Format: 1.8
Date: Wed, 04 Nov 2020 22:45:44 +0100
Source: libonig
Binary: libonig4 libonig4-dbg libonig-dev
Architecture: source
Version: 6.1.3-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Jörg Frings-Fürst <debian@jff-webhosting.net>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libonig-dev - regular expressions library — development files
 libonig4 - regular expressions library
 libonig4-dbg - regular expressions library — debugging symbols
Changes:
 libonig (6.1.3-2+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-13224: A use-after-free in onig_new_deluxe() in regext.c
     allows attackers to potentially cause information disclosure, denial of
     service, or possibly code execution by providing a crafted regular
     expression. The attacker provides a pair of a regex pattern and a string,
     with a multi-byte encoding that gets handled by onig_new_deluxe().
   * Fix CVE-2019-16163: Oniguruma allows Stack Exhaustion in regcomp.c
     because of recursion in regparse.c.
   * Fix CVE-2019-19012: An integer overflow in the search_in_range function
     in regexec.c in Oniguruma leads to an out-of-bounds read, in which the
     offset of this read is under the control of an attacker. (This only
     affects the 32-bit compiled version.) Remote attackers can cause a
     denial-of-service or information disclosure, or possibly have
     unspecified other impact, via a crafted regular expression.
   * Fix CVE-2019-19203: An issue was discovered in Oniguruma. In the
     function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is
     dereferenced without checking if it passed the end of the matched
     string. This leads to a heap-based buffer over-read.
   * Fix CVE-2019-19204: An issue was discovered in Oniguruma. In the
     function fetch_interval_quantifier (formerly known as
     fetch_range_quantifier) in regparse.c, PFETCH is called without checking
     PEND. This leads to a heap-based buffer over-read.
   * Fix CVE-2019-19246: Oniguruma has a heap-based buffer over-read in
     str_lower_case_match in regexec.c.
   * Fix CVE-2020-26159: In Oniguruma an attacker able to supply a regular
     expression for compilation may be able to overflow a buffer by one byte
     in concat_opt_exact_str in src/regcomp.c.
Checksums-Sha1:
 a018ca40d8b0877ed8298cae10943c1c70714c0b 2156 libonig_6.1.3-2+deb9u1.dsc
 b78481387254f50958eff0051f23e3ab8d605822 567006 libonig_6.1.3.orig.tar.gz
 441b57e5b47a9f31434553d95e53d21dce25775d 13384 libonig_6.1.3-2+deb9u1.debian.tar.xz
 d3121336aa13cc43a974b9afcdff1fab4aac111b 6548 libonig_6.1.3-2+deb9u1_amd64.buildinfo
Checksums-Sha256:
 e568e649b661e923b205a3ff5d97dc32454765a16713958a171db21b5c437938 2156 libonig_6.1.3-2+deb9u1.dsc
 27fec91c6ba8333c1cd508a4b26ed29c232415724c68a9268207b6c7a5e8c20b 567006 libonig_6.1.3.orig.tar.gz
 dce586039a3565450618861f953db92968354df96f651943d00077ae85ab94b3 13384 libonig_6.1.3-2+deb9u1.debian.tar.xz
 9bc2af026d4c765785cd39916a3ecf1f357793a83fefad77385ebd37d8fec950 6548 libonig_6.1.3-2+deb9u1_amd64.buildinfo
Files:
 eb03b5d2b1bffa7bf9672b025bb27c98 2156 libs extra libonig_6.1.3-2+deb9u1.dsc
 212ddd2be5a2455c206f8d72420f2c58 567006 libs extra libonig_6.1.3.orig.tar.gz
 f568b65c8b6f7b84f1af79c6ca615abb 13384 libs extra libonig_6.1.3-2+deb9u1.debian.tar.xz
 784ce3351a819accd91556ff7fcfc03a 6548 libs extra libonig_6.1.3-2+deb9u1_amd64.buildinfo