CVE-2019-19203

Published: 21 November 2019

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking whether it has passed the end of the matched string. This leads to a heap-based buffer over-read.
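The defect class described above is an encoding-length routine that peeks at the byte after a lead byte without knowing where the buffer ends. The following C example is added here to illustrate that pattern and its bounds-checked counterpart; it is not the Oniguruma source or the upstream patch. The `UChar` typedef, the `MBCLEN_NEEDMORE` return value, the helper names and the sample bytes are all assumptions constructed for the example; only the GB18030 byte ranges (lead byte 0x81..0xFE, four-byte sequences signalled by a second byte in 0x30..0x39) are general encoding facts.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned char UChar;   /* byte type, named after the one in the CVE text (assumption) */

/* Hypothetical "need more input" code, negative so it cannot be mistaken
 * for a byte length (assumption, not the project's own constant). */
#define MBCLEN_NEEDMORE (-1)

/* GB18030 byte classes used to decide the sequence length. */
static int is_gb18030_lead(UChar c) { return c >= 0x81 && c <= 0xFE; }
static int is_gb18030_four_byte_second(UChar c) { return c >= 0x30 && c <= 0x39; }

/* Unchecked pattern (constructed illustration, not the upstream function):
 * the length is decided by reading p[1] without an end pointer, so a lead
 * byte sitting as the last byte of the buffer causes a one-byte over-read. */
int enc_len_unchecked(const UChar* p)
{
  if (!is_gb18030_lead(*p)) return 1;
  if (is_gb18030_four_byte_second(p[1])) return 4;   /* over-read when p + 1 == end */
  return 2;
}

/* Hardened pattern: take the end pointer and never read at or beyond it. */
int enc_len_checked(const UChar* p, const UChar* end)
{
  if (p >= end) return MBCLEN_NEEDMORE;
  if (!is_gb18030_lead(*p)) return 1;
  if (p + 1 >= end) return MBCLEN_NEEDMORE;          /* second byte is outside the buffer */
  if (is_gb18030_four_byte_second(p[1])) return 4;
  return 2;
}

/* Convenience wrapper so a caller can pass a buffer and its length. */
int checked_len_of(const char* s, size_t n)
{
  const UChar* p = (const UChar*)s;
  return enc_len_checked(p, p + n);
}

/* Walk a buffer character by character. Returns the number of complete
 * characters, or -1 if the buffer ends inside a multibyte sequence. */
int count_chars(const UChar* s, size_t n)
{
  const UChar* p = s;
  const UChar* end = s + n;
  int count = 0;
  while (p < end) {
    int len = enc_len_checked(p, end);
    if (len == MBCLEN_NEEDMORE) return -1;
    if (p + len > end) return -1;   /* declared length exceeds what remains */
    p += len;
    count++;
  }
  return count;
}

int main(void)
{
  /* Constructed sample: 'a', the two-byte sequence 0xB0 0xA1, and a
   * dangling lead byte 0x81 with nothing after it. */
  const UChar sample[] = { 'a', 0xB0, 0xA1, 0x81 };
  printf("all 4 bytes: %d\n", count_chars(sample, sizeof sample));  /* -1, truncated */
  printf("first 3 bytes: %d\n", count_chars(sample, 3));           /* 2 */
  return 0;
}
```

The checked variant reports a truncated sequence instead of reading past the buffer; a caller that treats `MBCLEN_NEEDMORE` as an error (as `count_chars` does) is the behaviour a fuzzer or ASan build would confirm as clean, whereas `enc_len_unchecked` on the same trailing lead byte is exactly the read that sanitizers flag.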

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: libonig (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Needs triage
Ubuntu 20.10 (Groovy Gorilla)      Not vulnerable (6.9.4-1)
Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (6.9.4-1)
Ubuntu 18.04 LTS (Bionic Beaver)   Needed
Ubuntu 16.04 LTS (Xenial Xerus)    Needed
Ubuntu 14.04 ESM (Trusty Tahr)     Needed

Patches:
Upstream: https://github.com/kkos/oniguruma/commit/aa0188eaedc056dca8374ac03d0177429b495515