PublicDateAtUSN: 2018-11-12 15:29:00 UTC
Candidate: CVE-2018-19199
PublicDate: 2018-11-12 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19199
 https://github.com/uriparser/uriparser/commit/f76275d4a91b28d687250525d3a0c5509bbd666f
 https://github.com/uriparser/uriparser/blob/uriparser-0.9.0/ChangeLog
 https://ubuntu.com/security/notices/USN-5172-1
Description:
 An issue was discovered in uriparser before 0.9.0. UriQuery.c allows an
 integer overflow via a uriComposeQuery* or uriComposeQueryEx* function
 because of an unchecked multiplication.
Ubuntu-Description:
 It was discovered that uriparser mishandled certain input. An attacker
 could use this vulnerability to cause uriparser to crash or possibly
 execute arbitrary code.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_uriparser:
upstream_uriparser: released (0.9.0-1)
precise/esm_uriparser: DNE
trusty_uriparser: ignored (out of standard support)
trusty/esm_uriparser: needed
xenial_uriparser: ignored (end of standard support, was needed)
bionic_uriparser: released (0.8.4-1+deb9u2build0.18.04.1)
cosmic_uriparser: ignored (reached end-of-life)
disco_uriparser: released (0.9.0-1)
eoan_uriparser: not-affected (0.9.3-2)
focal_uriparser: not-affected (0.9.3-2)
groovy_uriparser: not-affected (0.9.3-2)
hirsute_uriparser: not-affected (0.9.3-2)
impish_uriparser: not-affected (0.9.3-2)
jammy_uriparser: not-affected (0.9.3-2)
devel_uriparser: not-affected (0.9.3-2)