Debian Bug report logs - #931878
libonig: CVE-2019-13224 CVE-2019-13225


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 11 Jul 2019 19:39:02 UTC

Severity: important

Tags: pending, security, upstream

Found in version libonig/6.9.1-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Jörg Frings-Fürst <debian@jff.email>:
Bug#931878; Package src:libonig. (Thu, 11 Jul 2019 19:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Jörg Frings-Fürst <debian@jff.email>. (Thu, 11 Jul 2019 19:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libonig: CVE-2019-13224 CVE-2019-13225
Date: Thu, 11 Jul 2019 21:37:11 +0200
Source: libonig
Version: 6.9.1-1
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for libonig.

CVE-2019-13224[0]:
| A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2
| allows attackers to potentially cause information disclosure, denial
| of service, or possibly code execution by providing a crafted regular
| expression. The attacker provides a pair of a regex pattern and a
| string, with a multi-byte encoding that gets handled by
| onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as
| common optional libraries for PHP and Rust.


CVE-2019-13225[1]:
| A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma
| 6.9.2 allows attackers to potentially cause denial of service by
| providing a crafted regular expression. Oniguruma issues often affect
| Ruby, as well as common optional libraries for PHP and Rust.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13224
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224
[1] https://security-tracker.debian.org/tracker/CVE-2019-13225
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225

Please adjust the affected versions in the BTS as needed, for instance
stretch version not checked.

Regards,
Salvatore



Added tag(s) pending. Request was from Jörg Frings-Fürst <debian@jff.email> to control@bugs.debian.org. (Fri, 12 Jul 2019 09:39:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jörg Frings-Fürst <debian@jff.email>:
Bug#931878; Package src:libonig. (Fri, 12 Jul 2019 09:48:02 GMT)


Acknowledgement sent to debian@jff.email:
Extra info received and forwarded to list. Copy sent to Jörg Frings-Fürst <debian@jff.email>. (Fri, 12 Jul 2019 09:48:02 GMT)


Message #12 received at 931878@bugs.debian.org:

From: Jörg Frings-Fürst <debian@jff.email>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 931878@bugs.debian.org
Subject: Re: Bug#931878: libonig: CVE-2019-13224 CVE-2019-13225
Date: Fri, 12 Jul 2019 11:36:13 +0200
tags 931878 +pending
thanks

Hello Salvatore,

I have the libonig release 6.9.2 with both upstream fixes for the CVEs
ready for upload.

It is uploaded to mentors[1] and into the git[2].

Should the upload of the package be handled by the security team? 
Or can I take care of it myself? 

My changes:

  * New upstream release:
    - Refresh symbols file.
    - Refresh debian/patches/0100-source_typos.patch.
  * Rewrite debian/watch.
  * New debian/patches/0105-CVE-2019-13224.patch and
      debian/patches/0110-CVE-2019-13225.patch (Closes: #931878):
    - Fixes CVE-2019-13224: A use-after-free in onig_new_deluxe() in regext.c.
    - Fixes CVE-2019-13225: A NULL Pointer Dereference in match_at()
       in regexec.c.
  * Declare compliance with Debian Policy 4.4.0 (No changes needed).
  * Migrate to debhelper 12:
    - Change debian/compat to 12.
    - Bump minimum debhelper version in debian/control to >= 12.
    - debian/rules: Remove obsolete dh_install --fail-missing.

CU
Jörg


-- 
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB  30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key        : 8CA1D25D
CAcert Key S/N : 0E:D4:56

Old pgp Key: BE581B6E (revoked since 2014-12-31).

Jörg Frings-Fürst
D-54470 Lieser


git:      https://jff.email/cgit/

Threema:  SYR8SJXB
Wire:     @joergfringsfuerst
Skype:    joergpenguin
Ring:     jff
Telegram: @joergfringsfuerst


My wish list: 
 - Please send me a picture from the nature at your home.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jul 12 11:21:04 2019; Machine Name: buxtehude