Your submission was sent successfully! Close

CVE-2019-13224

Published: 10 July 2019

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

From the Ubuntu security team

It was discovered that Oniguruma incorrectly handled certain regular expressions. An attacker could possibly use this issue to obtain sensitive information, cause a denial of service or execute arbitrary code.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
groonga
Launchpad, Ubuntu, Debian
bionic Needed

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needed

groovy Ignored
(reached end-of-life)
hirsute Ignored
(reached end-of-life)
impish Needed

jammy Needed

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needed)
libevhtp
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
cosmic Not vulnerable
(code not present)
disco Not vulnerable
(code not present)
eoan Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
groovy Not vulnerable
(code not present)
hirsute Not vulnerable
(code not present)
impish Not vulnerable
(code not present)
jammy Not vulnerable
(code not present)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needed)
libonig
Launchpad, Ubuntu, Debian
bionic Needed

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan
Released (6.9.2-1)
focal
Released (6.9.2-1)
groovy
Released (6.9.2-1)
hirsute
Released (6.9.2-1)
impish
Released (6.9.2-1)
jammy
Released (6.9.2-1)
precise Does not exist

trusty Needed

upstream Needs triage

xenial Ignored
(end of standard support, was needed)
mudlet
Launchpad, Ubuntu, Debian
bionic Needed

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Needed

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needed)
php5
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise
Released (5.3.10-1ubuntu3.38)
trusty
Released (5.5.9+dfsg-1ubuntu4.29+esm4)
upstream Needs triage

xenial Does not exist

php7.0
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Not vulnerable
(7.0.33-0ubuntu0.16.04.5)
php7.2
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(7.2.19-0ubuntu0.18.04.1)
cosmic Not vulnerable
(7.2.19-0ubuntu0.18.10.1)
disco Not vulnerable
(7.2.19-0ubuntu0.19.04.1)
eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

php7.3
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Not vulnerable

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist