Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 702012 (CVE-2019-19012, CVE-2019-19203, CVE-2019-19204) - <dev-libs/oniguruma-6.9.4: multiple vulnerabilities (CVE-2019-{19012,19203,19204})
Summary: <dev-libs/oniguruma-6.9.4: multiple vulnerabilities (CVE-2019-{19012,19203,19...
Alias: CVE-2019-19012, CVE-2019-19203, CVE-2019-19204
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Reported: 2019-12-05 02:28 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-25 20:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-05 02:28:34 UTC
CVE-2019-19012 (
  An integer overflow in the search_in_range function in regexec.c in
  Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the
  offset of this read is under the control of an attacker. (This only affects
  the 32-bit compiled version). Remote attackers can cause a denial-of-service
  or information disclosure, or possibly have unspecified other impact, via a
  crafted regular expression.

CVE-2019-19203 (
  An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function
  gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced
  without checking if it passed the end of the matched string. This leads to a
  heap-based buffer over-read.

CVE-2019-19204 (
  An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function
  fetch_interval_quantifier (formerly known as fetch_range_quantifier) in
  regparse.c, PFETCH is called without checking PEND. This leads to a
  heap-based buffer over-read.
Comment 1 Agostino Sarubbo gentoo-dev 2019-12-05 08:38:59 UTC
amd64 stable
Comment 2 Rolf Eike Beer archtester 2019-12-06 21:36:23 UTC
hppa/sparc stable
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-12-08 15:52:25 UTC
arm64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-12-08 23:41:48 UTC
ia64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-12-09 07:49:50 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-09 08:49:11 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-12-09 12:10:44 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-12-10 12:19:38 UTC
ppc stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 15:10:06 UTC
arm stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 21:07:11 UTC
thanks arches.

@maintainer(s), ok to cleanup?
Comment 11 Larry the Git Cow gentoo-dev 2020-03-25 20:26:50 UTC
The bug has been referenced in the following commit(s):

commit 487aeb624b9001b520dc3d6340ab48bf86757881
Author:     Thomas Deutschmann <>
AuthorDate: 2020-03-25 20:26:27 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2020-03-25 20:26:27 +0000

    dev-libs/oniguruma: security cleanup (bug #702012)
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <>

 dev-libs/oniguruma/Manifest                        |  1 -
 ...a-6.9.3-fix-heap-buffer-overflow-php78559.patch | 13 --------
 ...a-6.9.3-fix-heap-buffer-overflow-php78633.patch | 25 ---------------
 dev-libs/oniguruma/oniguruma-6.9.3-r2.ebuild       | 37 ----------------------
 4 files changed, 76 deletions(-)
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 20:28:48 UTC
GLSA Vote: No

Repository is clean, all done!