user/oniguruma: multiple vulnerabilities
Bugzilla ID | 155
Alias(es)   | CVE-2019-13224, CVE-2019-13225
Reporter    | Max Rees (sroracle)
Assignee    | Max Rees (sroracle)
Reported    | 2019-07-31 07:15:21 -0500
Modified    | 2019-09-09 16:32:32 -0500
Status      | RESOLVED FIXED
Version     | 1.0-BETA3
Hardware    | Adélie Linux / All
Importance  | --- / normal
See also    | https://bts.adelielinux.org/show_bug.cgi?id=194
Description
CVE-2019-13224: https://nvd.nist.gov/vuln/detail/CVE-2019-13224

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
CVE-2019-13225: https://nvd.nist.gov/vuln/detail/CVE-2019-13225

A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
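Both CVEs above name Oniguruma 6.9.2 as the affected release. The following POSIX sh script is an added example, not part of this bug report and not code from Adélie or from the Oniguruma project: it compares an installed Oniguruma version against the first release assumed to carry both fixes. That fixed version (6.9.3) is not stated on this page; it is an assumption taken from upstream's release notes and should be confirmed against your distribution's changelog before relying on the result. The `pkg-config --modversion oniguruma` query assumes the library installs an `oniguruma.pc` file; where it does not, pass the version string on the command line.

```shell
#!/bin/sh
# Added example: flag an Oniguruma install as affected by CVE-2019-13224 /
# CVE-2019-13225 when it is older than the assumed fixed release.
# ASSUMPTION (not on the bug page): the fix shipped in 6.9.3.
FIXED_VERSION=6.9.3

# vercmp A B: print -1, 0 or 1 for dotted numeric versions (6.9.2, 6.10.0, ...).
# Missing trailing components count as 0, so "6.9" sorts before "6.9.3".
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# is_affected VERSION: print "yes" if VERSION is older than FIXED_VERSION.
# Distribution suffixes such as "-r0" (apk) are stripped before comparing.
is_affected() {
    v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    if [ "$(vercmp "$v" "$FIXED_VERSION")" -lt 0 ]; then
        printf '%s\n' yes
    else
        printf '%s\n' no
    fi
}

# installed_version: ask pkg-config for the library version, if available.
# ASSUMPTION: the install provides an oniguruma.pc file.
installed_version() {
    if command -v pkg-config >/dev/null 2>&1; then
        pkg-config --modversion oniguruma 2>/dev/null && return
    fi
}

main() {
    v=${1:-$(installed_version)}
    if [ -z "$v" ]; then
        printf '%s\n' "oniguruma: version unknown; pass it as an argument"
        return 0
    fi
    printf 'oniguruma %s: affected=%s (assumed fixed in %s)\n' \
        "$v" "$(is_affected "$v")" "$FIXED_VERSION"
}

main "$@"
```

Run it with no arguments to query the locally installed library, or with a version string (`./check.sh 6.9.2-r0`) to evaluate a package version taken from an inventory. Wire `is_affected` into a CI gate by exiting non-zero on `yes`; the script as written only reports, so that it can be run safely on hosts where the library is absent.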