Change History (4)
comment:1 by , 5 weeks ago
comment:2 by , 4 weeks ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed at commit df4169523d:
Update to vim-9.1.1754. Update to iana-etc-20250826. Update to tcl8.6.17. Update to pcre2-10.46. Update to meson-1.9.0. Update to linux-6.16.7. Update to kbd-2.9.0.
comment:3 by , 2 weeks ago
| Priority: | normal → high |
|---|
comment:4 by , 2 weeks ago
SA-12.4-004 issued, with a reminder to use the instructions from BLFS 12.4 substituting 10.45 with 10.46.
Note:
See TracTickets
for help on using tickets.
Version 10.46 27-August-2025
This is a security-only release, to address CVE-2025-58050.
Compared to 10.45, this release has only a minimal code change to prevent a read-past-the-end memory error, of arbitrary length. An attacker-controlled regex pattern is required, and it cannot be triggered by providing crafted subject (match) text. The (*ACCEPT) and (*scs:) pattern features must be used together.
Release 10.44 and earlier are not affected.
This could have implications of denial-of-service or information disclosure, and could potentially be used to escalate other vulnerabilities in a system (such as information disclosure being used to escalate the severity of an unrelated bug in another system).