Test ID: 1.3.6.1.4.1.25623.1.1.10.2020.0029
Category: Mageia Linux Local Security Checks
Title: Mageia: Security Advisory (MGASA-2020-0029)
Summary: The remote host is missing an update for the 'oniguruma' package(s) announced via the MGASA-2020-0029 advisory.
Description:
Summary:
The remote host is missing an update for the 'oniguruma' package(s) announced via the MGASA-2020-0029 advisory.

Vulnerability Insight:
Updated oniguruma packages fix security vulnerabilities:

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2
allows attackers to potentially cause information disclosure, denial
of service, or possibly code execution by providing a crafted regular
expression. The attacker provides a pair of a regex pattern and a string,
with a multi-byte encoding that gets handled by onig_new_deluxe()
(CVE-2019-13224).

A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2
allows attackers to potentially cause denial of service by providing a
crafted regular expression (CVE-2019-13225).

Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of
recursion in regparse.c (CVE-2019-16163).

An integer overflow in the search_in_range function in regexec.c leads to
an out-of-bounds read, in which the offset of this read is under the
control of an attacker. (This only affects the 32-bit compiled version).
Remote attackers can cause a denial-of-service or information disclosure,
or possibly have unspecified other impact, via a crafted regular expression
(CVE-2019-19012).

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function
gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced
without checking if it passed the end of the matched string. This leads to
a heap-based buffer over-read (CVE-2019-19203).

In the function fetch_range_quantifier in regparse.c, PFETCH is called
without checking PEND. This leads to a heap-based buffer over-read and
can lead to denial-of-service via a crafted regular expression
(CVE-2019-19204).

Heap-based buffer over-read in str_lower_case_match in regexec.c can lead
to denial-of-service via a crafted regular expression (CVE-2019-19246).
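The two defect patterns behind the entries above are a parser cursor that is dereferenced without first checking whether it has reached the end of its buffer (CVE-2019-19203, CVE-2019-19204, CVE-2019-19246) and a search bound computed with arithmetic that wraps on a 32-bit build (CVE-2019-19012). The following C program is an added illustration of both classes in general form, written for this page; it is not Oniguruma's code and not part of the Greenbone test. The function and type names (parse_quantifier_unchecked, parse_quantifier_checked, search_end_unchecked, search_end_checked, quant_demo) and the inputs are this example's own constructions, and the 32-bit case is modelled with uint32_t offsets rather than with pointers.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration of the two bug classes named in the advisory:
 *  (a) a parser cursor dereferenced and advanced without first checking
 *      that it has reached the end of its buffer (PFETCH without PEND);
 *  (b) a search bound computed with arithmetic that wraps on a 32-bit
 *      build, so the resulting offset is attacker-chosen.
 * All names here are this example's own, not Oniguruma's functions.
 */

/* ---- (a) range quantifier "{lo,hi}" --------------------------------- */

/* Pre-fix style: fetches bytes without ever consulting `end`.
 * Returns 1 on success, -1 on a syntax error; it cannot report truncation. */
int parse_quantifier_unchecked(const unsigned char *p, const unsigned char *end,
                               int *lo, int *hi)
{
    (void)end;                                   /* never consulted: the bug */
    if (*p++ != '{') return -1;
    for (*lo = 0; *p >= '0' && *p <= '9'; p++) *lo = *lo * 10 + (*p - '0');
    if (*p++ != ',') return -1;
    for (*hi = 0; *p >= '0' && *p <= '9'; p++) *hi = *hi * 10 + (*p - '0');
    if (*p++ != '}') return -1;
    return 1;
}

/* Fixed style: an end-of-buffer test before every fetch.
 * Returns 1 on success, 0 if the pattern ends early, -1 on a syntax error. */
int parse_quantifier_checked(const unsigned char *p, const unsigned char *end,
                             int *lo, int *hi)
{
    if (p >= end) return 0;
    if (*p++ != '{') return -1;
    for (*lo = 0; p < end && *p >= '0' && *p <= '9'; p++) *lo = *lo * 10 + (*p - '0');
    if (p >= end) return 0;
    if (*p++ != ',') return -1;
    for (*hi = 0; p < end && *p >= '0' && *p <= '9'; p++) *hi = *hi * 10 + (*p - '0');
    if (p >= end) return 0;
    if (*p++ != '}') return -1;
    return 1;
}

typedef struct { int unchecked_rc, unchecked_hi, checked_rc; } quant_demo;

/* Feeds both parsers the truncated pattern "{3,". The pattern is placed
 * inside a larger constructed buffer so the unchecked parser's over-read
 * lands on bytes we control ("5}") rather than on out-of-bounds heap memory;
 * the hi value it returns shows that data past `end` was consumed. */
quant_demo run_quantifier_demo(void)
{
    static const unsigned char buf[] = "{3,5}";   /* constructed input */
    const unsigned char *end = buf + 3;           /* logical pattern: "{3," */
    quant_demo r = {0, 0, 0};
    int lo = 0, hi = 0;
    r.unchecked_rc = parse_quantifier_unchecked(buf, end, &lo, &hi);
    r.unchecked_hi = hi;                          /* 5, read from beyond end */
    lo = hi = 0;
    r.checked_rc = parse_quantifier_checked(buf, end, &lo, &hi);
    return r;
}

/* ---- (b) search window bound ---------------------------------------- */

/* Models a 32-bit build: offsets are 32 bits wide, so start+range wraps.
 * Returns the (possibly wrapped) end offset, as pre-fix code would use it. */
uint32_t search_end_unchecked(uint32_t start, uint32_t range)
{
    return start + range;                         /* wraps modulo 2^32 */
}

/* Returns 1 and writes *end_off only if start+range fits inside the subject
 * length `len` without wrapping; otherwise returns 0 and the caller must
 * reject the search instead of reading at a wrapped offset. */
int search_end_checked(uint32_t start, uint32_t range, uint32_t len,
                       uint32_t *end_off)
{
    if (start > len || range > len - start) return 0;
    *end_off = start + range;
    return 1;
}

int main(void)
{
    quant_demo q = run_quantifier_demo();
    uint32_t e = 0;
    printf("unchecked parser: rc=%d hi=%d (read past end)\n", q.unchecked_rc, q.unchecked_hi);
    printf("checked parser:   rc=%d (truncated)\n", q.checked_rc);
    printf("unchecked bound:  %u (wrapped)\n", search_end_unchecked(0x10u, 0xFFFFFFF0u));
    printf("checked bound:    %s\n",
           search_end_checked(0x10u, 0xFFFFFFF0u, 4096u, &e) ? "ok" : "rejected");
    return 0;
}
```

The checked parser reports truncation as a distinct result (0) rather than folding it into the syntax-error path, so a caller can tell "pattern ended inside a quantifier" apart from "malformed quantifier"; the bound check is written as `range > len - start` after confirming `start <= len`, which cannot itself overflow, instead of testing `start + range > len`, which is exactly the expression that wraps.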

Affected Software/OS:
'oniguruma' package(s) on Mageia 7.

Solution:
Please install the updated 'oniguruma' package(s). Processes that already have the shared library loaded (for example a PHP interpreter using mbstring) keep the vulnerable copy in memory until they are restarted.

CVSS Score:
7.5

CVSS Vector (v2):
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Reference: Common Vulnerability Exposure (CVE) ID: CVE-2019-13224
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JWCPDTZOIUKGMFAD5NAKUB7FPJFAIQN5/
https://security.gentoo.org/glsa/201911-03
https://lists.debian.org/debian-lts-announce/2019/07/msg00013.html
https://usn.ubuntu.com/4088-1/
Common Vulnerability Exposure (CVE) ID: CVE-2019-13225
Common Vulnerability Exposure (CVE) ID: CVE-2019-16163
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZW47MSFZ6WYOAOFXHBDGU4LYACFRKC2Y/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWOWZZNFSAWM3BUTQNAE3PD44A6JU4KE/
https://github.com/kkos/oniguruma/commit/4097828d7cc87589864fecf452f2cd46c5f37180
https://github.com/kkos/oniguruma/compare/v6.9.2...v6.9.3
https://github.com/kkos/oniguruma/issues/147
https://lists.debian.org/debian-lts-announce/2019/09/msg00010.html
https://usn.ubuntu.com/4460-1/
Common Vulnerability Exposure (CVE) ID: CVE-2019-19012
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
https://github.com/kkos/oniguruma/issues/164
https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
https://github.com/tarantula-team/CVE-2019-19012
https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html
Common Vulnerability Exposure (CVE) ID: CVE-2019-19203
https://github.com/ManhNDd/CVE-2019-19203
https://github.com/kkos/oniguruma/issues/163
https://github.com/tarantula-team/CVE-2019-19203
Common Vulnerability Exposure (CVE) ID: CVE-2019-19204
https://github.com/ManhNDd/CVE-2019-19204
https://github.com/kkos/oniguruma/issues/162
https://github.com/tarantula-team/CVE-2019-19204
Common Vulnerability Exposure (CVE) ID: CVE-2019-19246
https://bugs.php.net/bug.php?id=78559
https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b
Copyright: Copyright (C) 2022 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.