libonig5-6.9.7.1-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11111-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libonig5-6.9.7.1-1.2 on GA media These are all security issues fixed in the libonig5-6.9.7.1-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11111 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-13224/ SUSE CVE CVE-2019-13224 page https://www.suse.com/security/cve/CVE-2019-13225/ SUSE CVE CVE-2019-13225 page https://www.suse.com/security/cve/CVE-2019-19012/ SUSE CVE CVE-2019-19012 page https://www.suse.com/security/cve/CVE-2019-19203/ SUSE CVE CVE-2019-19203 page https://www.suse.com/security/cve/CVE-2019-19204/ SUSE CVE CVE-2019-19204 page https://www.suse.com/security/cve/CVE-2019-19246/ SUSE CVE CVE-2019-19246 page https://www.suse.com/security/cve/CVE-2020-26159/ SUSE CVE CVE-2020-26159 page openSUSE Tumbleweed libonig5-6.9.7.1-1.2 oniguruma-devel-6.9.7.1-1.2 libonig5-6.9.7.1-1.2 as a component of openSUSE Tumbleweed oniguruma-devel-6.9.7.1-1.2 as a component of openSUSE Tumbleweed A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. CVE-2019-13224 openSUSE Tumbleweed:libonig5-6.9.7.1-1.2 openSUSE Tumbleweed:oniguruma-devel-6.9.7.1-1.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-13224.html CVE-2019-13224 https://bugzilla.suse.com/1142847 SUSE Bug 1142847 https://bugzilla.suse.com/1203568 SUSE Bug 1203568 A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. CVE-2019-13225 openSUSE Tumbleweed:libonig5-6.9.7.1-1.2 openSUSE Tumbleweed:oniguruma-devel-6.9.7.1-1.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-13225.html CVE-2019-13225 https://bugzilla.suse.com/1141157 SUSE Bug 1141157 An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression. CVE-2019-19012 openSUSE Tumbleweed:libonig5-6.9.7.1-1.2 openSUSE Tumbleweed:oniguruma-devel-6.9.7.1-1.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-19012.html CVE-2019-19012 https://bugzilla.suse.com/1156984 SUSE Bug 1156984 An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read. CVE-2019-19203 openSUSE Tumbleweed:libonig5-6.9.7.1-1.2 openSUSE Tumbleweed:oniguruma-devel-6.9.7.1-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-19203.html CVE-2019-19203 https://bugzilla.suse.com/1164550 SUSE Bug 1164550 https://bugzilla.suse.com/1203568 SUSE Bug 1203568 An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read. CVE-2019-19204 openSUSE Tumbleweed:libonig5-6.9.7.1-1.2 openSUSE Tumbleweed:oniguruma-devel-6.9.7.1-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-19204.html CVE-2019-19204 https://bugzilla.suse.com/1164569 SUSE Bug 1164569 https://bugzilla.suse.com/1203568 SUSE Bug 1203568 Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c. CVE-2019-19246 openSUSE Tumbleweed:libonig5-6.9.7.1-1.2 openSUSE Tumbleweed:oniguruma-devel-6.9.7.1-1.2 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-19246.html CVE-2019-19246 https://bugzilla.suse.com/1157805 SUSE Bug 1157805 https://bugzilla.suse.com/1203568 SUSE Bug 1203568 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Further investigation showed that it was not a security issue. Notes: none. CVE-2020-26159 openSUSE Tumbleweed:libonig5-6.9.7.1-1.2 openSUSE Tumbleweed:oniguruma-devel-6.9.7.1-1.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-26159.html CVE-2020-26159 https://bugzilla.suse.com/1177179 SUSE Bug 1177179 https://bugzilla.suse.com/1203568 SUSE Bug 1203568