Univention Bugzilla – Bug 52326
libonig: Multiple issues (4.4)
Last modified: 2020-11-11 17:03:48 CET
New Debian libonig 6.1.3-2+deb9u1 fixes:

This update addresses the following issues:

* use-after-free in onig_new_deluxe() in regext.c (CVE-2019-13224)
* Stack exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163)
* integer overflow in search_in_range function in regexec.c leads to out-of-bounds read (CVE-2019-19012)
* Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c (CVE-2019-19203)
* Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c (CVE-2019-19204)
* Heap-based buffer overflow in str_lower_case_match in regexec.c (CVE-2019-19246)
* Buffer overflow in concat_opt_exact_str could result in DoS (CVE-2020-26159)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/libonig_6.1.3-2.dsc +++ apt/ucs_4.4-0-errata4.4-6/source/libonig_6.1.3-2+deb9u1.dsc 
@@ -1,3 +1,39 @@ +6.1.3-2+deb9u1 [Wed, 04 Nov 2020 22:45:44 +0100] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2019-13224: + A use-after-free in onig_new_deluxe() in regext.c allows + attackers to potentially cause information disclosure, denial of service, + or possibly code execution by providing a crafted regular expression. The + attacker provides a pair of a regex pattern and a string, with a multi-byte + encoding that gets handled by onig_new_deluxe(). + * Fix CVE-2019-16163: + Oniguruma allows Stack Exhaustion in regcomp.c because of recursion in regparse.c. + * Fix CVE-2019-19012: + An integer overflow in the search_in_range function in regexec.c in + Onigurama leads to an out-of-bounds read, in which the offset of this read + is under the control of an attacker. (This only affects the 32-bit compiled + version). Remote attackers can cause a denial-of-service or information + disclosure, or possibly have unspecified other impact, via a crafted + regular expression. + * Fix CVE-2019-19203: + An issue was discovered in Oniguruma. In the function gb18030_mbc_enc_len + in file gb18030.c, a UChar pointer is dereferenced without checking if it + passed the end of the matched string. This leads to a heap-based buffer + over-read. + * Fix CVE-2019-19204: + An issue was discovered in Oniguruma. In the function + fetch_interval_quantifier (formerly known as fetch_range_quantifier) in + regparse.c, PFETCH is called without checking PEND. This leads to a + heap-based buffer over-read. + * Fix CVE-2019-19246: + Oniguruma has a heap-based buffer over-read in str_lower_case_match in + regexec.c. 
+ * Fix CVE-2020-26159: + In Oniguruma an attacker able to supply a regular expression for + compilation may be able to overflow a buffer by one byte in + concat_opt_exact_str in src/regcomp.c + 6.1.3-2 [Sat, 27 May 2017 12:05:50 +0200] Jörg Frings-Fürst <debian@jff-webhosting.net>: * New debian/patches/0500-CVE-2017-922[4-9].patch: <http://10.200.17.11/4.4-6/#5140547697135967136>
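Review bot: the "Fix CVE-2019-19012" entry in this changelog hunk spells the project name "Onigurama" while every other entry uses "Oniguruma"; correct it to "Oniguruma". A second point of traceability: the existing 6.1.3-2 entry names the patch file it added ("New debian/patches/0500-CVE-2017-922[4-9].patch"), but none of the seven new "* Fix CVE-..." entries name the debian/patches file that carries its fix, so a reader cannot map a CVE in the changelog to the patch in the source package; adding the patch filename to each entry, in the style of the 6.1.3-2 entry, would close that gap.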
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-6] 3e413722c4 Bug #52326: yaml
 doc/errata/staging/libonig.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x800>