Bug 1142847 - (CVE-2019-13224) VUL-0: CVE-2019-13224: oniguruma: use-after-free in onig_new_deluxe() in regext.c
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Marcus Rückert
Security Team bot
https://smash.suse.de/issue/236862/
CVSSv3:SUSE:CVE-2019-13224:6.6:(AV:L...
Depends on:
Blocks:
Reported: 2019-07-25 12:55 UTC by Wolfgang Frisch
Modified: 2022-08-12 07:48 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
oniguruma-CVE-2019-13224.patch (1.24 KB, patch)
2019-07-25 12:57 UTC, Wolfgang Frisch

Description Wolfgang Frisch 2019-07-25 12:55:36 UTC
CVE-2019-13224

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Reference:
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1728970
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13224
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13224.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
https://lists.debian.org/debian-lts-announce/2019/07/msg00013.html
Comment 1 Wolfgang Frisch 2019-07-25 12:57:28 UTC
Created attachment 811602 [details]
oniguruma-CVE-2019-13224.patch