Debian Bug report logs - #931878
libonig: CVE-2019-13224 CVE-2019-13225
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Jörg Frings-Fürst <debian@jff.email>: Bug#931878; Package src:libonig. (Thu, 11 Jul 2019 19:39:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Jörg Frings-Fürst <debian@jff.email>. (Thu, 11 Jul 2019 19:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libonig
Version: 6.9.1-1
Severity: important
Tags: security upstream
Hi,
The following vulnerabilities were published for libonig.
CVE-2019-13224[0]:
| A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2
| allows attackers to potentially cause information disclosure, denial
| of service, or possibly code execution by providing a crafted regular
| expression. The attacker provides a pair of a regex pattern and a
| string, with a multi-byte encoding that gets handled by
| onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as
| common optional libraries for PHP and Rust.
CVE-2019-13225[1]:
| A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma
| 6.9.2 allows attackers to potentially cause denial of service by
| providing a crafted regular expression. Oniguruma issues often affect
| Ruby, as well as common optional libraries for PHP and Rust.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-13224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224
[1] https://security-tracker.debian.org/tracker/CVE-2019-13225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225
Please adjust the affected versions in the BTS as needed, for instance
stretch version not checked.
Regards,
Salvatore
Added tag(s) pending. Request was from Jörg Frings-Fürst <debian@jff.email> to control@bugs.debian.org. (Fri, 12 Jul 2019 09:39:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Jörg Frings-Fürst <debian@jff.email>: Bug#931878; Package src:libonig. (Fri, 12 Jul 2019 09:48:02 GMT)
Acknowledgement sent to debian@jff.email: Extra info received and forwarded to list. Copy sent to Jörg Frings-Fürst <debian@jff.email>. (Fri, 12 Jul 2019 09:48:02 GMT)
Message #12 received at 931878@bugs.debian.org:
tags 931878 +pending
thanks
Hello Salvatore,
I have the libonig release 6.9.2 with both upstream fixes for the CVEs
ready for upload.
It is uploaded to mentors[1] and into the git[2].
Should the upload of the package be handled by the security team?
Or can I take care of it myself?
My changes:
* New upstream release:
  - Refresh symbols file.
  - Refresh debian/patches/0100-source_typos.patch.
* Rewrite debian/watch.
* New debian/patches/0105-CVE-2019-13224.patch and
  debian/patches/0110-CVE-2019-13225.patch (Closes: #931878):
  - Fixes CVE-2019-13224: A use-after-free in onig_new_deluxe() in regext.c.
  - Fixes CVE-2019-13225: A NULL Pointer Dereference in match_at()
    in regexec.c.
* Declare compliance with Debian Policy 4.4.0 (No changes needed).
* Migrate to debhelper 12:
  - Change debian/compat to 12.
  - Bump minimum debhelper version in debian/control to >= 12.
  - debian/rules: Remove obsolete dh_install --fail-missing.
CU
Jörg
--
New:
GPG Fingerprint: 63E0 075F C8D4 3ABB 35AB 30EE 09F8 9F3C 8CA1 D25D
GPG key (long) : 09F89F3C8CA1D25D
GPG Key : 8CA1D25D
CAcert Key S/N : 0E:D4:56
Old pgp Key: BE581B6E (revoked since 2014-12-31).
Jörg Frings-Fürst
D-54470 Lieser
git: https://jff.email/cgit/
Threema: SYR8SJXB
Wire: @joergfringsfuerst
Skype: joergpenguin
Ring: jff
Telegram: @joergfringsfuerst
My wish list:
- Please send me a picture from the nature at your home.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Fri Jul 12 11:21:04 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.