Bugzilla – Bug 1141157
VUL-0: CVE-2019-13225: oniguruma: null-pointer dereference in match_at() in regexec.c
Last modified: 2024-07-11 09:09:57 UTC
CVE-2019-13225 A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. Upstream commit: https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c References: https://bugzilla.redhat.com/show_bug.cgi?id=1728965 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13225 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225 https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
There's a suitable backport in Fedora EPEL 7: https://src.fedoraproject.org/rpms/oniguruma/blob/epel7/f/oniguruma-6.8.2-CVE-2019-13225-fix.patch https://build.suse.de/request/show/337251
SUSE-SU-2024:2401-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1141157 CVE References: CVE-2019-13225 Maintenance Incident: [SUSE:Maintenance:34712](https://smelt.suse.de/incident/34712/) Sources used: SUSE Linux Enterprise Micro for Rancher 5.4 (src): oniguruma-6.7.0-150000.3.6.1 SUSE Linux Enterprise Micro 5.4 (src): oniguruma-6.7.0-150000.3.6.1 SUSE Linux Enterprise Micro 5.5 (src): oniguruma-6.7.0-150000.3.6.1 Basesystem Module 15-SP5 (src): oniguruma-6.7.0-150000.3.6.1 Basesystem Module 15-SP6 (src): oniguruma-6.7.0-150000.3.6.1 SUSE Linux Enterprise Micro 5.1 (src): oniguruma-6.7.0-150000.3.6.1 SUSE Linux Enterprise Micro 5.2 (src): oniguruma-6.7.0-150000.3.6.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): oniguruma-6.7.0-150000.3.6.1 openSUSE Leap 15.5 (src): oniguruma-6.7.0-150000.3.6.1 openSUSE Leap 15.6 (src): oniguruma-6.7.0-150000.3.6.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): oniguruma-6.7.0-150000.3.6.1 SUSE Linux Enterprise Micro 5.3 (src): oniguruma-6.7.0-150000.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Released.