Bug 1443435 (CVE-2017-6181)

Summary: CVE-2017-6181 ruby: Stack overflow in parse_char_class() in Onigmo
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bkearney, cbillett, ccoleman, cpelland, dajohnso, dclarizi, dedgar, dkholia, dmcphers, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jfrey, jgoulding, jhardy, joelsmith, jorton, jprause, kseifried, mmorsi, mtasaka, obarenbo, roliveri, ruby-maint, simaishi, s, strzibny, tomckay, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An unbounded recursion flaw was found in the way Ruby handled regular expressions. A specially crafted regular expression could be used by an attacker to crash an Ruby application processing such crafted input.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-16 08:28:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1443436    

Description Adam Mariš 2017-04-19 09:17:00 UTC 
The parse_char_class function in regparse.c in the Onigmo (aka
Oniguruma-mod) regular expression library, as used in Ruby 2.4.0,
allows remote attackers to cause a denial of service (deep recursion
and application crash) via a crafted regular expression.

Upstream issue:

https://bugs.ruby-lang.org/issues/13234

Upstream patch:

https://github.com/ruby/ruby/commit/ea940cc4dcff8d6c3
Comment 1 Mamoru TASAKA 2017-04-20 02:36:43 UTC 
This also affects oniguruma:
https://github.com/kkos/oniguruma/commit/9c85daa6b400157ee5b2be2cf5be87a031e4fd49#diff-d62ce585dc91a8f833f07e586f874814
Comment 2 Mamoru TASAKA 2017-04-20 04:23:13 UTC 
(In reply to Mamoru TASAKA from comment #1)
> This also affects oniguruma:
> https://github.com/kkos/oniguruma/commit/
> 9c85daa6b400157ee5b2be2cf5be87a031e4fd49#diff-
> d62ce585dc91a8f833f07e586f874814

The affected code was introduced by this;
https://github.com/kkos/oniguruma/commit/6b68ebe8360adefe45be94ed0dbf13a9aa9023ef

So does not affect on origuruma 6.1.3, 5.9.2. All versions of oniguruma shipped on Fedora are not affected by this.
Comment 4 Dhiru Kholia 2017-05-16 08:24:47 UTC 
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.