Bug 1141157 - (CVE-2019-13225) VUL-0: CVE-2019-13225: oniguruma: null-pointer dereference in match_at() in regexec.c
(CVE-2019-13225)
VUL-0: CVE-2019-13225: oniguruma: null-pointer dereference in match_at() in r...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Marcus Rückert
Security Team bot
https://smash.suse.de/issue/236863/
CVSSv3:SUSE:CVE-2019-13225:5.5:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-07-11 13:17 UTC by Wolfgang Frisch
Modified: 2020-06-26 09:41 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
wolfgang.frisch: needinfo? (mrueckert)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2019-07-11 13:17:16 UTC
CVE-2019-13225

A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Upstream commit:
https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1728965
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13225
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225
https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c