CVE-2019-13224

Published: 10 July 2019

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

From the Ubuntu Security Team

It was discovered that Oniguruma incorrectly handled certain regular expressions. An attacker could possibly use this issue to obtain sensitive information, cause a denial of service or execute arbitrary code.

Notes

Author	Note
ebarretto	libevhtp doesn't ship oniguruma regex library since 1.2.15-1
mdeslaur	doesn't look like php uses the vulnerable function

Priority

Cvss 3 Severity Score

9.8

Score breakdown

Status

Package	Release	Status
groonga Launchpad, Ubuntu, Debian	bionic	Needed
	cosmic	Ignored (end of life)
	disco	Ignored (end of life)
	eoan	Ignored (end of life)
	focal	Needed
	groovy	Ignored (end of life)
	hirsute	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Needed
	kinetic	Ignored (end of life, was needed)
	lunar	Ignored (end of life, was needed)
	mantic	Needed
	noble	Needed
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needed
libevhtp Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	cosmic	Not vulnerable (code not present)
	disco	Not vulnerable (code not present)
	eoan	Not vulnerable (code not present)
	focal	Not vulnerable (code not present)
	groovy	Not vulnerable (code not present)
	hirsute	Not vulnerable (code not present)
	impish	Not vulnerable (code not present)
	jammy	Not vulnerable (code not present)
	kinetic	Not vulnerable (code not present)
	lunar	Not vulnerable (code not present)
	mantic	Not vulnerable (code not present)
	noble	Not vulnerable (code not present)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needed
libonig Launchpad, Ubuntu, Debian	bionic	Released (6.7.0-1ubuntu0.1~esm1) Available with Ubuntu Pro
	cosmic	Ignored (end of life)
	disco	Ignored (end of life)
	eoan	Released (6.9.2-1)
	focal	Released (6.9.2-1)
	groovy	Released (6.9.2-1)
	hirsute	Released (6.9.2-1)
	impish	Released (6.9.2-1)
	jammy	Released (6.9.2-1)
	kinetic	Released (6.9.2-1)
	lunar	Released (6.9.2-1)
	mantic	Released (6.9.2-1)
	noble	Released (6.9.2-1)
	trusty	Released (5.9.1-1ubuntu1.1+esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	upstream	Needs triage
	xenial	Released (5.9.6-1ubuntu0.1+esm1) Available with Ubuntu Pro
mudlet Launchpad, Ubuntu, Debian	bionic	Needed
	cosmic	Ignored (end of life)
	disco	Ignored (end of life)
	eoan	Ignored (end of life)
	focal	Needed
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	noble	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needed
php5 Launchpad, Ubuntu, Debian	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	noble	Does not exist
	trusty	Released (5.5.9+dfsg-1ubuntu4.29+esm4) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	upstream	Needs triage
	xenial	Does not exist
php7.0 Launchpad, Ubuntu, Debian	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	noble	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Not vulnerable (7.0.33-0ubuntu0.16.04.5)
	Binaries built from this source package are in Universe and so are supported by the community.
php7.2 Launchpad, Ubuntu, Debian	bionic	Not vulnerable (7.2.19-0ubuntu0.18.04.1)
	cosmic	Not vulnerable (7.2.19-0ubuntu0.18.10.1)
	disco	Not vulnerable (7.2.19-0ubuntu0.19.04.1)
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	noble	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	Binaries built from this source package are in Universe and so are supported by the community.
php7.3 Launchpad, Ubuntu, Debian	bionic	Does not exist
	cosmic	Does not exist
	disco	Does not exist
	eoan	Not vulnerable
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	mantic	Does not exist
	noble	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
	Binaries built from this source package are in Universe and so are supported by the community.

Severity score breakdown

Parameter	Value
Base score	9.8
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931878

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›