Source: libonig
Version: 6.1.3-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/kkos/oniguruma/issues/56

Hi,

the following vulnerability was published for libonig.

CVE-2017-9225[0]:
| An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
| Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
| out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str()
| occurs during regular expression compilation. Code point 0xFFFFFFFF is
| not properly handled in unicode_unfold_key(). A malformed regular
| expression could result in 4 bytes being written off the end of a stack
| buffer of expand_case_fold_string() during the call to
| onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer
| overflow.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9225
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9225
[1] https://github.com/kkos/oniguruma/issues/56
[2] https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f

Please adjust the affected versions in the BTS as needed. AFAICT this
only affects the version in stretch and sid, but not older.

Regards,
Salvatore

_______________________________________________
Secure-testing-team mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
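The bug class described in the CVE text above is a case-fold expansion that writes into a fixed-size stack buffer without rejecting an invalid code point or checking the buffer's remaining capacity. The following C program is an added illustration of the defensive pattern, not Oniguruma code and not the upstream fix: the function names, the toy fold table, and the buffer capacity FOLD_BUF_LEN are all constructed for this example. It shows the two checks whose absence leads to the overflow: a code point above the Unicode maximum (such as 0xFFFFFFFF) is rejected up front, and a fold set that would not fit in the caller's buffer is refused rather than written past its end.

```c
/* Added example (hypothetical, not Oniguruma's code): bounded case-fold
 * expansion into a fixed-size stack buffer. The fold table below is a
 * constructed toy, not real Unicode case-folding data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define UNICODE_MAX  0x10FFFFu  /* largest valid Unicode scalar value */
#define FOLD_BUF_LEN 4          /* hypothetical caller capacity, in code points */

typedef struct {
    uint32_t key;        /* code point being folded */
    uint32_t folds[3];   /* constructed fold set */
    size_t   n;          /* number of valid entries in folds[] */
} fold_entry;

/* Constructed toy table: a few entries that fold to more than one code point. */
static const fold_entry FOLD_TABLE[] = {
    { 0x4B,   { 0x6B, 0x212A, 0 },  2 },  /* K -> k, KELVIN SIGN */
    { 0x53,   { 0x73, 0x17F,  0 },  2 },  /* S -> s, LONG S */
    { 0x1E9E, { 0xDF, 0x73, 0x73 }, 3 },  /* constructed three-way fold */
};

/* Writes the fold code points for cp into out[], never more than cap entries.
 * Returns the count written, 0 if cp has no folds, or -1 when cp is not a
 * valid code point or the fold set would not fit in cap entries. */
int get_case_fold_codes(uint32_t cp, uint32_t *out, size_t cap) {
    if (cp > UNICODE_MAX)
        return -1;  /* 0xFFFFFFFF and other out-of-range values stop here */

    for (size_t i = 0; i < sizeof FOLD_TABLE / sizeof FOLD_TABLE[0]; i++) {
        if (FOLD_TABLE[i].key != cp)
            continue;
        if (FOLD_TABLE[i].n > cap)
            return -1;  /* refuse instead of writing past the caller's buffer */
        for (size_t j = 0; j < FOLD_TABLE[i].n; j++)
            out[j] = FOLD_TABLE[i].folds[j];
        return (int)FOLD_TABLE[i].n;
    }
    return 0;  /* no fold entry: nothing written */
}

/* Caller pattern: a stack buffer whose capacity is passed explicitly along
 * with the pointer, so the callee can enforce it. Returns the fold count. */
int expand_case_fold_count(uint32_t cp) {
    uint32_t buf[FOLD_BUF_LEN];
    return get_case_fold_codes(cp, buf, FOLD_BUF_LEN);
}

/* Returns 1 when a fold of cp is refused for a buffer of only cap entries
 * (cap must not exceed FOLD_BUF_LEN, the size of the scratch buffer). */
int guard_refuses_short_buffer(uint32_t cp, size_t cap) {
    uint32_t tmp[FOLD_BUF_LEN];
    if (cap > FOLD_BUF_LEN)
        return 0;
    return get_case_fold_codes(cp, tmp, cap) == -1;
}

int main(void) {
    printf("folds for U+004B: %d\n", expand_case_fold_count(0x4B));
    printf("result for 0xFFFFFFFF: %d\n", expand_case_fold_count(0xFFFFFFFFu));
    printf("3-way fold into 2 slots refused: %d\n",
           guard_refuses_short_buffer(0x1E9E, 2));
    return 0;
}
```

The design point is that the capacity travels with the pointer: the callee cannot know how much room the caller's stack buffer has unless it is told, and a table lookup on an unvalidated key is exactly the place where an out-of-range value turns into an out-of-bounds write. Compiling with -fsanitize=address and feeding the invalid code point is a quick way to confirm that the guarded version does not touch memory past the buffer.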

