CVE-2019-19012
📋 TL;DR
An integer overflow vulnerability in Oniguruma's regexec.c allows attackers to trigger an out-of-bounds read via crafted regular expressions. This affects 32-bit compiled versions of Oniguruma 6.x before 6.9.4_rc2, potentially leading to denial-of-service, information disclosure, or other impacts. Applications using vulnerable Oniguruma libraries for regular expression processing are at risk.
💻 Affected Systems
- Oniguruma
- Software using Oniguruma library (e.g., PHP, Ruby, some text editors)
📦 What is this software?
Fedora by Fedoraproject
Oniguruma by Oniguruma Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, though this requires specific memory layout conditions beyond just the out-of-bounds read.
Likely Case
Denial-of-service through application crashes or information disclosure via memory leaks from the out-of-bounds read.
If Mitigated
Limited impact if proper input validation and sandboxing prevent malicious regex processing.
🎯 Exploit Status
Exploitation requires crafting specific regular expressions; public proof-of-concept exists in GitHub references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.9.4_rc2 and later
Vendor Advisory: https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
Restart Required: Yes
Instructions:
1. Update Oniguruma to version 6.9.4_rc2 or later.
2. Recompile any applications using Oniguruma with the updated library.
3. Restart affected services.
🔧 Temporary Workarounds
Input Validation for Regex Patterns
Validate and sanitize regular expression inputs to prevent malicious patterns from being processed.
Use 64-bit Compilation
Compile Oniguruma and dependent applications in 64-bit mode, as the vulnerability only affects 32-bit versions.
🧯 If You Can't Patch
- Isolate systems using Oniguruma behind firewalls to limit exposure.
- Implement strict input validation to block crafted regular expressions from reaching vulnerable code.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Oniguruma version is below 6.9.4_rc2 and whether the library is compiled for a 32-bit architecture.
Check Version:
onig-config --version (if installed) or check library files directly.
Verify Fix Applied:
Verify Oniguruma version is 6.9.4_rc2 or later and applications are recompiled with the updated library.
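A POSIX shell check for the two conditions above (version below 6.9.4_rc2 and a 32-bit build), added here as an example and not part of the advisory or the Oniguruma project. It assumes version strings in the upstream tag format (6.9.3, 6.9.4_rc1, 6.9.4, optional leading "v") and, in onig_check_host, that the host's `getconf LONG_BIT` reflects the library's ABI.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an Oniguruma
# version/bitness pair is in the CVE-2019-19012 affected range, i.e. a
# 32-bit build of 6.x earlier than 6.9.4_rc2. Version strings follow the
# upstream tag format: 6.9.3, 6.9.4_rc1, 6.9.4_rc2, 6.9.4 (leading "v" ok).

# Map a version to one comparable integer: major, minor, patch, rc.
# A final release sorts after every rc of the same patch level (rc=999).
onig_version_key() {
    ver="${1#v}"
    base="${ver%%_rc*}"
    case "$ver" in
        *_rc*) rc="${ver##*_rc}" ;;
        *)     rc=999 ;;
    esac
    major="${base%%.*}"; rest="${base#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    [ "$patch" != "$rest" ] || patch=0      # "6.9" has no patch field
    printf '%d%02d%02d%03d\n' "$major" "$minor" "$patch" "$rc"
}

# Exit status 0 (true) when VERSION built for BITS-bit targets is affected.
onig_is_vulnerable() {
    case "${1#v}" in 6.*) ;; *) return 1 ;; esac   # only 6.x is listed
    [ "$2" = "32" ] || return 1                    # 64-bit builds are not
    [ "$(onig_version_key "$1")" -lt "$(onig_version_key 6.9.4_rc2)" ]
}

# Host check: version from onig-config (named in the advisory); the
# bitness is assumed to match the userland ABI reported by getconf,
# which is an approximation: a 32-bit libonig on a 64-bit host needs
# `file` run on the library itself.
onig_check_host() {
    command -v onig-config >/dev/null 2>&1 || { echo "onig-config not found"; return 2; }
    ver="$(onig-config --version)"
    bits="$(getconf LONG_BIT)"
    if onig_is_vulnerable "$ver" "$bits"; then
        echo "Oniguruma $ver ($bits-bit): affected by CVE-2019-19012"
        return 0
    fi
    echo "Oniguruma $ver ($bits-bit): not in the affected range"
    return 1
}
```

Run `onig_check_host` on the target machine; its exit status (0 affected, 1 not affected, 2 no onig-config) is usable from inventory scripts.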
📡 Detection & Monitoring
Log Indicators:
- Application crashes or abnormal termination logs related to regex processing
- High memory usage or segmentation faults in logs
Network Indicators:
- Unusual patterns of regex submissions to applications
SIEM Query:
search for ('segmentation fault' OR 'crash') AND ('regex' OR 'oniguruma') in application logs
🔗 References
- https://github.com/kkos/oniguruma/issues/164
- https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
- https://github.com/tarantula-team/CVE-2019-19012
- https://lists.debian.org/debian-lts-announce/2019/12/msg00002.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3MBNW6Z4DOXSCNWGBLQ7OA3OGUJ44WL/
- https://usn.ubuntu.com/4460-1/