rpi-buildroot/package/pcre2
Peter Korsgaard b17c2eecb9 package/pcre2: security bump to version 10.46
Fixes the following security issue:

- CVE-2025-58050: PCRE2: heap-buffer-overflow read in match_ref due to
  missing boundary restoration in SCS

Compared to 10.45, this release has only a minimal code change to prevent a
read-past-the-end memory error, of arbitrary length.  An attacker-controlled
regex pattern is required, and it cannot be triggered by providing crafted
subject (match) text.  The (*ACCEPT) and (*scs:) pattern features must be
used together.

Release 10.44 and earlier are not affected.

https://github.com/PCRE2Project/pcre2/security/advisories/GHSA-c2gv-xgf5-5cc2
https://www.cve.org/CVERecord?id=CVE-2025-58050

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Julien: add link to CVE in commit log]
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit 9fd06f212a)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
2025-09-18 16:44:44 +02:00