and the development is mostly linear until the migration to github (around the 10.37 release), and I wouldn't be surprised if the reason why development was migrated to github (and no somewhere else), was precisely because it allowed both the use of git and subversion in parallel.

@ljavorsk
Copy link
Author

Thank you so much for clarifying Zoltan.

I'm closing this issue, due to the fact that my questions were answered already.

@SolitaryGrass SolitaryGrass mentioned this issue May 31, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@carenas @zherczeg @ljavorsk