Bug 1466733 (CVE-2017-9225)

Summary: CVE-2017-9225 oniguruma: Out-of-bounds stack write in onigenc_unicode_get_case_fold_codes_by_str() during regular expression compilation
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, bkearney, cbillett, ccoleman, cpelland, dajohnso, dedgar, dmcphers, fedora, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jgoulding, jhardy, jorton, jprause, ktdreyer, mtasaka, no1youknowz, rcollet, roliveri, ruby-maint, simaishi, s, strzibny, tiwillia, tomckay, vanmeeuwen+fedora, vondruch, yozone
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: oniguruma 6.3.0
Doc Type: If docs needed, set a value
Last Closed: 2021-10-21 11:54:08 UTC
Bug Depends On: 1466749, 1466750, 1466751, 1466752, 1466753
Bug Blocks: 1466748

Description Adam Mariš 2017-06-30 10:56:10 UTC
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str()
occurs during regular expression compilation. Code point 0xFFFFFFFF is
not properly handled in unicode_unfold_key(). A malformed regular
expression could result in 4 bytes being written off the end of a stack
buffer of expand_case_fold_string() during the call to
onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer
overflow.
Upstream bug:

https://github.com/kkos/oniguruma/issues/56

Upstream patch:

https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f

Comment 1 Adam Mariš 2017-06-30 11:33:55 UTC
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1466750]
Affects: fedora-all [bug 1466752]

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1466751]

Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1466749]

Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1466753]

Comment 2 Doran Moppert 2017-07-31 03:40:35 UTC
This flaw was introduced upstream in commit https://github.com/kkos/oniguruma/commit/d8366441 (2016-04-16, post v5.9.6).

Previously, the functionality of unicode_unfold_key() was provided by a simple hash table (st.c) and was not prone to such overflows.

Comment 4 Vít Ondruch 2017-09-06 13:42:33 UTC
Ruby is not vulnerable according to Ruby upstream:

~~~
> CVE-2017-9225 https://github.com/kkos/oniguruma/issues/56

not affected.

% ruby <<'END'
str = "\x3f\xff\x63\x7f\xff\xff\xff\xff\x4d\x22\x00\x00".force_encoding('UTF-32BE')
Regexp.new(str)
END
Traceback (most recent call last):
        2: from -:2:in `<main>'
        1: from -:2:in `new'
-:2:in `initialize': invalid multibyte character:
/\x3F\u{FF637FFF}\u{FFFFFF4D}\x22\x00\x00/ (RegexpError)
~~~
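As an added example (not part of the bug report, nor code from Oniguruma, Ruby or PHP upstream), the following Ruby scans a UTF-32BE pattern for code units that are not Unicode scalar values before the pattern reaches the regex compiler, and reports the 0xFFFFFFFF unit in the Comment 4 reproducer bytes. The function names, the reason symbols and the transcode-to-UTF-8 step before Regexp.new are this example's own choices, not an upstream API.

```ruby
# Unicode scalar values are 0..0x10FFFF excluding the UTF-16 surrogate range.
# The CVE-2017-9225 trigger is a 0xFFFFFFFF code unit, which fails the range check.
UNICODE_MAX = 0x10FFFF
SURROGATES = 0xD800..0xDFFF

# Returns [[byte_offset, code_unit, reason], ...] for every invalid code unit
# in a UTF-32BE byte string; an empty array means the pattern is well formed.
def invalid_utf32be_code_units(bytes)
  bytes = bytes.b # treat the input as raw bytes whatever encoding it is tagged with
  problems = []
  tail = bytes.bytesize % 4
  problems << [bytes.bytesize - tail, nil, :truncated_code_unit] if tail != 0
  # 'N' unpacks 32-bit big-endian unsigned integers, i.e. UTF-32BE code units.
  bytes.unpack('N*').each_with_index do |cu, i|
    if cu > UNICODE_MAX
      problems << [i * 4, cu, :above_unicode_max]
    elsif SURROGATES.cover?(cu)
      problems << [i * 4, cu, :surrogate]
    end
  end
  problems
end

# Compile the pattern only if it validated. The regex engine then receives
# UTF-8, so no out-of-range code unit ever reaches its case-fold lookup.
# Returns [regexp, []] on success or [nil, problems] when validation fails.
def compile_utf32be_pattern(bytes)
  problems = invalid_utf32be_code_units(bytes)
  return [nil, problems] unless problems.empty?
  utf8 = bytes.b.force_encoding('UTF-32BE').encode('UTF-8')
  [Regexp.new(utf8), []]
end

# Constructed sample: the reproducer bytes quoted in Comment 4 above.
SAMPLE = "\x3f\xff\x63\x7f\xff\xff\xff\xff\x4d\x22\x00\x00".b

if __FILE__ == $PROGRAM_NAME
  invalid_utf32be_code_units(SAMPLE).each do |offset, cu, reason|
    printf("offset %2d: 0x%08X %s\n", offset, cu.to_i, reason)
  end
end
```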