{"id":"UBUNTU-CVE-2019-13224","details":"A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.","modified":"2026-02-04T02:25:06.935234Z","published":"2019-07-10T00:00:00Z","related":["USN-4088-1"],"upstream":["CVE-2019-13224"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-13224"},{"type":"REPORT","url":"https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4088-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2019-13224"}],"affected":[{"package":{"name":"libonig","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/libonig@5.9.1-1ubuntu1.1+esm1?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.9.1-1ubuntu1.1+esm1"}]}],"versions":["5.9.1-1","5.9.1-1ubuntu1","5.9.1-1ubuntu1.1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.9.1-1ubuntu1.1+esm1","binary_name":"libonig-dev"},{"binary_version":"5.9.1-1ubuntu1.1+esm1","binary_name":"libonig2"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"php5","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/php5@5.5.9+dfsg-1ubuntu4.29+esm4?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.5.9+dfsg-1ubuntu4.29+esm4"}]}],"versions":["5.5.3+dfsg-1ubuntu2","5.5.3+dfsg-1ubuntu3","5.5.6+dfsg-1ubuntu1","5.5.6+dfsg-1ubuntu2","5.5.8+dfsg-2ubuntu1","5.5.9+dfsg-1ubuntu1","5.5.9+dfsg-1ubuntu2","5.5.9+dfsg-1ubuntu3","5.5.9+dfsg-1ubuntu4","5.5.9+dfsg-1ubuntu4.1","5.5.9+dfsg-1ubuntu4.2","5.5.9+dfsg-1ubuntu4.3","5.5.9+dfsg-1ubuntu4.4","5.5.9+dfsg-1ubuntu4.5","5.5.9+dfsg-1ubuntu4.6","5.5.9+dfsg-1ubuntu4.7","5.5.9+dfsg-1ubuntu4.9","5.5.9+dfsg-1ubuntu4.11","5.5.9+dfsg-1ubuntu4.12","5.5.9+dfsg-1ubuntu4.13","5.5.9+dfsg-1ubuntu4.14","5.5.9+dfsg-1ubuntu4.16","5.5.9+dfsg-1ubuntu4.17","5.5.9+dfsg-1ubuntu4.19","5.5.9+dfsg-1ubuntu4.20","5.5.9+dfsg-1ubuntu4.21","5.5.9+dfsg-1ubuntu4.22","5.5.9+dfsg-1ubuntu4.23","5.5.9+dfsg-1ubuntu4.24","5.5.9+dfsg-1ubuntu4.25","5.5.9+dfsg-1ubuntu4.26","5.5.9+dfsg-1ubuntu4.27","5.5.9+dfsg-1ubuntu4.29","5.5.9+dfsg-1ubuntu4.29+esm1","5.5.9+dfsg-1ubuntu4.29+esm2","5.5.9+dfsg-1ubuntu4.29+esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"libapache2-mod-php5"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"libapache2-mod-php5filter"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"libphp5-embed"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php-pear"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-cgi"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-cli"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-common"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-curl"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-dev"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-enchant"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-fpm"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-gd"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-gmp"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-intl"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-ldap"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-mysql"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-mysqlnd"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-odbc"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-pgsql"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-pspell"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-readline"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-recode"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-snmp"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-sqlite"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-sybase"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-tidy"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-xmlrpc"},{"binary_version":"5.5.9+dfsg-1ubuntu4.29+esm4","binary_name":"php5-xsl"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"groonga","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/groonga@6.0.1-1ubuntu1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.0.6.1-2ubuntu2","4.0.6.1-2ubuntu3","5.1.1-1ubuntu2","5.1.2-1ubuntu1","6.0.0-1ubuntu2","6.0.1-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"6.0.1-1ubuntu1","binary_name":"groonga"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"groonga-bin"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"groonga-examples"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"groonga-httpd"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