-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.3899.2
                          libonig security update
                              1 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libonig
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26159 CVE-2019-19246 CVE-2019-19204
                   CVE-2019-19203 CVE-2019-19012 CVE-2019-16163
                   CVE-2019-13224  

Reference:         ESB-2020.3072
                   ESB-2020.2827
                   ESB-2019.4556
                   ESB-2019.3485

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/11/msg00006.html
   https://www.debian.org/lts/security/2021/dla-2431-2

Comment: This bulletin contains two (2) Debian security advisories.

Revision History:  February 1 2021: Patch for CVE-2020-26159 reverted due to false positive
                   November 6 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2431-1               debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Markus Koschany
November 05, 2020                            https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : libonig
Version        : 6.1.3-2+deb9u1
CVE ID         : CVE-2019-13224 CVE-2019-16163 CVE-2019-19012
                 CVE-2019-19203 CVE-2019-19204 CVE-2019-19246
                 CVE-2020-26159
Debian Bug     : 931878 939988 944959 945312 945313 946344 972113

Several vulnerabilities were discovered in the Oniguruma regular
expressions library, notably used in PHP mbstring.

CVE-2019-13224

   A use-after-free in onig_new_deluxe() in regext.c allows
   attackers to potentially cause information disclosure, denial of
   service, or possibly code execution by providing a crafted regular
   expression. The attacker provides a pair of a regex pattern and a
   string, with a multi-byte encoding that gets handled by
   onig_new_deluxe().

CVE-2019-16163

    Oniguruma allows Stack Exhaustion in regcomp.c because of recursion
    in regparse.c.

CVE-2019-19012

    An integer overflow in the search_in_range function in regexec.c in
    Onigurama leads to an out-of-bounds read, in which the offset of
    this read is under the control of an attacker. (This only affects
    the 32-bit compiled version). Remote attackers can cause a
    denial-of-service or information disclosure, or possibly have
    unspecified other impact, via a crafted regular expression.

CVE-2019-19203

    An issue was discovered in Oniguruma. In the function
    gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is
    dereferenced without checking if it passed the end of the matched
    string. This leads to a heap-based buffer over-read.

CVE-2019-19204

    An issue was discovered in Oniguruma. In the function
    fetch_interval_quantifier (formerly known as fetch_range_quantifier)
    in regparse.c, PFETCH is called without checking PEND. This leads to
    a heap-based buffer over-read.

CVE-2019-19246

    Oniguruma has a heap-based buffer over-read in str_lower_case_match
    in regexec.c.

CVE-2020-26159

    In Oniguruma an attacker able to supply a regular expression for
    compilation may be able to overflow a buffer by one byte in
    concat_opt_exact_str in src/regcomp.c

For Debian 9 stretch, these problems have been fixed in version
6.1.3-2+deb9u1.

We recommend that you upgrade your libonig packages.

For the detailed security status of libonig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libonig

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl+jVXVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRyuA/8DsmKwP4PqQ7ud9HQ/jkpqF6EdEpYJKTWFLvpeNW5RKuwRwI0XVXEfaVE
IQKdtu17GUYJIWDvvvS0RLzlqoEeiHvEfKZBMHRid7sxn6ydu3w4NE4vL1j5joIo
aNSRXWwSe6a5Z17x9n6QJ9QRgKCtWCCnO7H4iYM7WUzcXQqcT+EIj3CPnBcz2Yz1
kd/1csK8JJms2quxFdI34I+fdr1lIhX+KPWzGxcBs5cmKQ/Tk8NV5pCt77dfyGzk
dFiu6UivaAvcwmi3edvLT+lFkZF05j27hIyt+RbMjDzQ0E4hYeYqGAVrJVUkZyFT
dB+7gGHxD2xYgox3G5AAIfBCxEe88VY+w1JsV51NztRYZLi2xJPwnjZnVv10ZaG1
mA47tbeiSrc6iOHXZgw/kr1LL0+5/LxvtOMhC5Z5VwTAdk8SvUGU/eN1vnhYw5Jw
G1tIssLYddKj9ttIbpm/gzC3fm4QyxjYETg3q7275eq1E2hCWqD81SCwszjVe+sV
IPn84OokjMo5SWkX6YSunGXCGYD9MIkGeHkFKoDhI2DKbbBJcdEbb5iFAkG/sZLf
U7hABzCVVE6ZSdwq20yjuHBpxqUZeKeog6O/L20TzsVvGNeHMJAyb8L+5kNDpoZU
EbG57R3WtwP5UbGUvGnLsIUBrKrpvNXdpq+4Fh1KKd2L8byQk1g=
=JaKD
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2431-2                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
January 30, 2021                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : libonig
Version        : 6.1.3-2+deb9u2
CVE ID         : CVE-2020-26159

It was discovered that CVE-2020-26159 in the Oniguruma regular
expressions library, notably used in PHP mbstring, was a false-positive. In
consequence the patch for CVE-2020-26159 was reverted. For reference, the
original advisory text follows.

CVE-2020-26159

    In Oniguruma an attacker able to supply a regular expression for
    compilation may be able to overflow a buffer by one byte in
    concat_opt_exact_str in src/regcomp.c

For Debian 9 stretch, this problem has been fixed in version
6.1.3-2+deb9u2.

We recommend that you upgrade your libonig packages.

For the detailed security status of libonig please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libonig

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYBdNx+NLKJtyKPYoAQjA6Q//QjYc2z56YDGYsDxfZ5UqjK1FynzI1Rq2
znBZZIQ75LOZucNIXyx9Tbz4apx+5SgVQUIHY8m9LZ2ed+i6vdHrGbRQGXqA/8ni
u9WvZTDwoM3XrNaQ8ObNxV9CIfSLJ2KnihqdgGsZD6ZM+UdJPtdsOkD5wTCASJh+
D6wzGe73+ALo9OFLMrsejbyaL9UrrebmAwfPTtL3c4Yz9VRf8MvLR5toP8oncErw
TpeKBlImeBLtKUvDjYqisU+H+tyIP3PcC5oa/1IuEBOHaS/tupdCOWz1qy4/abZL
5aiPmxeNLpLtLDbmW1RFI9qp5O21biERFPbAifix9JRGL51aD38ZPb3Lbum/SFGj
VqIkZwWIZWznJ9p8lWZGxPt/Le9NGiIugFNeOamUU2FAW2vKM6H94X1nt0Ic2Mxc
ZYlZ1Se8QRrgYVnFjF/4/kbER9x5xP5SybJMy06L5RcjnIaBdID2mrYYPTZeDNSz
/PdNHkuOWKPnKDbJWQKPUH4BAkUlbMEGclRbTJtHA/5jiuCMgaCiS9SHxmtLL2vX
tvg++shttlUqSxZ4EBtPK2S4/A0P3VNnWnWNMyI0M1ChFDMdiyW3HZR/UPiVfVuk
8YUjpfhSFJza4L5RDeyj1fBtZDKldrq5BuZJvPD/jZsqGfyW5/qYFDDuFzeEC4Jd
wj7ja8UGBCU=
=Ayfr
-----END PGP SIGNATURE-----