| Package | libonig |
|---|---|
| Version | 5.9.1-1+deb7u2 |
| Related CVEs | CVE-2019-13224 |
A use-after-free in onig_new_deluxe() in regext.c allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe().
For Debian 7 Wheezy, these problems have been fixed in version 5.9.1-1+deb7u2.
We recommend that you upgrade your libonig packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.