Bug 702012 (CVE-2019-19012, CVE-2019-19203, CVE-2019-19204) - <dev-libs/oniguruma-6.9.4: multiple vulnerabilities (CVE-2019-{19012,19203,19204})
Status: RESOLVED FIXED
Alias: CVE-2019-19012, CVE-2019-19203, CVE-2019-19204
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2019-12-05 02:28 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-25 20:28 UTC
Package list:
dev-libs/oniguruma-6.9.4
Runtime testing required: ---
stable-bot: sanity-check+

Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-05 02:28:34 UTC
CVE-2019-19012 (https://nvd.nist.gov/vuln/detail/CVE-2019-19012):
  An integer overflow in the search_in_range function in regexec.c in
  Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the
  offset of this read is under the control of an attacker. (This only affects
  the 32-bit compiled version). Remote attackers can cause a denial-of-service
  or information disclosure, or possibly have unspecified other impact, via a
  crafted regular expression.

CVE-2019-19203 (https://nvd.nist.gov/vuln/detail/CVE-2019-19203):
  An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function
  gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced
  without checking if it passed the end of the matched string. This leads to a
  heap-based buffer over-read.

CVE-2019-19204 (https://nvd.nist.gov/vuln/detail/CVE-2019-19204):
  An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function
  fetch_interval_quantifier (formerly known as fetch_range_quantifier) in
  regparse.c, PFETCH is called without checking PEND. This leads to a
  heap-based buffer over-read.
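
The over-read described for CVE-2019-19203 (a lookahead byte read without an end-of-buffer check; CVE-2019-19204 describes the same missing check in the parser), shown as an added C example that is not Oniguruma's code and not part of the original report. The function names and the choice to count truncated or invalid sequences as one byte are assumptions of this sketch; the sample bytes in the usage are constructed.

```c
#include <stddef.h>

typedef unsigned char UChar;

/* GB18030 byte classes (ranges from the encoding itself). */
static int is_lead(UChar c)  { return c >= 0x81 && c <= 0xFE; }
static int is_digit(UChar c) { return c >= 0x30 && c <= 0x39; }
static int is_trail(UChar c) { return (c >= 0x40 && c <= 0x7E) || (c >= 0x80 && c <= 0xFE); }

/* Unchecked form: after a lead byte it always reads p[1]. If the lead byte
 * is the last byte of the buffer, that read is past the end (over-read). */
int len_unchecked(const UChar *p)
{
    if (!is_lead(p[0])) return 1;
    if (is_digit(p[1])) return 4;
    return is_trail(p[1]) ? 2 : 1;
}

/* Checked form: the caller passes `end` (one past the last valid byte) and
 * every lookahead is gated on the bytes actually available. The result is
 * always <= end - p; truncated or invalid sequences count as one byte. */
int len_checked(const UChar *p, const UChar *end)
{
    size_t avail;

    if (p == NULL || p >= end) return 0;
    avail = (size_t)(end - p);
    if (!is_lead(p[0]) || avail < 2) return 1;
    if (is_trail(p[1])) return 2;
    if (is_digit(p[1]) && avail >= 4 && is_lead(p[2]) && is_digit(p[3]))
        return 4;
    return 1;
}

/* Walk a buffer character by character; the cursor can never pass `end`
 * because each step is >= 1 and <= the bytes remaining. */
long count_chars(const UChar *s, size_t n)
{
    const UChar *p = s, *end = s + n;
    long count = 0;

    while (p < end) {
        p += len_checked(p, end);
        count++;
    }
    return count;
}
```
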
Comment 1 Agostino Sarubbo gentoo-dev 2019-12-05 08:38:59 UTC
amd64 stable
Comment 2 Rolf Eike Beer archtester 2019-12-06 21:36:23 UTC
hppa/sparc stable
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-12-08 15:52:25 UTC
arm64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-12-08 23:41:48 UTC
ia64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-12-09 07:49:50 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-12-09 08:49:11 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-12-09 12:10:44 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-12-10 12:19:38 UTC
ppc stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-12-24 15:10:06 UTC
arm stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 21:07:11 UTC
thanks arches.

@maintainer(s), ok to cleanup?
Comment 11 Larry the Git Cow gentoo-dev 2020-03-25 20:26:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=487aeb624b9001b520dc3d6340ab48bf86757881

commit 487aeb624b9001b520dc3d6340ab48bf86757881
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-25 20:26:27 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-25 20:26:27 +0000

    dev-libs/oniguruma: security cleanup (bug #702012)
    
    Bug: https://bugs.gentoo.org/702012
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/oniguruma/Manifest                        |  1 -
 ...a-6.9.3-fix-heap-buffer-overflow-php78559.patch | 13 --------
 ...a-6.9.3-fix-heap-buffer-overflow-php78633.patch | 25 ---------------
 dev-libs/oniguruma/oniguruma-6.9.3-r2.ebuild       | 37 ----------------------
 4 files changed, 76 deletions(-)
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-25 20:28:48 UTC
GLSA Vote: No

Repository is clean, all done!