Detections
Analytics

Alibaba Cloud Linux 3 : 0076: oniguruma (ALINUX3-SA-2024:0076)

critical Nessus Plugin ID 236383

Synopsis

The remote Alibaba Cloud Linux host is missing one or more security updates.

Description

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2024:0076 advisory.

 Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

 CVE-2019-13224:
 A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

 CVE-2019-16163:
 Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.

 CVE-2019-19012:
 An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression.

 CVE-2019-19203:
 An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string.
 This leads to a heap-based buffer over-read.

 CVE-2019-19204:
 An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20240076.xml

Plugin Details

Severity: Critical

ID: 236383

File Name: alinux3_sa_2024-0076.nasl

Version: 1.1

Type: local

Published: 5/14/2025

Updated: 5/14/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-19012

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:oniguruma-doc, cpe:/o:alibabacloud:alibaba_cloud_linux_3, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:oniguruma-debugsource, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:oniguruma-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:oniguruma, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:oniguruma-debuginfo

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Alibaba/release, Host/Alibaba/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/9/2024

Vulnerability Publication Date: 7/10/2019

Reference Information

CVE: CVE-2019-13224, CVE-2019-16163, CVE-2019-19012, CVE-2019-19203, CVE-2019-19204