DEBIAN-CVE-2017-9228
- Source
- https://security-tracker.debian.org/tracker/CVE-2017-9228
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2017-9228.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2017-9228
- Upstream
- Published
- 2017-05-24T15:29:00Z
- Modified
- 2025-09-30T03:54:33Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitsetsetrange() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parsecharclass() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.
- References
Affected packages
Debian:11 / libonig
Package
- Name
- libonig
- Purl
- pkg:deb/debian/libonig?arch=source
Debian:12 / libonig
Package
- Name
- libonig
- Purl
- pkg:deb/debian/libonig?arch=source
Debian:13 / libonig
Package
- Name
- libonig
- Purl
- pkg:deb/debian/libonig?arch=source
Debian:14 / libonig
Package
- Name
- libonig
- Purl
- pkg:deb/debian/libonig?arch=source