Oniguruma: Multiple vulnerabilities (CVE-2019-13224, CVE-2019-13225, CVE-2019-16163)
CVE-2019-13224: use-after-free in onig_new_deluxe() in regext.c
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe().
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-13224
Patch:
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
CVE-2019-13225: null-pointer dereference in match_at() in regexec.c
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression.
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-13225
Patch:
https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
CVE-2019-16163: stack exhaustion in regcomp.c because of recursion in regparse.c
Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.
References:
https://github.com/kkos/oniguruma/issues/147
Patch:
https://github.com/kkos/oniguruma/commit/4097828d7cc87589864fecf452f2cd46c5f37180
Affected branches:
-
master (81bbfcc4) -
3.10-stable -
3.9-stable -
3.8-stable