oniguruma-6.8.2-2.1.el8_9

Errata ID: AXSA:2024-7538:01

Release date: Monday, February 26, 2024 - 13:36
Subject: oniguruma-6.8.2-2.1.el8_9
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description:

Oniguruma is a regular expressions library that supports a variety of character encodings.

Security Fix(es):

* oniguruma: Use-after-free in onig_new_deluxe() in regext.c (CVE-2019-13224)
* oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163)
* oniguruma: integer overflow in search_in_range function in regexec.c leads to out-of-bounds read (CVE-2019-19012)
* oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c (CVE-2019-19203)
* oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c (CVE-2019-19204)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) for the identifiers listed below.

CVE-2019-13224
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
CVE-2019-16163
Oniguruma before 6.9.3 allows stack exhaustion in regcomp.c because of recursion in regparse.c.
CVE-2019-19012
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression.
CVE-2019-19203
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read.
CVE-2019-19204
An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.
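Added illustration of the bug class behind CVE-2019-19204 (not Oniguruma's own code): a fetch macro over a pattern buffer that is not NUL-terminated, where every PFETCH is guarded by a PEND check so a truncated quantifier such as `{2,5` is rejected instead of being read past the end of the buffer. The names `cursor_t`, `fetch_number` and `parse_interval` are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed illustration of the CVE-2019-19204 bug class, not Oniguruma's
 * code.  The pattern buffer is NOT NUL-terminated, so the only way to know
 * where it ends is the explicit end pointer: every PFETCH must be guarded
 * by a PEND check, which is exactly what the vulnerable code omitted. */
typedef struct {
    const unsigned char *p;    /* current read position */
    const unsigned char *end;  /* one past the last valid byte */
} cursor_t;

#define PEND(c)       ((c)->p >= (c)->end)
#define PFETCH(c, v)  (*(v) = *(c)->p++)

/* Read decimal digits into *out; leaves the first non-digit in *ch.
 * Returns false on a truncated buffer or an absurdly large number. */
static bool fetch_number(cursor_t *c, unsigned char *ch, int *out, bool *any)
{
    int n = 0;
    *any = false;
    for (;;) {
        if (PEND(c)) return false;           /* the check the CVE lacked */
        PFETCH(c, ch);
        if (!isdigit(*ch)) break;
        *any = true;
        n = n * 10 + (*ch - '0');
        if (n > 100000) return false;        /* reject runaway counts */
    }
    *out = n;
    return true;
}

/* Parse an interval quantifier body ("n}", "n,}" or "n,m}", i.e. the text
 * after '{') of exactly len bytes.  hi == -1 means "no upper bound". */
bool parse_interval(const unsigned char *pat, size_t len, int *lo, int *hi)
{
    cursor_t c = { pat, pat + len };
    unsigned char ch;
    bool any;
    if (!fetch_number(&c, &ch, lo, &any) || !any) return false;
    if (ch == '}') { *hi = *lo; return true; }
    if (ch != ',') return false;
    if (!fetch_number(&c, &ch, hi, &any)) return false;
    if (ch != '}') return false;
    if (!any) { *hi = -1; return true; }   /* "{n,}" */
    return *lo <= *hi;
}
```

Removing the `PEND` check inside `fetch_number` reproduces the defect class: on the truncated input `2,5` the loop would dereference one byte past the buffer.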

Solution:

Update packages.

Additional Info:

N/A

Download:

SRPMS
  1. oniguruma-6.8.2-2.1.el8_9.src.rpm
    MD5: 02b36655e7ff904b8100c6e0ae838781
    SHA-256: cd6fd57479583734d561e7fa72808afe8a1877825004749343728aa9b03f3d7a
    Size: 958.27 kB

Asianux Server 8 for x86_64
  1. oniguruma-6.8.2-2.1.el8_9.i686.rpm
    MD5: 53abacaf7f2ec061b72b0f1fdd4a2b4c
    SHA-256: 54f8cc8bdd38f2de1163eeb159b5d218bd25059c111bbcd478b936c6d2ec8c30
    Size: 191.34 kB
  2. oniguruma-6.8.2-2.1.el8_9.x86_64.rpm
    MD5: 26dcebc3869da5e75000fb15e7c2e2d4
    SHA-256: 1aa805567fb1ac7427e446199fb748066268d21b7daed044483070baf1e09a05
    Size: 187.06 kB
  3. oniguruma-devel-6.8.2-2.1.el8_9.i686.rpm
    MD5: 400805ba28f91ac008c4810f94726948
    SHA-256: dda4d04091825c5efb84a019b429cbbe475723c29d9323ba026915239509bda6
    Size: 46.68 kB
  4. oniguruma-devel-6.8.2-2.1.el8_9.x86_64.rpm
    MD5: c8e27ee20e19eb12d66ad8ad05e006ba
    SHA-256: b8da468ab4297b143c7053bdc7da986101f9c10ab4257f3513bc85c6248aed8b
    Size: 46.65 kB