Oniguruma (PHP and Ruby) security issues

  • Done
  • quality assurance status badge
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Leo Famulari
Severity
normal
L
L
Leo Famulari wrote on 6 Aug 2017 22:29
(address . bug-guix@gnu.org)
20170806202933.GA21954@jasmine.lan
Recently several serious bugs were fixed in Oniguruma,
CVE-2017-{9224,9225,9226,9227,9228,9229}:


I'm not sure exactly which Oniguruma release fixed the bugs.

Ruby includes vulnerable code from Oniguruma. I didn't see any fixes in
the Ruby Git repo.

I tried building PHP with Oniguruma 6.4.0 or 6.5.0 but the PHP test
suite fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #72994 (mbc_to_code() out of bounds read) [ext/mbstring/tests/bug72994.phpt]
Test mb_ereg_replace() function : usage variations - <type here specifics of this variation> [ext/mbstring/tests/mb_ereg_replace_variation1.phpt]
Test mb_ereg() function : usage variations - pass different character classes to see they match correctly [ext/mbstring/tests/mb_ereg_variation3.phpt]
=====================================================================

I tried using the bundled Oniguruma, which includes the fixes, and it
fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #60120 proc_open hangs with stdin/out with 2048+ bytes [ext/standard/tests/streams/proc_open_bug60120.phpt]
=====================================================================
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmHfCoACgkQJkb6MLrK
fwhX5Q/7B9UUCPVzQ6B5R7p4wWnkm1/q3PnBeA2yVxLRpUTskXjmft3mKjf5P8GA
KXvGWRI99AgFPGk6ZQ0wNcbNewADrQJbANrWAPMgyQq/cLutbv4zjHyd3LR6vh6p
l6jgbyqw3jIl9jxPPt6/tkB3TcGvfZQHyWzMtTOWNzUBesAWu16Q2VeFVN20GSmI
DJCkkzfThxzAl5QRXij6rU0vlQSdskS52oVCaoiyIX7K8hqFer0ATFMVJEbZ4udx
nq3bf2OTZijJpOVugEkv8RW2kNa77+blz6LqoLjCondWxdzoAmHwsWtTyADnAtv+
EqAXbmr72i/XkkIUISG/XlTyQ4w2IpHglq34Fk6OLD+awvo8/NMeNR4sRY6W52AQ
2gRY5ke+RpbwEYJnWCNWyakmp/S7FMqDg/1LrgU8bK+SlAnjUryS37AL1XWxSoRz
cp+KEAZglgKRl+o0amT5/w7s/aoQMaV2SB8BAi9ubQnar/WkDSzz9ePxEAMUHHsk
NMuCdcBAXLLpn0OKvyMFZl7by0fHqZp7OdTpYsbgHbnTvJIOqb9vons5q+MBsU3D
70+cRDXMuffTTEB0rDoas3eQwuJOzQS03OJK4ZGT6O1BLjtbdYntt9jh3Dpv1xUZ
MvI+yy1M6DnP+Xi28NZlfcK+JG8NQSDvty99MVCCPKb895sKnMw=
=NSuc
-----END PGP SIGNATURE-----


L
L
Ludovic Courtès wrote on 8 Sep 2017 10:33
control message for bug #27993
(address . control@debbugs.gnu.org)
87lglpk2t6.fsf@gnu.org
tags 27993 security
L
L
Leo Famulari wrote on 26 Feb 2019 03:08
Re: Oniguruma (PHP and Ruby) security issues
(address . 27993-done@debbugs.gnu.org)
20190226020828.GA26247@jasmine.lan
On Sun, Aug 06, 2017 at 04:29:33PM -0400, Leo Famulari wrote:
Toggle quote (3 lines)
> Recently several serious bugs were fixed in Oniguruma,
> CVE-2017-{9224,9225,9226,9227,9228,9229}:

[...]

Toggle quote (2 lines)
> I'm not sure exactly which Oniguruma release fixed the bugs.

I'm still not sure, but our PHP package is using the latest Oniguruma,
and a lot of time has passed since this bug was opened. Closing...
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlx0n5wACgkQJkb6MLrK
fwjKFxAAkuMQQl0Bz5ln6DUwBrc4uBVz7jGQ1W4JIWuVmen0h+th1EXzb/6ys88W
vVsFkLGGCG7UNS/z9d5WI+NE4WYvRoUjfWrZQQvzUlvWixGyQ2Wqt7Cyw0zhi0Df
S/zFxs0d3fRWci5I0ibwDjzt5UQb1D5V3/xJdz4NlS+dAYOzE9pd7Fc5KJiMyb/+
4xnVdB3F9Hf6lmf6yKvQLJO8FsHUyCSUSGJktNXJnTb8dOWlcv3fTxQYqoDhOwP6
q53+Ro9+R0DShrx5UQ0XbIH/REWH2H1UIwOj6+r0ZmH9/s0CUrMu+I5G4Q10O2zT
GZXFu9zVW04QB1Nif4YQVOmRsXc8dsNYnLmP5U2XRy1hJbDNwz/lKSwps3LxVs0c
IBemIZpSc7c8jAOkVWmbhmKYeUqRX7V447Ml9CfYvHMZ2ObcBlfIE43RB7EZ5NoE
aqHuYWRh5h6RdvlA0zvUvhpwjiLPdOgD4UkBGI8ydNN/sGXwZvYcnkyXBOv02PA6
QFCnILimMXeRF0DJC1xWpHHABXytDj2Vpi24QZlpOaXS5ZGyGEeSsq8nYvGbouqX
vITmOeASVCYPYCbruWgajbjYqwEjM72Lxv8GaBXrSRAGDxLS6EWGLnhgg8SwNy+l
pIPvJpoKdrf+9CRW3GX95JEIUTmNX2CcTtLU56R/Ch4HKWrLLH0=
=NuR+
-----END PGP SIGNATURE-----


Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 27993@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 27993
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch