Bug 1781304 (CVE-2019-16162)
| Summary: | CVE-2019-16162 onigmo: out-of-bounds read in next_state_val() in regparse.c | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | anpicker, bmontgom, eparis, erooth, hhorak, jburrell, jjoyce, jkucera, jokerman, jorton, jschluet, ktdreyer, lcosic, lhh, lpeer, mburns, mcascell, mcooper, mtasaka, no1youknowz, nstielau, rcollet, ruby-maint, sclewis, slinaber, sponnaga, surbania |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | An out-of-bounds read vulnerability was found in Onigmo in the way it handled wide characters in regular expressions. A remote attacker could exploit this flaw by providing a malformed regular expression that, when processed by an application linked to Onigmo, would crash the application and cause a denial of service. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-25 22:14:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1782981, 1781305, 1781306, 1781307, 1796374, 1796375, 1796376, 1796377, 1796378, 1796379 | | |
| Bug Blocks: | 1781308 | | |
Description

Guilherme de Almeida Suckevicz
2019-12-09 18:07:25 UTC

Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1781306]
Affects: fedora-all [bug 1781305]
Affects: openstack-rdo [bug 1781307]

This is onigmo, not oniguruma, and oniguruma at least from 5.9.2 contains a code check for onigenc_single_byte_code_to_mbclen:
https://github.com/kkos/oniguruma/blame/master/src/regenc.c#L708
and at least with oniguruma 6.9.4, the bug referenced on onigmo is not reproducible with oniguruma.

For now, I closed the Fedora side tracker (bug 1781305) as NOTABUG.

(In reply to Mamoru TASAKA from comment #2)
> This is onigmo, not oniguruma, and oniguruma at least from 5.9.2 contains
> a code check for onigenc_single_byte_code_to_mbclen:
> https://github.com/kkos/oniguruma/blame/master/src/regenc.c#L708
> and at least with oniguruma 6.9.4, the bug referenced on onigmo is not
> reproducible with oniguruma.

Mamoru,

Thank you for your analysis. Since onigmo is a fork of oniguruma, we have to make sure oniguruma doesn't have the affected code as well.

OpenShift doesn't package Onigmo. The regular expression referred to in the above URL (or simple variations of a wide hex char) does not cause a segfault with version 5.9.2 of oniguruma, which is included in the following containers:

- openshift4/ose-metering-hadoop
- openshift4/ose-metering-hive
- openshift4/ose-metering-presto

Oniguruma correctly produces the error "invalid code point value".

Oniguruma upstream versions v5.9.6 up to v6.9.4 are not affected by this flaw, as they already include the code point check in onigenc_single_byte_code_to_mbclen() in regenc.c:
https://github.com/kkos/oniguruma/blob/master/src/regenc.c#L726

The check was already present in the very first upstream commit (onig-5.9.2) and was never modified/updated/removed later on:
https://github.com/kkos/oniguruma/commit/65a9b1aa03c9bc2dc01b074295b9603232cb3b78

Note that this is pretty much the same fix introduced in Onigmo (see Comment 7).

The check prevents the function next_state_val() from being called, because ONIGENC_CODE_TO_MBCLEN() returns a negative value:
https://github.com/kkos/oniguruma/blob/v6.9.3/src/regparse.c#L6386-L6399

Also note that the next_state_val() function has been renamed to cc_char_next_state() in Oniguruma upstream version v6.9.4:
https://github.com/kkos/oniguruma/commit/51b553ba7d57193eb585aeecf57d4dfbdbf4d57e

Onigmo upstream versions 5.10.0 up to 5.15.0 are not affected by this flaw for the same reason as discussed in Comment 8. However, Onigmo versions 6.0.0 up to 6.2.0 *are* affected, because the function onigenc_single_byte_code_to_mbclen() in regenc.c does not properly check the code point value. The check was removed in upstream version 6.0.0 with the following commit:
https://github.com/k-takata/Onigmo/commit/ce13b17b955e0b6dfc6606b1fdbd4755590b360b#diff-0125a2b1f80c4e0dcb8ae0ffc60e6ccaL610

The following versions of Ruby embed old versions of Onigmo which all seem to be affected by this issue, as regenc.c does not include the fix:

- ruby as shipped with RHEL7
- ruby:2.5/ruby:2.6 module streams as shipped with RHEL8
- rh-ruby24/rh-ruby25/rh-ruby26 as shipped with RHSCL

However, it's not so easy to reproduce the flaw (maybe not possible at all), because Ruby does not allow wide hexadecimal code points and, consequently, regular expressions containing wide chars in a character class (e.g., [\x{11111}]) end up triggering an "invalid hex escape" syntax error.

The versions of PHP shipped with RHEL6 and RHEL7 embed a very old version of Oniguruma (4.7.1) which does not include the fix in regenc.c. Under some circumstances it is possible to enter the vulnerable path, for example by setting an "ASCII" encoding with mb_regex_encoding() and then calling mb_ereg_match(). Note that those mb_* functions are provided by the php-mbstring package, which adds support for multi-byte string handling to PHP. This package does not come pre-installed with PHP.

However, the flaw is not exploitable because Oniguruma does not include the macro BITSET_SET_BIT_CHKDUP(), which is responsible for the out-of-bounds read. This macro was introduced in Onigmo upstream version 6.0.0 with the following commit:
https://github.com/k-takata/Onigmo/commit/ce13b17b955e0b6dfc6606b1fdbd4755590b360b#diff-a05cbe34d16476e409ca74c5345e7916R146

Statement:

This flaw does not affect the versions of oniguruma as shipped with Red Hat Enterprise Linux 6 and 8, as they already include the patch. The same is true for the versions of oniguruma (embedded in php:7.2/php and php:7.3/php) as shipped with Red Hat Enterprise Linux 8, and the versions of oniguruma (embedded in rh-php72-php and rh-php73-php) as shipped with Red Hat Software Collections 3.

This flaw did not affect the versions of oniguruma (embedded in php) as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include the vulnerable code.
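The two defences the comments above credit with stopping this bug, the code-point check in onigenc_single_byte_code_to_mbclen() that keeps a wide value from ever reaching the character-class bitset, and Ruby's refusal of wide hex escapes at parse time, as an added C illustration written for this page. It is not Oniguruma's, Onigmo's or Ruby's own code: the function names mirror those discussed in the thread, but the bodies, the error constants, the 256-bit bitset model and the sample escapes are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model for this page, not the engines' actual source. */

#define SINGLE_BYTE_SIZE 256                /* a single-byte encoding has 256 code points */
#define BITSET_WORDS     (SINGLE_BYTE_SIZE / 32)
#define ERR_INVALID_CODE_POINT_VALUE (-400) /* assumption: stands in for ONIGERR_INVALID_CODE_POINT_VALUE */
#define ERR_BAD_HEX_ESCAPE           (-1)   /* hypothetical: models an "invalid hex escape" rejection */

typedef uint32_t BitSet[BITSET_WORDS];      /* one bit per single-byte code point */

/* Model of onigenc_single_byte_code_to_mbclen() with the check the thread
 * describes: only 0..0xff fit in one byte, anything larger is an invalid
 * code point for a single-byte encoding and yields a negative value. */
int single_byte_code_to_mbclen(uint32_t code)
{
    if (code < SINGLE_BYTE_SIZE) return 1;
    return ERR_INVALID_CODE_POINT_VALUE;
}

/* Parse the body of a \x{...} escape (the text after "\x{" up to "}").
 * Returns the code point, or ERR_BAD_HEX_ESCAPE when the input is malformed
 * or the value exceeds max_code (Ruby-style refusal of wide hex escapes). */
long parse_hex_escape(const char *s, uint32_t max_code)
{
    uint64_t code = 0;
    int ndigits = 0;
    for (; *s != '}'; s++, ndigits++) {
        int d;
        if (*s >= '0' && *s <= '9')      d = *s - '0';
        else if (*s >= 'a' && *s <= 'f') d = *s - 'a' + 10;
        else if (*s >= 'A' && *s <= 'F') d = *s - 'A' + 10;
        else return ERR_BAD_HEX_ESCAPE;  /* non-hex digit, or end of string before '}' */
        code = code * 16 + (uint64_t)d;  /* cannot overflow: code <= max_code before the multiply */
        if (code > max_code) return ERR_BAD_HEX_ESCAPE;
    }
    if (ndigits == 0) return ERR_BAD_HEX_ESCAPE;
    return (long)code;
}

/* Set bit `code` in the class bitset. Deliberately unguarded, like a raw
 * BITSET_SET_BIT: the index must already have been validated by the caller. */
static void bitset_set_bit(BitSet bs, uint32_t code)
{
    bs[code / 32] |= (1u << (code % 32));
}

/* Bounds-checked read of one bit; out-of-range code points are reported unset. */
int bitset_at(const BitSet bs, uint32_t code)
{
    if (code >= SINGLE_BYTE_SIZE) return 0;
    return (int)((bs[code / 32] >> (code % 32)) & 1u);
}

/* Add a code point to a single-byte character class. The length check runs
 * before the bitset is touched, so a wide value such as 0x11111 is rejected
 * instead of being used as an index past the end of the 256-bit set. */
int add_code_to_class(BitSet bs, uint32_t code)
{
    int len = single_byte_code_to_mbclen(code);
    if (len < 0) return len;
    bitset_set_bit(bs, code);
    return 0;
}

int main(void)
{
    BitSet bs;
    memset(bs, 0, sizeof bs);

    long code = parse_hex_escape("41}", 0x10FFFF);      /* constructed: [\x{41}] */
    printf("0x%lx -> %d\n", code, add_code_to_class(bs, (uint32_t)code));

    code = parse_hex_escape("11111}", 0x10FFFF);        /* constructed: [\x{11111}] */
    printf("0x%lx -> %d\n", code, add_code_to_class(bs, (uint32_t)code));

    /* With a 0xff ceiling the escape never even parses, as in Ruby. */
    printf("parse with 0xff ceiling -> %ld\n", parse_hex_escape("11111}", 0xff));
    return 0;
}
```

The length check and the bitset size are tied to the same constant on purpose: any path that adds a code point to a single-byte class goes through add_code_to_class(), so the index into the 256-bit set is never larger than the set. Rejecting the escape at parse time is a second, independent layer; either one alone is enough to keep the bitset access in bounds.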