A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
| Link | Tags |
|---|---|
| https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55 | third party advisory patch |
| https://lists.debian.org/debian-lts-announce/2019/07/msg00013.html | third party advisory mailing list |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/ | vendor advisory |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWCPDTZOIUKGMFAD5NAKUB7FPJFAIQN5/ | vendor advisory |
| https://usn.ubuntu.com/4088-1/ | third party advisory vendor advisory |
| https://support.f5.com/csp/article/K00103182 | third party advisory |
| https://support.f5.com/csp/article/K00103182?utm_source=f5support&%3Butm_medium=RSS | |
| https://security.gentoo.org/glsa/201911-03 | third party advisory vendor advisory |