First Last Prev Next    This bug is not in your last search results.
Bug 1142847 - (CVE-2019-13224) VUL-0: CVE-2019-13224: oniguruma: use-after-free in onig_new_deluxe() in regext.c
(CVE-2019-13224)
VUL-0: CVE-2019-13224: oniguruma: use-after-free in onig_new_deluxe() in rege...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Marcus Rückert
Security Team bot
https://smash.suse.de/issue/236862/
CVSSv3:SUSE:CVE-2019-13224:6.6:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-07-25 12:55 UTC by Wolfgang Frisch
Modified: 2022-08-12 07:48 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
oniguruma-CVE-2019-13224.patch (1.24 KB, patch)
2019-07-25 12:57 UTC, Wolfgang Frisch 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2019-07-25 12:55:36 UTC 
CVE-2019-13224

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Reference:
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1728970
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13224
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13224.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
https://lists.debian.org/debian-lts-announce/2019/07/msg00013.html
Comment 1 Wolfgang Frisch 2019-07-25 12:57:28 UTC 
Created attachment 811602 [details]
oniguruma-CVE-2019-13224.patch
First Last Prev Next    This bug is not in your last search results.