A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. Reference: https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
Created oniguruma tracking bugs for this issue: Affects: epel-7 [bug 1728972] Affects: fedora-all [bug 1728971]
(In reply to Dhananjay Arunesh from comment #0) > A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows > attackers to potentially cause information disclosure, denial of service, or > possibly code execution by providing a crafted regular expression. The > attacker provides a pair of a regex pattern and a string, with a multi-byte > encoding that gets handled by onig_new_deluxe(). Oniguruma issues often > affect Ruby, as well as common optional libraries for PHP and Rust. > > Reference: > https://github.com/kkos/oniguruma/commit/ > 0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 This change is a-sort-of API, not a fix for the function but essentially obsoletion of the function, and currently I am unsure if I should apply this "change" as it is.
For F-30, F-29 (and for now for F-31) I decided not to use the upstream change but use another fix.
The following containers are packaged with OpenShift 4.x and contain a vulnerable version of oniguruma (5.9.x): - openshift4/ose-metering-hadoop - openshift4/ose-metering-hive - openshift4/ose-metering-presto However, these containers include oniguruma but do not use it. This includes faq and jq which may use oniguruma, and are included within the containers but likewise, are unused. Additionally, when the associated jq version uses the oniguruma library it does not call the vulnerable function onig_new_deluxe().
Statement: Ruby versions are not affected as they used Onigmo, which is a fork of Oniguruma, instead. The Onigmo library doesn't includes the source code containing the related bug.
There's an issue when using different encodings in onig_new_deluxe() function. Under the right circumstances a user-after-free may be caused when Oniguruma fails to compile the regular expression. This flaw may be leveraged by an attacker to expose heap data or cause DoS by crafting a regular expression which triggers the bug.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-13224
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0409 https://access.redhat.com/errata/RHSA-2024:0409
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:0572 https://access.redhat.com/errata/RHSA-2024:0572
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0889 https://access.redhat.com/errata/RHSA-2024:0889