NVD Vulnerability Detail

CVE-2019-19012

Summary	An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression.
Publication Date	Nov. 18, 2019, 3:15 a.m.
Registration Date	Jan. 26, 2021, 11:40 a.m.
Last Update	Nov. 21, 2024, 1:33 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oniguruma_project:oniguruma:6.9.4:rc1::::::
cpe:2.3:a:oniguruma_project:oniguruma::::::::	6.0.0	6.9.3

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:fedoraproject:fedora:30:::::::*
cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
cpe:2.3:o:fedoraproject:fedora:31:::::::*

Related information, measures and tools

No	URL	タグ
1	https://github.com/kkos/oniguruma/issues/164	Exploit Patch Third Party Advisory
2	https://github.com/kkos/oniguruma/issues/164	Exploit Patch Third Party Advisory
3	https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2	Third Party Advisory
4	https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2	Third Party Advisory
5	https://github.com/tarantula-team/CVE-2019-19012	Exploit Third Party Advisory
6	https://github.com/tarantula-team/CVE-2019-19012	Exploit Third Party Advisory
7	https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html	Third Party Advisory
8	https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html	Third Party Advisory
9	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
10	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
11	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL/
12	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL/
13	https://usn.ubuntu.com/4460-1/
14	https://usn.ubuntu.com/4460-1/

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-125	境界外読み取り	https://cwe.mitre.org/data/definitions/125.html
2	CWE-190	整数オーバーフローまたはラップアラウンド	https://cwe.mitre.org/data/definitions/190.html

JVN Vulnerability Information

Oniguruma における整数オーバーフローの脆弱性

Title	Oniguruma における整数オーバーフローの脆弱性
Summary	Oniguruma には、整数オーバーフローの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 14, 2019, midnight
Registration Date	Nov. 25, 2019, 2:08 p.m.
Last Update	Nov. 25, 2019, 2:08 p.m.

Affected System

Oniguruma project

Oniguruma 6.9.4_rc2 未満の 6.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-19012	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19012
National Vulnerability Database (NVD)
2	CVE-2019-19012	https://nvd.nist.gov/vuln/detail/CVE-2019-19012

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-190	https://cwe.mitre.org/data/definitions/190.html

ベンダー情報

No	Name	URL
GitHub
1	6.9.4 Release Candidate 2	https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
2	Integer overflow related to reg->dmax in search_in_range (regexec.c) #164	https://github.com/kkos/oniguruma/issues/164

Change Log

No	Changed Details	Date of change
1	[2019年11月25日] 掲載	Nov. 25, 2019, 2:08 p.m.