Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 691832 (CVE-2019-13224, CVE-2019-13225, CVE-2019-16163) - <dev-libs/oniguruma-6.9.3: Multiple vulnerabilities
Summary: <dev-libs/oniguruma-6.9.3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-13224, CVE-2019-13225, CVE-2019-16163
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-09 15:15 UTC by Arfrever Frehtes Taifersar Arahesis
Modified: 2019-11-07 19:08 UTC (History)
1 user (show)

See Also:
Package list:
dev-libs/oniguruma-6.9.3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arfrever Frehtes Taifersar Arahesis 2019-08-09 15:15:45 UTC
https://github.com/kkos/oniguruma/releases/tag/v6.9.3:
"""
・ Fixed CVE-2019-13224
・ Fixed CVE-2019-13225
・ Fixed many problems (found by libfuzzer programs)
"""


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224:
"""
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
"""


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225:
"""
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
"""
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-09 23:14:47 UTC
arm64 stable
Comment 2 Rolf Eike Beer 2019-08-10 09:11:35 UTC
sparc stable
Comment 3 Sergei Trofimovich gentoo-dev 2019-08-10 09:58:42 UTC
ia64 stable
Comment 4 Sergei Trofimovich gentoo-dev 2019-08-11 17:02:59 UTC
hppa stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-08-13 08:21:26 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-08-13 11:41:09 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-08-13 11:50:00 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-08-14 07:35:27 UTC
alpha stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:26:48 UTC
arm stable
Comment 10 Larry the Git Cow gentoo-dev 2019-09-12 21:07:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db845c227640ab479b9bc5992de5580c3ca7688c

commit db845c227640ab479b9bc5992de5580c3ca7688c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-09-12 21:07:09 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-09-12 21:07:28 +0000

    dev-libs/oniguruma: security cleanup (#691832)
    
    Bug: https://bugs.gentoo.org/691832
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/oniguruma/Manifest               |  2 --
 dev-libs/oniguruma/oniguruma-6.9.1.ebuild | 32 -------------------------------
 dev-libs/oniguruma/oniguruma-6.9.2.ebuild | 32 -------------------------------
 3 files changed, 66 deletions(-)
Comment 11 Thomas Deutschmann gentoo-dev Security 2019-09-12 21:08:20 UTC
New GLSA request filed.
Comment 12 Arfrever Frehtes Taifersar Arahesis 2019-09-14 02:23:32 UTC
https://github.com/kkos/oniguruma/commit/4e72afff1d360cf37cf9cccdba70946f074cb60a
"""
add CVE-2019-16163 in README.md
"""


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16163:
"""
Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.
"""
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2019-11-07 19:08:48 UTC
This issue was resolved and addressed in
 GLSA 201911-03 at https://security.gentoo.org/glsa/201911-03
by GLSA coordinator Aaron Bauman (b-man).