PT-2017-2619 · Oniguruma+3 · Oniguruma+3

Lxxxxfdho

·

Published

2017-05-23

·

Updated

2022-07-20

·

CVE-2017-9228

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Oniguruma versions 6.2.0
Description The issue is caused by an incorrect state transition in the parse char class() function, leading to the possibility of using an uninitialized variable when writing to a buffer. This can result in a heap out-of-bounds write in the bitset set range() function during regular expression compilation, causing memory corruption. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.
Recommendations For Oniguruma version 6.2.0, consider updating to a newer version that contains a fix for this issue, as the current version is affected by the incorrect state transition in parse char class() and the subsequent out-of-bounds write in bitset set range(). At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

ALT-PU-2017-1820
ALT-PU-2017-1822
ALT-PU-2017-1855
BDU:2017-01838
BDU:2017-01839
CVE-2017-9228
DLA-958-1
MGASA-2017-0246
RHSA-2018:1296
SUSE-SU-2017:3237-1
SUSE-SU-2017:3277-1
SUSE-SU-2018:0003-1
SUSE-SU-2020:1570-1
SUSE-SU-2020_1570-1
USN-3382-1
USN-3382-2

Affected Products

Alt Linux
Oniguruma
Suse
Ubuntu