Vulnerability CVE-2019-19012: Information
Description
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression.
Severity: CRITICAL (9.8) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: Nov. 17, 2019
Modified: Nov. 7, 2023
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| oniguruma | sisyphus | 6.9.4-alt1 | 6.9.9-alt1 | ALT-PU-2019-3211-1 | 242093 | Fixed |
| oniguruma | p10 | 6.9.4-alt1 | 6.9.9-alt1 | ALT-PU-2019-3211-1 | 242093 | Fixed |
| oniguruma | p9 | 6.9.4-alt1 | 6.9.4-alt1 | ALT-PU-2019-3215-1 | 242101 | Fixed |
| oniguruma | c10f1 | 6.9.4-alt1 | 6.9.7.1-alt1 | ALT-PU-2019-3211-1 | 242093 | Fixed |
| oniguruma | c9f2 | 6.9.4-alt1 | 6.9.4-alt1 | ALT-PU-2019-3215-1 | 242101 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2 |
|
| https://github.com/kkos/oniguruma/issues/164 |
|
| https://github.com/tarantula-team/CVE-2019-19012 |
|
| [debian-lts-announce] 20191204 [SECURITY] [DLA 2020-1] libonig security update |
|
| USN-4460-1 | |
| FEDORA-2019-d942abd0d4 | |
| FEDORA-2019-73197ff9a0 |