Several vulnerabilities were discovered in the Oniguruma regular expressions library, notably used in PHP mbstring.
CVE-2019-13224
A use-after-free in onig_new_deluxe() in regext.c allows
attackers to potentially cause information disclosure, denial of
service, or possibly code execution by providing a crafted regular
expression. The attacker provides a pair of a regex pattern and a
string, with a multi-byte encoding that gets handled by
onig_new_deluxe().
CVE-2019-16163
Oniguruma allows Stack Exhaustion in regcomp.c because of recursion
in regparse.c.
CVE-2019-19012
An integer overflow in the search_in_range function in regexec.c in
Oniguruma leads to an out-of-bounds read, in which the offset of
this read is under the control of an attacker. (This only affects
the 32-bit compiled version.) Remote attackers can cause a
denial-of-service or information disclosure, or possibly have
unspecified other impact, via a crafted regular expression.
CVE-2019-19203