CVE-2019-13224

Published: 10 July 2019

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

From the Ubuntu security team

It was discovered that Oniguruma incorrectly handled certain regular expressions. An attacker could possibly use this issue to obtain sensitive information, cause a denial of service or execute arbitrary code.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
groonga Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Needed
	Ubuntu 20.04 LTS (Focal Fossa)	Needed
	Ubuntu 18.04 LTS (Bionic Beaver)	Needed
	Ubuntu 16.04 LTS (Xenial Xerus)	Needed
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
libevhtp Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Not vulnerable (code not present)
	Ubuntu 20.04 LTS (Focal Fossa)	Not vulnerable (code not present)
	Ubuntu 18.04 LTS (Bionic Beaver)	Not vulnerable (code not present)
	Ubuntu 16.04 LTS (Xenial Xerus)	Needed
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
libonig Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Released (6.9.2-1)
	Ubuntu 20.04 LTS (Focal Fossa)	Released (6.9.2-1)
	Ubuntu 18.04 LTS (Bionic Beaver)	Needed
	Ubuntu 16.04 LTS (Xenial Xerus)	Needed
	Ubuntu 14.04 ESM (Trusty Tahr)	Needed
mudlet Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Needed
	Ubuntu 18.04 LTS (Bionic Beaver)	Needed
	Ubuntu 16.04 LTS (Xenial Xerus)	Needed
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
php5 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Released (5.5.9+dfsg-1ubuntu4.29+esm4)
php7.0 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Not vulnerable (7.0.33-0ubuntu0.16.04.5)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Binaries built from this source package are in Universe and so are supported by the community.
php7.2 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Not vulnerable (7.2.19-0ubuntu0.18.04.1)
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Binaries built from this source package are in Universe and so are supported by the community.
php7.3 Launchpad, Ubuntu, Debian	Upstream	Needs triage

	Ubuntu 20.10 (Groovy Gorilla)	Does not exist
	Ubuntu 20.04 LTS (Focal Fossa)	Does not exist
	Ubuntu 18.04 LTS (Bionic Beaver)	Does not exist
	Ubuntu 16.04 LTS (Xenial Xerus)	Does not exist
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist
	Binaries built from this source package are in Universe and so are supported by the community.

Notes

Author	Note
ebarretto	libevhtp doesn't ship oniguruma regex library since 1.2.15-1
mdeslaur	doesn't look like php uses the vulnerable function

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931878

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM