Sec Bug #78380 Oniguruma 6.9.3 fixes CVEs
Submitted: 2019-08-06 09:46 UTC Modified: 2019-08-26 02:52 UTC
From: Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 7.1.31 OS: *
Private report: No CVE-ID: None
 [2019-08-06 09:46 UTC]
The new Oniguruma 6.9.3 fixes two CVEs[1].  These fixes might need
to be backported into our bundled oniguruma.

[1] <>


 [2019-08-06 18:58 UTC]
Since these fixes are already public, I think we can merge them immediately. I'll look into it this week if nobody beats me to it.
 [2019-08-21 00:49 UTC]
-Assigned To: +Assigned To: stas
 [2019-08-25 06:29 UTC]
CVE-2019-13225 seems to not be present in the version of oniguruma lib we have up to 7.3 - at least I can't find the code that the patch fixes. 
Will merge fix for CVE-2019-13224.
 [2019-08-25 06:30 UTC]
I also wonder if we shouldn't bump oniguruma versions for 7.2 and 7.3 - there seem to be more fixes than that?
 [2019-08-26 02:52 UTC]
-Status: Assigned +Status: Closed
 [2019-08-26 02:52 UTC]
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from and re-test.
Thank you for the report, and for helping us make PHP better.

Last updated: Sun Jul 14 04:01:30 2024 UTC