ELA-143-1 libonig security update

use-after-free

2019-07-17
Packagelibonig
Version5.9.1-1+deb7u2
Related CVEs CVE-2019-13224


A use-after-free in onig_new_deluxe() in regext.c allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe().



For Debian 7 Wheezy, these problems have been fixed in version 5.9.1-1+deb7u2.

We recommend that you upgrade your libonig packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.