
Debian 9: DLA-2431-1 High: libonig Information Disclosure

debian lts
November 4, 2020

Summary

Several vulnerabilities were discovered in the Oniguruma regular
expressions library, notably used in PHP mbstring.

CVE-2019-13224

A use-after-free in onig_new_deluxe() in regext.c allows
attackers to potentially cause information disclosure, denial of
service, or possibly code execution by providing a crafted regular
expression. The attacker provides a pair of a regex pattern and a
string, with a multi-byte encoding that gets handled by
onig_new_deluxe().

CVE-2019-16163

Oniguruma allows Stack Exhaustion in regcomp.c because of recursion
in regparse.c.

CVE-2019-19012

An integer overflow in the search_in_range function in regexec.c in
Oniguruma leads to an out-of-bounds read, in which the offset of
this read is under the control of an attacker. (This only affects
the 32-bit compiled version.) Remote attackers can cause a
denial of service or information disclosure, or possibly have
unspecified other impact, via a crafted regular expression.

CVE-2019-19203

Package: libonig
Version: 6.1.3-2+deb9u1
CVE ID: CVE-2019-13224 CVE-2019-16163 CVE-2019-19012
Debian Bug: 931878 939988 944959 945312 945313 946344 972113
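To check whether an installed libonig is at or above the fixed version listed above, here is an added example (not part of the advisory) that implements Debian's package version ordering in Python so the comparison matches `dpkg --compare-versions`. FIXED_VERSION comes from this advisory; the version string to test is what `dpkg-query -W -f='${Version}' libonig4` reports (libonig4 as the stretch binary package name is an assumption).

```python
import re

FIXED_VERSION = "6.1.3-2+deb9u1"   # fixed version from DLA-2431-1

def _sign(a, b):
    return (a > b) - (a < b)

def _nondigit_key(run):
    # Debian order for non-digit runs: '~' sorts before the end of the
    # string (key 0), letters sort before every other character.
    return tuple(-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
                 for c in run) + (0,)

def _cmp_fragment(a, b):
    # Alternate non-digit runs (modified lexical order) and digit runs
    # (numeric) until both strings are exhausted.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _sign(_nondigit_key(na), _nondigit_key(nb))
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        r = _sign(int(da or 0), int(db or 0))
        if r:
            return r
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # [epoch:]upstream_version[-debian_revision]: the epoch is the part
    # before the first ':', the revision the part after the last '-'.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    if not sep:
        upstream, rev = rest, ""
    return int(epoch), upstream, rev

def debian_version_compare(a, b):
    """Return -1, 0 or 1 with the ordering used by dpkg --compare-versions."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return _sign(ea, eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(installed_version):
    """True when the installed libonig is at or above the DLA-2431-1 fix."""
    return debian_version_compare(installed_version, FIXED_VERSION) >= 0
```

A pre-release marker such as `6.1.3~rc1` or a missing `+deb9u1` suffix is correctly reported as unpatched, while a later upstream or an epoch-bumped package is reported as patched.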
