Bug 1164569 - (CVE-2019-19204) VUL-0: CVE-2019-19204: oniguruma: heap-based buffer over-read in function fetch_interval_quantifier in regparse.c
(CVE-2019-19204)
VUL-0: CVE-2019-19204: oniguruma: heap-based buffer over-read in function fet...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Marcus Rückert
Security Team bot
https://smash.suse.de/issue/247789/
CVSSv3.1:SUSE:CVE-2019-19204:7.5:(AV...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-02-21 14:58 UTC by Alexandros Toptsoglou
Modified: 2022-08-08 11:01 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2020-02-21 14:58:13 UTC
CVE-2019-19204

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.

Reference:
https://github.com/kkos/oniguruma/issues/162
https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
https://github.com/ManhNDd/CVE-2019-19204
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1802068
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19204
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19204.html
https://github.com/kkos/oniguruma/issues/162
https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
https://github.com/tarantula-team/CVE-2019-19204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19204
https://github.com/ManhNDd/CVE-2019-19204
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL/
https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
Comment 1 Alexandros Toptsoglou 2020-02-21 15:01:49 UTC
Tracked SLE12 and SLE15 as affected judging from the affected code.

Instruction for reproducing at [1] but I could not reproduce the same issue. 
The fix is located at [2] 


[1] https://github.com/kkos/oniguruma/issues/162 
[2] https://github.com/kkos/oniguruma/commit/6eb4aca6a7f2f60f473580576d86686ed6a6ebec