Bug 1728970 (CVE-2019-13224)

Summary: CVE-2019-13224 oniguruma: Use-after-free in onig_new_deluxe() in regext.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: ahardin, alegrand, anpicker, bleanhar, bmontgom, ccoleman, dbecker, dedgar, eparis, erooth, hhorak, jburrell, jgoulding, jjoyce, jkucera, jokerman, jorton, jschluet, kakkoyun, ktdreyer, lcosic, lhh, lpeer, mburns, mchappel, mloibl, mtasaka, no1youknowz, nstielau, pkrupa, rcollet, ruby-maint, sclewis, slinaber, sponnaga, surbania, webstack-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2020-09-08 13:17:56 UTC
Bug Depends On: 1728972, 1728971, 1774846, 1774847, 1774848, 1777572, 1777573, 1777574, 1777575, 1777576, 1777577, 1777578, 1857701
Bug Blocks: 1728974

Description Dhananjay Arunesh 2019-07-11 06:51:03 UTC
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Reference:
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55

Comment 1 Dhananjay Arunesh 2019-07-11 06:51:21 UTC
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1728972]
Affects: fedora-all [bug 1728971]

Comment 2 Mamoru TASAKA 2019-07-12 04:42:01 UTC
(In reply to Dhananjay Arunesh from comment #0)
> A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows
> attackers to potentially cause information disclosure, denial of service, or
> possibly code execution by providing a crafted regular expression. The
> attacker provides a pair of a regex pattern and a string, with a multi-byte
> encoding that gets handled by onig_new_deluxe(). Oniguruma issues often
> affect Ruby, as well as common optional libraries for PHP and Rust.
> 
> Reference:
> https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55

This change is a sort of API change, not a fix for the function but essentially an obsoletion of the function, and currently I am unsure if I should apply this "change" as it is.

Comment 3 Mamoru TASAKA 2019-07-12 06:46:15 UTC
For F-30, F-29 (and for now for F-31) I decided not to use the upstream change but use another fix.

Comment 5 Mark Cooper 2019-11-21 05:47:16 UTC
The following containers are packaged with OpenShift 4.x and contain a vulnerable version of oniguruma (5.9.x):
 - openshift4/ose-metering-hadoop
 - openshift4/ose-metering-hive
 - openshift4/ose-metering-presto

However, these containers include oniguruma but do not use it. This includes faq and jq, which may use oniguruma and are included within the containers but, likewise, are unused. Additionally, when the associated jq version uses the oniguruma library, it does not call the vulnerable function onig_new_deluxe().

Comment 8 Marco Benatto 2019-11-26 18:19:22 UTC
Statement:

Ruby versions are not affected as they use Onigmo, which is a fork of Oniguruma, instead. The Onigmo library doesn't include the source code containing the related bug.

Comment 12 Marco Benatto 2019-11-28 15:01:41 UTC
There's an issue when using different encodings in the onig_new_deluxe() function. Under the right circumstances a use-after-free may be caused when Oniguruma fails to compile the regular expression. This flaw may be leveraged by an attacker to expose heap data or cause DoS by crafting a regular expression which triggers the bug.

Comment 14 errata-xmlrpc 2020-09-08 09:45:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662

Comment 15 Product Security DevOps Team 2020-09-08 13:17:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13224

Comment 16 errata-xmlrpc 2024-01-24 16:41:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0409 https://access.redhat.com/errata/RHSA-2024:0409

Comment 17 errata-xmlrpc 2024-01-30 13:20:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0572 https://access.redhat.com/errata/RHSA-2024:0572

Comment 18 errata-xmlrpc 2024-02-20 12:30:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0889 https://access.redhat.com/errata/RHSA-2024:0889