Oniguruma (PHP and Ruby) security issues

Status: Done. Submitted by Leo Famulari.
Participants: Leo Famulari, Ludovic Courtès
Owner: unassigned
Severity: normal
Leo Famulari wrote on 6 Aug 2017 22:29
(address . bug-guix@gnu.org)
20170806202933.GA21954@jasmine.lan
Recently several serious bugs were fixed in Oniguruma, CVE-2017-{9224,9225,9226,9227,9228,9229}:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=oniguruma
https://github.com/kkos/oniguruma#fixed-security-issues
I'm not sure exactly which Oniguruma release fixed the bugs.
Ruby includes vulnerable code from Oniguruma. I didn't see any fixes in the Ruby Git repo.
I tried building PHP with Oniguruma 6.4.0 or 6.5.0 but the PHP test suite fails like this:
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #72994 (mbc_to_code() out of bounds read) [ext/mbstring/tests/bug72994.phpt]
Test mb_ereg_replace() function : usage variations - <type here specifics of this variation> [ext/mbstring/tests/mb_ereg_replace_variation1.phpt]
Test mb_ereg() function : usage variations - pass different character classes to see they match correctly [ext/mbstring/tests/mb_ereg_variation3.phpt]
=====================================================================
I tried using the bundled Oniguruma, which includes the fixes, and it fails like this:
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #60120 proc_open hangs with stdin/out with 2048+ bytes [ext/standard/tests/streams/proc_open_bug60120.phpt]
=====================================================================

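The report above notes that it is unclear which Oniguruma release contains the CVE-2017-9224..9229 fixes, and that PHP may be built against either a system Oniguruma or the copy bundled with PHP. The following POSIX shell script is an added example (it is not from this bug report, from Guix, PHP, Ruby or Oniguruma); it reports which Oniguruma version a build host exposes through `pkg-config` or `onig-config` and compares it, field by field, against a minimum the caller supplies. The minimum version is an assumption left to the caller, to be taken from the upstream fixed-security-issues list; `ONIG_MIN` and the helper names are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any project it mentions.
# Reports the Oniguruma version a build host exposes and checks it against
# a caller-chosen minimum. The report does not say which release fixed
# CVE-2017-9224..9229, so ONIG_MIN is an assumption: set it from the
# upstream "fixed security issues" list before trusting the result.

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Fields are compared numerically, so 6.10.0 > 6.9.0; missing trailing
# fields count as 0 (6.3 == 6.3.0). Pre-release suffixes such as "-rc1"
# are not handled and would make the numeric test fail loudly.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# onig_version: print the installed Oniguruma version, preferring the
# pkg-config module (oniguruma.pc) and falling back to onig-config.
# Fails (exit 1) when neither tool reports a library.
onig_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists oniguruma; then
        pkg-config --modversion oniguruma
    elif command -v onig-config >/dev/null 2>&1; then
        onig-config --version
    else
        return 1
    fi
}

# check_onig MIN: exit 0 if the installed library is at least MIN,
# 1 if it is older, 2 if no library could be found. Note that this
# only inspects the system library; a PHP built with its bundled
# Oniguruma, as in the report above, must be checked separately.
check_onig() {
    v=$(onig_version) || {
        echo "Oniguruma not found via pkg-config or onig-config" >&2
        return 2
    }
    if version_ge "$v" "$1"; then
        echo "Oniguruma $v >= $1: ok"
    else
        echo "Oniguruma $v < $1: older than the assumed fixed release" >&2
        return 1
    fi
}

# Usage: sh onig-check.sh 6.3.0   (the minimum is the caller's assumption)
case "${1:-}" in
    "") ;;
    *)  ONIG_MIN=$1; check_onig "$ONIG_MIN" ;;
esac
```

Run it with the minimum version you have verified upstream as the first argument; with no argument it only defines the functions, so it can be sourced from another script. The exit status distinguishes "too old" from "not installed", which matters on a build host where PHP might silently fall back to its bundled copy.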
Ludovic Courtès wrote on 8 Sep 2017 10:33
control message for bug #27993
(address . control@debbugs.gnu.org)
87lglpk2t6.fsf@gnu.org
tags 27993 security
Leo Famulari wrote on 26 Feb 2019 03:08
Re: Oniguruma (PHP and Ruby) security issues
(address . 27993-done@debbugs.gnu.org)
20190226020828.GA26247@jasmine.lan
On Sun, Aug 06, 2017 at 04:29:33PM -0400, Leo Famulari wrote:
> Recently several serious bugs were fixed in Oniguruma,
> CVE-2017-{9224,9225,9226,9227,9228,9229}:
[...]
> I'm not sure exactly which Oniguruma release fixed the bugs.
I'm still not sure, but our PHP package is using the latest Oniguruma, and a lot of time has passed since this bug was opened. Closing...
