Nmap Development mailing list archives

Re: Nmap uses PCRE library and scan tool report one vulnerability CVE-2022-1586 & CVE-2022-1587 to PCRE2 library


From: Gordon Fyodor Lyon <fyodor () nmap org>
Date: Mon, 20 Jun 2022 14:09:29 -0700

Hi Shivani.  Thanks for the report.  Those two vulnerabilities are in the
PCRE2 (2nd generation) PCRE library.  Although we plan to upgrade to PCRE2
soon, Nmap is currently still using the 1st generation PCRE which is not
susceptible to these bugs.  When we do upgrade, we will be sure to use a
fixed version of PCRE2.

Also, Nmap versions 4.6 and 5.21 are ancient and well worth upgrading for
other reasons.


On Mon, Jun 20, 2022 at 1:47 PM Sharma, Shivani via dev <dev () nmap org>
wrote:

Hi Team,

We are using Nmap 4.6 and 5.21 in our project, and our scan tool reports one
vulnerability in Nmap which is related to PCRE2.

As per the vulnerabilities, CVE-2022-1586: This involves a Unicode property
matching issue in JIT-compiled regular expressions. The issue occurs
because the character was not fully read in case-less matching within JIT.

CVE-2022-1587: This comes with PCRE2 library in the
get_recurse_data_length() function of the pcre2_jit_compile.c file. This
issue affects recursions in JIT-compiled regular expressions caused by
duplicate data transfers.



We want to ask the following questions:

   1. Are Nmap 4.6 and 5.21 vulnerable to the CVE-2022-1586 and
   CVE-2022-1587 issues?
   2. If they are vulnerable, which version is free of the vulnerability,
   and how can we get it?

Regards,

Shivani
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/
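
One way to triage a scanner finding like this along the lines of the reply above, as an added example that is not part of the original thread or of Nmap's code: it reads the `Compiled with:` line of `nmap --version` to tell 1st-generation PCRE from PCRE2. The sample outputs are constructed, and `FIXED_PCRE2` is a placeholder to be replaced with the fixed release named in the PCRE2 advisory.

```python
import re

# PCRE entry in the "Compiled with:" line of `nmap --version`:
# "libpcre-<ver>" is 1st-generation PCRE, "libpcre2-<ver>" is PCRE2.
_PCRE_RE = re.compile(r"\blibpcre(2)?-(\d+(?:\.\d+)*)")

# PLACEHOLDER, not a real release number: take the fixed PCRE2 version
# from the upstream advisory for CVE-2022-1586 / CVE-2022-1587.
FIXED_PCRE2 = (99, 0)

def pcre_generation(version_output):
    """Return (generation, version_tuple), or None if no PCRE entry is listed."""
    for line in version_output.splitlines():
        if line.startswith("Compiled with:"):
            m = _PCRE_RE.search(line)
            if m:
                gen = "PCRE2" if m.group(1) else "PCRE1"
                return gen, tuple(int(p) for p in m.group(2).split("."))
    return None

def triage(version_output, fixed_pcre2=FIXED_PCRE2):
    """Classify the finding for the two PCRE2 CVEs discussed in the thread."""
    found = pcre_generation(version_output)
    if found is None:
        return "unknown"          # no library list: inspect the build by hand
    gen, version = found
    if gen == "PCRE1":
        return "not-applicable"   # the CVEs are in PCRE2, per the reply above
    # Conservative: both bugs are in JIT-compiled patterns, so a PCRE2 build
    # without JIT would also be unaffected; this check ignores that.
    return "needs-upgrade" if version < fixed_pcre2 else "fixed"

# Constructed sample outputs (library versions are illustrative only).
SAMPLE_PCRE1 = (
    "Nmap version 7.92 ( https://nmap.org )\n"
    "Platform: x86_64-pc-linux-gnu\n"
    "Compiled with: liblua-5.3.6 openssl-1.1.1 libz-1.2.11 libpcre-8.45 "
    "libpcap-1.10.1 nmap-libdnet-1.12 ipv6\n"
)
SAMPLE_PCRE2 = SAMPLE_PCRE1.replace("libpcre-8.45", "libpcre2-10.39")

if __name__ == "__main__":
    for name, out in (("pcre1", SAMPLE_PCRE1), ("pcre2", SAMPLE_PCRE2)):
        print(name, pcre_generation(out), triage(out))
```

A result of `unknown` means the output had no `Compiled with:` line, in which case the linked libraries have to be checked another way.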
