Bug 1769042 (CVE-2019-16161)
| Summary: | CVE-2019-16161 onigmo: NULL pointer dereference in onig_error_code_to_str because of fetch_token in regparse.c | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | anpicker, bmontgom, eparis, erooth, hhorak, jburrell, jjoyce, jkucera, jokerman, jorton, jschluet, ktdreyer, lcosic, lhh, lpeer, mburns, mcascell, mcooper, mtasaka, no1youknowz, nstielau, rcollet, ruby-maint, sclewis, slinaber, sponnaga, surbania |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A NULL pointer dereference vulnerability was found in Onigmo in the way it handled certain types of "subexp" regular expressions. A remote attacker could exploit this flaw by providing a malformed regular expression that when processed by an application linked to Onigmo, would crash the application, causing a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-25 09:55:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1770212, 1770213, 1770214, 1791844, 1791845, 1791846, 1791847, 1791848, 1791849 | ||
| Bug Blocks: | 1769065 | ||
|
Description
Guilherme de Almeida Suckevicz
2019-11-05 19:50:56 UTC
Created oniguruma tracking bugs for this issue: Affects: epel-7 [bug 1770213] Affects: fedora-all [bug 1770212] Affects: openstack-rdo [bug 1770214] This is CVE for onigumo, while the one we've packed on Fedora is oniguruma. And at least with origuruma 6.9.3 and 6.9.4-rc1, the PoC code referenced in the above URL does not cause any segfault. Also anyway I checked the code of regparse.c in oniguruma, however regparse.c has lots of refactoring and etc so the code is diffenrent largely from onigumo. For now, I doubt this issue affects oniguruma in Fedora. Mamoru, Thank you for your analysis and letting us know this. OpenShift doesn't package onigmo. The PoC referred to in the above URL also does not cause a segfault with version 5.9.2 of oniguruma which is included in the following containers: - openshift4/ose-metering-hadoop - openshift4/ose-metering-hive - openshift4/ose-metering-presto As Mamoru has stated, this is a result of the code base differing within regparse.c. Onigmo is a regular expressions library forked from Oniguruma focusing on new expressions supported in Perl 5.10+ (e.g., "\K", "\R"). This flaw only affects Onigmo, as the vulnerable code is conditionally compiled (#ifdef) based on USE_PERL_SUBEXP_CALL, and this macro does not exist in Oniguruma codebase. However, it is worth noting that Oniguruma was affected by a very similar issue: https://github.com/kkos/oniguruma/issues/87. This issue was fixed upstream in version v6.8.2 with the following commits: https://github.com/kkos/oniguruma/commit/410f5916429e7d2920e1d4867388514f605413b8 https://github.com/kkos/oniguruma/commit/850bd9b0d8186eb1637722b46b12656814ab4ad2 The flaw is triggered when handling Perl "subexp" regular expressions such as "(?R)" or "(?0)" in the fetch_token() function in regparse.c. Specifically, in case of malformed subexp such as "(?0d" the code returns an "invalid group name" error and calls onig_error_code_to_str(). This function accesses the error code string (einfo->enc) which was never initialized, thus causing a NULL pointer dereference. Onigumura's commits mentioned in Comment 8 fixed this issue by properly initializing the struct (einfo->enc) in onig_compile() function in regcomp.c. This fix would have avoided the flaw in Onigmo, but for some reasons it was not included in Onigmo codebase. Also note that Onigumura versions before v6.7.0 were not affected by the issue mentioned in Comment 8 as they did not include support for Perl subexp "(?R)", which was introduced with commit https://github.com/kkos/oniguruma/commit/474e5dd6a245faf5f75922bc83f077e55881fa5b. Statement: This flaw does not affect the versions of oniguruma (embedded in php:7.2/php) as shipped with Red Hat Enterprise Linux 8 as they do not include the vulnerable code, which was introduced in a newer version of the package. The same is true for the versions of oniguruma as shipped with Red Hat Enterprise Linux 6, the versions of oniguruma (embedded in php and php53) as shipped with Red Hat Enterprise Linux 5, 6, and 7, and the versions of oniguruma (embedded in rh-php72-php) as shipped with Red Hat Software Collections 3. This flaw does not affect the versions of oniguruma as shipped with Red Hat Enterprise Linux 8 as they already include the patch. The same is true for the versions of oniguruma (embedded in php:7.3/php) as shipped with Red Hat Enterprise Linux 8 and the versions of oniguruma (embedded in rh-php73-php) as shipped with Red Hat Software Collections 3. |