A use-after-free in onig_new_deluxe() in regext.c allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe().
For Debian 7 Wheezy, these problems have been fixed in version 5.9.1-1+deb7u2.
We recommend that you upgrade your libonig packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.