
Mageia 7: 2020-0029 Moderate: Oniguruma Information Disclosure Risk

Distribution: Mageia
Published: January 11, 2020

Oniguruma has been updated to 6.9.4 in Mageia 7 to fix several vulnerabilities in the regular-expression library that can be triggered by a crafted regular expression, with impacts ranging from denial of service and information disclosure to possible code execution.

Summary

Updated oniguruma packages fix security vulnerabilities:
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe() (CVE-2019-13224).
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression (CVE-2019-13225).
Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163).
An integer overflow in the search_in_range function in regexec.c leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or inform...


References

- https://bugs.mageia.org/show_bug.cgi?id=25843
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NWOWZZNFSAWM3BUTQNAE3PD44A6JU4KE/
- https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html
- https://security-tracker.debian.org/tracker/CVE-2019-19203
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
- https://www.cve.org/CVERecord?id=CVE-2019-13224
- https://www.cve.org/CVERecord?id=CVE-2019-13225
- https://www.cve.org/CVERecord?id=CVE-2019-16163
- https://www.cve.org/CVERecord?id=CVE-2019-19012
- https://www.cve.org/CVERecord?id=CVE-2019-19203
- https://www.cve.org/CVERecord?id=CVE-2019-19204
- https://www.cve.org/CVERecord?id=CVE-2019-19246

Resolution

SRPMS

- 7/core/oniguruma-6.9.4-1.mga7
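To confirm the fix has actually landed on a host, compare the installed package versions against the fixed build above. The script below is an added example, not part of the Mageia advisory: it reads "name version-release" lines (the shape produced by rpm's query format), orders versions with GNU sort -V so that 6.9.10 sorts after 6.9.4, and reports any package still below 6.9.4-1.mga7. The sample input is constructed, and the package names lib64onig5 and oniguruma-devel are assumed rather than taken from the advisory.

```shell
#!/bin/sh
# Added example (not the Mageia advisory's own code): check whether installed
# oniguruma packages on a Mageia 7 host are at or above the fixed build
# 6.9.4-1.mga7 from MGASA-2020-0029. Version ordering uses GNU sort -V, so
# "6.9.10" sorts after "6.9.4"; a plain string comparison would get that wrong.

FIXED_VERSION="6.9.4-1.mga7"

# is_fixed VERSION-RELEASE: exit 0 when the argument is >= FIXED_VERSION.
is_fixed() {
    installed="$1"
    highest=$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | tail -n 1)
    [ "$highest" = "$installed" ]
}

# check_packages: reads "name version-release" lines on stdin, the format that
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'oniguruma*' 'lib64onig*'
# prints on a real host. Emits one verdict per line and returns 1 if any
# package is still below the fixed version.
check_packages() {
    status=0
    while read -r name ver; do
        [ -n "$name" ] || continue
        if is_fixed "$ver"; then
            echo "OK $name $ver"
        else
            echo "VULNERABLE $name $ver (fixed in $FIXED_VERSION)"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample standing in for real rpm output; lib64onig5 and
# oniguruma-devel are assumed package names, not taken from the advisory.
SAMPLE='oniguruma 6.9.2-1.mga7
lib64onig5 6.9.4-1.mga7
oniguruma-devel 6.9.4-1.mga7'

printf '%s\n' "$SAMPLE" | check_packages \
    || echo "Result: at least one package still needs the $FIXED_VERSION update"
```

On a live system replace the printf of SAMPLE with the rpm query shown in the comment; the pipeline's exit status (non-zero when anything is vulnerable) makes it usable from a configuration-management or monitoring job.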

Publication date: 11 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0029.html
Type: security
CVE: CVE-2019-13224, CVE-2019-13225, CVE-2019-16163, CVE-2019-19012, CVE-2019-19203, CVE-2019-19204, CVE-2019-19246
