From cb4952b2b418c1dc4b96e3f9411e98dc0625db27 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sep 27 2022 20:09:26 +0000
Subject: import pcre2-10.32-3.el8_6


---

diff --git a/SOURCES/pcre2-10.32-Fix-CVE-2022-1586 b/SOURCES/pcre2-10.32-Fix-CVE-2022-1586
new file mode 100644
index 0000000..8a5b2d9
--- /dev/null
+++ b/SOURCES/pcre2-10.32-Fix-CVE-2022-1586
@@ -0,0 +1,21 @@
+--- pcre2-10.32/src/pcre2_jit_compile.c.old	2022-05-13 09:13:06.188574517 +0000
++++ pcre2-10.32/src/pcre2_jit_compile.c	2022-05-13 09:27:57.189574517 +0000
+@@ -6494,7 +6494,7 @@ while (*cc != XCL_END)
+     {
+     SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
+     cc++;
+-    if (*cc == PT_CLIST)
++    if (*cc == PT_CLIST && cc[-1] == XCL_PROP)
+       {
+       other_cases = PRIV(ucd_caseless_sets) + cc[1];
+       while (*other_cases != NOTACHAR)
+--- pcre2-10.32/src/pcre2_jit_test.c.old	2022-05-13 09:29:27.531574517 +0000
++++ pcre2-10.32/src/pcre2_jit_test.c	2022-05-13 09:32:50.666574517 +0000
+@@ -397,6 +397,7 @@ static struct regression_test_case regre
+ 	{ MUP, A, 0, 0 | F_PROPERTY, "[\xc3\xa2-\xc3\xa6\xc3\x81-\xc3\x84\xe2\x80\xa8-\xe2\x80\xa9\xe6\x92\xad\\p{Zs}]{2,}", "\xe2\x80\xa7\xe2\x80\xa9\xe6\x92\xad \xe6\x92\xae" },
+ 	{ MUP, A, 0, 0 | F_PROPERTY, "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" },
+ 	{ PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB  baaa" },
++	{ CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" },
+ 
+ 	/* Possible empty brackets. */
+ 	{ MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" },
diff --git a/SPECS/pcre2.spec b/SPECS/pcre2.spec
index df3f0aa..99f43bc 100644
--- a/SPECS/pcre2.spec
+++ b/SPECS/pcre2.spec
@@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.32
-Release:    %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist}
+Release:    %{?rcversion:0.}3%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@@ -68,6 +68,11 @@ Patch5:     pcre2-10.32-Fix-crash-when-X-is-used-without-UTF-in-JIT.patch
 # 2/2 Fix CVE-2019-20454 (a crash when \X is used without UTF mode in a JIT),
 # upstream bug #2399, bug #1734468, in upstream after 10.33
 Patch6:     pcre2-10.32-Forgot-this-file-in-previous-commit.-Fixes-JIT-non-U.patch
+# Fix CVE-2022-1586 (Out-of-bounds read in compile_xclass_matchingpath)
+# Downstream patch backport
+# Ref: https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
+# https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc388f89095b184ba6d99422cfc676c
+Patch7: pcre2-10.32-Fix-CVE-2022-1586
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@@ -150,6 +155,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@@ -251,6 +257,9 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 
 %changelog
+* Fri May 13 2022 Lukas Javorsky <ljavorsk@redhat.com> - 10.32-3
+- Resolves: CVE-2022-1586
+
 * Mon May 13 2019 Petr Pisar <ppisar@redhat.com> - 10.32-2
 - Fix CVE-2019-20454 (a crash when \X is used without UTF mode in a JIT)
   (bug #1734468)