Vulnerability CVE-2019-19204: Information
Description
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State
---|---|---|---|---|---|---
oniguruma | sisyphus | 6.9.4-alt1 | 6.9.9-alt1 | ALT-PU-2019-3211-1 | 242093 | Fixed
oniguruma | p10 | 6.9.4-alt1 | 6.9.9-alt1 | ALT-PU-2019-3211-1 | 242093 | Fixed
oniguruma | p9 | 6.9.4-alt1 | 6.9.4-alt1 | ALT-PU-2019-3215-1 | 242101 | Fixed
oniguruma | c10f1 | 6.9.4-alt1 | 6.9.7.1-alt1 | ALT-PU-2019-3211-1 | 242093 | Fixed
oniguruma | c9f2 | 6.9.4-alt1 | 6.9.4-alt1 | ALT-PU-2019-3215-1 | 242101 | Fixed
References to Advisories, Solutions, and Tools
Hyperlink | Resource
---|---
https://github.com/kkos/oniguruma/issues/162 |
https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2 |
https://github.com/ManhNDd/CVE-2019-19204 |
[debian-lts-announce] 20191204 [SECURITY] [DLA 2020-1] libonig security update |
https://github.com/tarantula-team/CVE-2019-19204 |
USN-4460-1 |
FEDORA-2019-d942abd0d4 |
FEDORA-2019-73197ff9a0 |