Bug 1728965 (CVE-2019-13225)

Summary: CVE-2019-13225 oniguruma: NULL pointer dereference in match_at() in regexec.c
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, alegrand, anpicker, bleanhar, bmontgom, ccoleman, dbecker, dedgar, eparis, erooth, hhorak, jburrell, jgoulding, jjoyce, jkucera, jokerman, jorton, jschluet, kakkoyun, ktdreyer, lcosic, lhh, lpeer, mburns, mchappel, mloibl, mtasaka, no1youknowz, nstielau, pkrupa, rcollet, ruby-maint, sclewis, slinaber, sponnaga, surbania, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: oniguruma 6.9.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-08 13:17:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1728966, 1728967, 1771052, 1771054, 1771055, 1772692, 1857694    
Bug Blocks: 1728974    

Description Dhananjay Arunesh 2019-07-11 06:43:59 UTC 
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Upstream commit:
https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
Comment 1 Dhananjay Arunesh 2019-07-11 06:44:17 UTC 
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1728967]
Affects: fedora-all [bug 1728966]
Comment 2 Mamoru TASAKA 2019-07-12 04:00:57 UTC 
(In reply to Dhananjay Arunesh from comment #0)
> A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2
> allows attackers to potentially cause denial of service by providing a
> crafted regular expression. Oniguruma issues often affect Ruby, as well as
> common optional libraries for PHP and Rust.
> 
> Upstream commit:
> https://github.com/kkos/oniguruma/commit/
> c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c

For 6.9.2 (Fedora 31 and 30), this patch can be applied cleanly.

For 6.9.1 (Fedora 29) this patch cannot be applied cleanly. (Note that this patch cannot be applied already indicates that there are some large changes between 6.9.1 and 6.9.2 at least on code level, which is the reason I did not upgrade oniguruma to 6.9.1 on Fedora 29).
For a quick glance, oniguruma 6.9.2 appears to be affected by this, however I think it needs some longer investigation how to apply the fix to oniguruma 6.9.2.

RHEL8 seems to be using 6.8.2, EPEL7 seems to be using 5.9.5, which need much longer investigation, I think.
Comment 3 Mamoru TASAKA 2019-07-12 04:02:22 UTC 
> however I think it needs some longer investigation how to apply the fix to oniguruma 6.9.2.

s/6.9.2/6.9.1/
Comment 4 Mamoru TASAKA 2019-07-13 05:49:42 UTC 
For 6.9.1:
https://src.fedoraproject.org/rpms/oniguruma/blob/f29/f/0100-Apply-CVE-2019-13325-fix-to-6.9.1.patch
Comment 7 Marco Benatto 2019-11-11 19:54:59 UTC 
Statement:

The version of Oniguruma package as shipped with Red Hat Enterprise Linux 6 is not affected by this issue. The issue resides on the way 'If/Else' statements are handled by Oniguruma which is not supported by Red Hat Enterprise Linux 6.
Comment 18 Mark Cooper 2019-11-19 03:11:55 UTC 
OpenShift is not affected as it only includes version 5.x of oniguruma in the following containers:
 - openshift4/ose-metering-hadoop
 - openshift4/ose-metering-hive
 - openshift4/ose-metering-presto

Version 5.x does not contain the affected If/Else code.
Comment 19 Marco Benatto 2019-11-20 18:53:38 UTC 
Ruby uses libonigmo, instead of onigurama, which is not affected by this flaw.
Comment 20 Marco Benatto 2019-11-20 19:21:05 UTC 
Oniguruma is library designed to handle regular expression, when processing a regular expression Oniguruma compiles it into byte code to be further used when matching the required pattern against a text. There's a bug on compiling stagesfor regular expression's if/else statements which cause incorrect byte code to be generated. The wrong byte code further leads to a Segmentation Fault in match_at() function, as it handles regular characters as memory addresses instead. An attacker can leverage this by producing a regular expression crafted to trigger the bug leading to DoS.

The attack complexity may be considered High as the target software may need to accept and compile untrusted regular expressions and the attacker my need to check which oniguruma version is being used on the victim side, as only Oniguruma v6.5.0 an above implements the if/else pattern.
Comment 22 errata-xmlrpc 2020-09-08 09:45:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662
Comment 23 Product Security DevOps Team 2020-09-08 13:17:51 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13225
Comment 24 errata-xmlrpc 2020-11-04 04:11:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4827 https://access.redhat.com/errata/RHSA-2020:4827