#1112278 pcre2: CVE-2025-58050

Package: src:pcre2
Source: src:pcre2
Submitter: Matthew Vernon
Date: 2025-08-28 22:19:05 UTC
Severity: normal

#1112278#5
Date: 2025-08-28 07:26:33 UTC
package: src:pcre2
version: 10.45-1
tags: security upstream trixie forky

PCRE upstream released 10.46 yesterday to fix CVE-2025-58050 -
https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46

Quoting the release note:

"
This is a security-only release, to address CVE-2025-58050.

Compared to 10.45, this release has only a minimal code change to
prevent a read-past-the-end memory error, of arbitrary length. An
attacker-controlled regex pattern is required, and it cannot be
triggered by providing crafted subject (match) text. The (*ACCEPT) and
(*scs:) pattern features must be used together.

Release 10.44 and earlier are not affected.

This could have implications of denial-of-service or information
disclosure, and could potentially be used to escalate other
vulnerabilities in a system (such as information disclosure being used
to escalate the severity of an unrelated bug in another system).
"

So trixie (10.45-1) and forky/unstable are vulnerable, but not older
releases.

Regards,

Matthew
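
An added example, not part of the bug report or of PCRE2's own code: a triage helper that marks a Debian pcre2 package version as affected and screens untrusted patterns for the two features the release note says must be combined. The function names are hypothetical. The exact match on upstream 10.45 is an assumption drawn from the note, as is treating `(*scan_substring:` as the long spelling of `(*scs:`.

```python
import re

# Features named in the upstream release note; both must occur in one pattern.
# Assumption: "(*scan_substring:" is the long spelling of "(*scs:".
ACCEPT_RE = re.compile(r"\(\*ACCEPT\b")
SCS_RE = re.compile(r"\(\*(?:scs|scan_substring):")

# Per the release note: 10.44 and earlier are unaffected, 10.46 carries the fix.
AFFECTED_UPSTREAM = "10.45"


def upstream_version(debian_version: str) -> str:
    """Strip an optional epoch and the Debian revision from a package version."""
    v = debian_version.split(":", 1)[-1]
    return v.rsplit("-", 1)[0] if "-" in v else v


def package_affected(debian_version: str) -> bool:
    """True for packages built from the affected upstream release."""
    return upstream_version(debian_version) == AFFECTED_UPSTREAM


def pattern_needs_block(pattern: str) -> bool:
    """True when an untrusted pattern mentions both features.

    This is a coarse substring screen. It can also flag patterns in which the
    text is quoted or escaped, which is the safe direction for a deny rule.
    """
    return bool(ACCEPT_RE.search(pattern)) and bool(SCS_RE.search(pattern))


def triage(debian_version: str, pattern: str) -> str:
    """Decide whether to hand an untrusted pattern to the installed library."""
    if not package_affected(debian_version):
        return "allow"
    return "reject" if pattern_needs_block(pattern) else "allow"


if __name__ == "__main__":
    # Constructed samples: package versions from this report, placeholder patterns.
    both = "(*scs:" + "<placeholder>" + "(*ACCEPT)"
    for version in ("10.45-1", "10.46-1", "10.46-1~deb13u1"):
        print(version, triage(version, both), triage(version, "a(*ACCEPT)b"))
```

The screen is a stopgap for hosts that cannot yet move to 10.46-1 or 10.46-1~deb13u1; upgrading the package removes the need for it.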

#1112278#10
Date: 2025-08-28 07:49:41 UTC
We believe that the bug you reported is fixed in the latest version of
pcre2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1112278@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthew Vernon <matthew@debian.org> (supplier of updated pcre2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 28 Aug 2025 08:32:30 +0100
Source: pcre2
Architecture: source
Version: 10.46-1
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Matthew Vernon <matthew@debian.org>
Closes: 1112278
Changes:
 pcre2 (10.46-1) unstable; urgency=high
 .
   * New upstream release to fix CVE-2025-58050 (Closes: #1112278)
Checksums-Sha1:
 b54c3aa8e4aa2d9ffa401b02ade99212953deeed 2337 pcre2_10.46-1.dsc
 6858f0eb287c8285f53a038c8a95dc43ba51c653 2718545 pcre2_10.46.orig.tar.gz
 fddae92ac1844431bd414198633dc3961a7ad2ea 8748 pcre2_10.46-1.diff.gz
Checksums-Sha256:
 f07e05cd55dd8189d1a7eec2c3ed2d963f51a84ab5494567a112b42f8d525661 2337 pcre2_10.46-1.dsc
 8d28d7f2c3b970c3a4bf3776bcbb5adfc923183ce74bc8df1ebaad8c1985bd07 2718545 pcre2_10.46.orig.tar.gz
 307f2b889eb62e71fba064fb6ec65a367f1a88ceb667c4d7109c8d3fe1859e88 8748 pcre2_10.46-1.diff.gz
Files:
 70ed6714c5f7638535f882a1884518cf 2337 libs optional pcre2_10.46-1.dsc
 38c1d3820b744afbc0565144ef893129 2718545 libs optional pcre2_10.46.orig.tar.gz
 6bc28f8d3d33bdcf4c795a2045db4787 8748 libs optional pcre2_10.46-1.diff.gz

#1112278#15
Date: 2025-08-28 22:17:09 UTC
Format: 1.8
Date: Thu, 28 Aug 2025 08:43:18 +0100
Source: pcre2
Architecture: source
Version: 10.46-1~deb13u1
Distribution: trixie
Urgency: high
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Matthew Vernon <matthew@debian.org>
Closes: 1112278
Changes:
 pcre2 (10.46-1~deb13u1) trixie; urgency=high
 .
   * New upstream release to fix CVE-2025-58050 (Closes: #1112278)
Checksums-Sha1:
 70d60f3aaff0248e6a87f836a5fac291e0d57536 2377 pcre2_10.46-1~deb13u1.dsc
 73a5b15c4204a8788040848fb85faf37f3017fc7 8729 pcre2_10.46-1~deb13u1.diff.gz
Checksums-Sha256:
 15fd556b0182dac4decee5408ab4908654bb6a7f2002774a46e908c1ec7937b8 2377 pcre2_10.46-1~deb13u1.dsc
 b1e614d7d31b26314754c563079b6e8400e50fe7a35d21cc0945f41c45965c45 8729 pcre2_10.46-1~deb13u1.diff.gz
Files:
 dcece146539c4ee98eae46abd48f821b 2377 libs optional pcre2_10.46-1~deb13u1.dsc
 9acc7ceefea744ef71017ea7f328ee9d 8729 libs optional pcre2_10.46-1~deb13u1.diff.gz