Source: libonig
Version: 6.9.1-1
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for libonig.

CVE-2019-13224[0]:
| A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2
| allows attackers to potentially cause information disclosure, denial
| of service, or possibly code execution by providing a crafted regular
| expression. The attacker provides a pair of a regex pattern and a
| string, with a multi-byte encoding that gets handled by
| onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as
| common optional libraries for PHP and Rust.


CVE-2019-13225[1]:
| A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma
| 6.9.2 allows attackers to potentially cause denial of service by
| providing a crafted regular expression. Oniguruma issues often affect
| Ruby, as well as common optional libraries for PHP and Rust.


If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13224
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224
[1] https://security-tracker.debian.org/tracker/CVE-2019-13225
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225

Please adjust the affected versions in the BTS as needed; for instance,
the stretch version was not checked.

Regards,
Salvatore
