Oniguruma (PHP and Ruby) security issues

Status: Done
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner: unassigned
Submitted by: Leo Famulari
Severity: normal
Leo Famulari wrote on 6 Aug 2017 22:29
(address . bug-guix@gnu.org)
20170806202933.GA21954@jasmine.lan
Recently several serious bugs were fixed in Oniguruma,
CVE-2017-{9224,9225,9226,9227,9228,9229}:


I'm not sure exactly which Oniguruma release fixed the bugs.

Ruby includes vulnerable code from Oniguruma. I didn't see any fixes in
the Ruby Git repo.

I tried building PHP with Oniguruma 6.4.0 or 6.5.0 but the PHP test
suite fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #72994 (mbc_to_code() out of bounds read) [ext/mbstring/tests/bug72994.phpt]
Test mb_ereg_replace() function : usage variations - <type here specifics of this variation> [ext/mbstring/tests/mb_ereg_replace_variation1.phpt]
Test mb_ereg() function : usage variations - pass different character classes to see they match correctly [ext/mbstring/tests/mb_ereg_variation3.phpt]
=====================================================================

I tried using the bundled Oniguruma, which includes the fixes, and it
fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #60120 proc_open hangs with stdin/out with 2048+ bytes [ext/standard/tests/streams/proc_open_bug60120.phpt]
=====================================================================


Ludovic Courtès wrote on 8 Sep 2017 10:33
control message for bug #27993
(address . control@debbugs.gnu.org)
87lglpk2t6.fsf@gnu.org
tags 27993 security
Leo Famulari wrote on 26 Feb 2019 03:08
Re: Oniguruma (PHP and Ruby) security issues
(address . 27993-done@debbugs.gnu.org)
20190226020828.GA26247@jasmine.lan
On Sun, Aug 06, 2017 at 04:29:33PM -0400, Leo Famulari wrote:
> Recently several serious bugs were fixed in Oniguruma,
> CVE-2017-{9224,9225,9226,9227,9228,9229}:

[...]

> I'm not sure exactly which Oniguruma release fixed the bugs.

I'm still not sure, but our PHP package is using the latest Oniguruma,
and a lot of time has passed since this bug was opened. Closing...


Closed