"groonga-munin-plugins"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"groonga-plugin-suggest"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"groonga-server-common"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"groonga-server-gqtp"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"groonga-token-filter-stem"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"groonga-tokenizer-mecab"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"libgroonga-dev"},{"binary_version":"6.0.1-1ubuntu1","binary_name":"libgroonga0"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"libevhtp","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/libevhtp@1.2.11-1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.2.10-3","1.2.11-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.2.11-1","binary_name":"libevhtp-dev"},{"binary_version":"1.2.11-1","binary_name":"libevhtp0"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"libonig","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/libonig@5.9.6-1ubuntu0.1+esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.9.6-1ubuntu0.1+esm1"}]}],"versions":["5.9.6-1","5.9.6-1ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.9.6-1ubuntu0.1+esm1","binary_name":"libonig-dev"},{"binary_version":"5.9.6-1ubuntu0.1+esm1","binary_name":"libonig2"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"mudlet","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/mudlet@1:2.1-2build2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:2.1-2build1","1:2.1-2build2"],"ecosystem_specific":{"binaries":[{"binary_version":"1:2.1-2build2","binary_name":"mudlet"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"groonga","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/groonga@8.0.0-1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["7.0.6-1","7.0.8-1","7.0.9-1","7.1.0-1","7.1.1-1","7.1.1-1build1","8.0.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"8.0.0-1","binary_name":"groonga"},{"binary_version":"8.0.0-1","binary_name":"groonga-bin"},{"binary_version":"8.0.0-1","binary_name":"groonga-examples"},{"binary_version":"8.0.0-1","binary_name":"groonga-httpd"},{"binary_version":"8.0.0-1","binary_name":"groonga-munin-plugins"},{"binary_version":"8.0.0-1","binary_name":"groonga-plugin-suggest"},{"binary_version":"8.0.0-1","binary_name":"groonga-server-common"},{"binary_version":"8.0.0-1","binary_name":"groonga-server-gqtp"},{"binary_version":"8.0.0-1","binary_name":"groonga-token-filter-stem"},{"binary_version":"8.0.0-1","binary_name":"groonga-tokenizer-mecab"},{"binary_version":"8.0.0-1","binary_name":"libgroonga-dev"},{"binary_version":"8.0.0-1","binary_name":"libgroonga0"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"libonig","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/libonig@6.7.0-1ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.7.0-1ubuntu0.1~esm1"}]}],"versions":["6.5.0-1","6.6.1-1","6.7.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"6.7.0-1ubuntu0.1~esm1","binary_name":"libonig-dev"},{"binary_version":"6.7.0-1ubuntu0.1~esm1","binary_name":"libonig4"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"mudlet","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/mudlet@1:3.7.1-1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:3.2.0-1build1","1:3.5.0-1","1:3.7.1-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:3.7.1-1","binary_name":"mudlet"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"libonig","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/libonig@6.9.2-1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.9.2-1"}]}],"ecosystem_specific":{"binaries":[{"binary_version":"6.9.2-1","binary_name":"libonig-dev"},{"binary_version":"6.9.2-1","binary_name":"libonig5"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"groonga","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/groonga@9.1.2-1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.0.7-1","9.0.7-1build1","9.0.8-1","9.0.9-1","9.1.0-1","9.1.1-1","9.1.2-1"],"ecosystem_specific":{"binaries":[{"binary_version":"9.1.2-1","binary_name":"groonga"},{"binary_version":"9.1.2-1","binary_name":"groonga-bin"},{"binary_version":"9.1.2-1","binary_name":"groonga-examples"},{"binary_version":"9.1.2-1","binary_name":"groonga-httpd"},{"binary_version":"9.1.2-1","binary_name":"groonga-munin-plugins"},{"binary_version":"9.1.2-1","binary_name":"groonga-plugin-suggest"},{"binary_version":"9.1.2-1","binary_name":"groonga-server-common"},{"binary_version":"9.1.2-1","binary_name":"groonga-server-gqtp"},{"binary_version":"9.1.2-1","binary_name":"groonga-token-filter-stem"},{"binary_version":"9.1.2-1","binary_name":"groonga-tokenizer-mecab"},{"binary_version":"9.1.2-1","binary_name":"libgroonga-dev"},{"binary_version":"9.1.2-1","binary_name":"libgroonga0"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"mudlet","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/mudlet@1:3.7.1-1.1build1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1:3.7.1-1.1","1:3.7.1-1.1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"1:3.7.1-1.1build1","binary_name":"mudlet"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"groonga","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/groonga@12.0.0-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["11.0.0-2","11.0.7-1","11.0.9-1","11.0.9-1build1","11.1.0-1","11.1.1-1","12.0.0-1"],"ecosystem_specific":{"binaries":[{"binary_version":"12.0.0-1","binary_name":"groonga"},{"binary_version":"12.0.0-1","binary_name":"groonga-bin"},{"binary_version":"12.0.0-1","binary_name":"groonga-examples"},{"binary_version":"12.0.0-1","binary_name":"groonga-httpd"},{"binary_version":"12.0.0-1","binary_name":"groonga-munin-plugins"},{"binary_version":"12.0.0-1","binary_name":"groonga-plugin-suggest"},{"binary_version":"12.0.0-1","binary_name":"groonga-server-common"},{"binary_version":"12.0.0-1","binary_name":"groonga-server-gqtp"},{"binary_version":"12.0.0-1","binary_name":"groonga-token-filter-stem"},{"binary_version":"12.0.0-1","binary_name":"groonga-tokenizer-mecab"},{"binary_version":"12.0.0-1","binary_name":"libgroonga-dev"},{"binary_version":"12.0.0-1","binary_name":"libgroonga0"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"groonga","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/groonga@13.1.1+dfsg-1.1build2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["13.0.1+dfsg-1","13.0.8+dfsg-1","13.0.9+dfsg-1","13.1.1+dfsg-1","13.1.1+dfsg-1.1","13.1.1+dfsg-1.1build2"],"ecosystem_specific":{"binaries":[{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"groonga"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"groonga-bin"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"groonga-examples"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"groonga-munin-plugins"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"groonga-plugin-suggest"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"groonga-server-common"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"groonga-server-gqtp"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"groonga-server-http"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"groonga-token-filter-stem"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"groonga-tokenizer-mecab"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"libgroonga-dev"},{"binary_version":"13.1.1+dfsg-1.1build2","binary_name":"libgroonga0t64"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}},{"package":{"name":"groonga","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/groonga@15.1.5+dfsg-2?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["14.1.0+dfsg-3","15.0.4+dfsg-1","15.0.4+dfsg-2","15.1.5+dfsg-2"],"ecosystem_specific":{"binaries":[{"binary_version":"15.1.5+dfsg-2","binary_name":"groonga"},{"binary_version":"15.1.5+dfsg-2","binary_name":"groonga-bin"},{"binary_version":"15.1.5+dfsg-2","binary_name":"groonga-examples"},{"binary_version":"15.1.5+dfsg-2","binary_name":"groonga-munin-plugins"},{"binary_version":"15.1.5+dfsg-2","binary_name":"groonga-plugin-suggest"},{"binary_version":"15.1.5+dfsg-2","binary_name":"groonga-server-common"},{"binary_version":"15.1.5+dfsg-2","binary_name":"groonga-server-gqtp"},{"binary_version":"15.1.5+dfsg-2","binary_name":"groonga-server-http"},{"binary_version":"15.1.5+dfsg-2","binary_name":"groonga-token-filter-stem"},{"binary_version":"15.1.5+dfsg-2","binary_name":"groonga-tokenizer-mecab"},{"binary_version":"15.1.5+dfsg-2","binary_name":"libgroonga-dev"},{"binary_version":"15.1.5+dfsg-2","binary_name":"libgroonga0t64"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-13224.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}