
Debian: DLA-958-1 Critical: Libonig Stack Overflow and DoS Threats

debian lts
May 28, 2017

Summary

CVE-2017-9224

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds read occurs in match_at() during regular expression
searching. A logical error involving order of validation and access in
match_at() could result in an out-of-bounds read from a stack buffer.

CVE-2017-9226

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write or read occurs in next_state_val() during regular
expression compilation. Octal numbers larger than 0xff are not handled
correctly in fetch_token() and fetch_token_in_cc(). A malformed regular
expression containing an octal number in the form of '\700' would
produce an invalid code point value larger than 0xff in
next_state_val(), resulting in an out-of-bounds write memory
corruption.
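As an added example that is not part of the DLA advisory or of Oniguruma itself, the Ruby scanner below walks a pattern's source text and flags octal escapes whose value exceeds 0xff, the input class this CVE describes, so that untrusted patterns can be rejected before they reach an unpatched engine. It is plain string scanning (function names and the sample patterns are my own); it never compiles the untrusted pattern.

```ruby
# Defensive pre-filter for regular expression source strings.
# CVE-2017-9226: unpatched Oniguruma 6.2.0 mishandles octal escapes
# larger than 0xff (e.g. "\700" == 448) in fetch_token() and
# fetch_token_in_cc(), so they are scanned for here, inside and outside
# character classes alike, without ever compiling the pattern.

OCTAL_LIMIT = 0xff  # "\377" is the largest octal escape that fits a byte

# Returns every candidate octal escape as { offset:, escape:, value: }.
# Any backslash followed by 1..3 octal digits is reported; this
# over-approximates (a lone "\1" may be a backreference), but a one- or
# two-digit escape can never exceed 0xff, so the > 0xff filter below
# has no false positives from that ambiguity.
def octal_escapes(pattern)
  found = []
  i = 0
  while i < pattern.length
    if pattern[i] == "\\"
      nxt = pattern[i + 1]
      if nxt && nxt.match?(/\A[0-7]\z/)
        # Oniguruma reads at most three octal digits after the backslash.
        digits = pattern[i + 1, 3][/\A[0-7]{1,3}/]
        found << { offset: i, escape: "\\" + digits, value: digits.to_i(8) }
        i += 1 + digits.length
      else
        i += 2  # skip any other escape, including an escaped backslash
      end
    else
      i += 1
    end
  end
  found
end

# Only the escapes that trigger the mishandled code path.
def unsafe_octal_escapes(pattern)
  octal_escapes(pattern).select { |e| e[:value] > OCTAL_LIMIT }
end

# true when the pattern contains no octal escape above 0xff.
def safe_pattern?(pattern)
  unsafe_octal_escapes(pattern).empty?
end

if __FILE__ == $0
  ["a\\101b", "x\\700y", "[\\400]", "\\\\700"].each do |pat|  # constructed samples
    puts "#{pat.inspect}: #{safe_pattern?(pat) ? 'ok' : 'reject ' + unsafe_octal_escapes(pat).inspect}"
  end
end
```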

CVE-2017-9227


Severity: critical

Package: libonig
Version: 5.9.1-1+deb7u1
CVE ID: CVE-2017-9224 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228
Debian Bug: 863312 863314 863315 863316 863318
