Bug 1802051 (CVE-2019-19012)

Summary: CVE-2019-19012 oniguruma: integer overflow in search_in_range function in regexec.c leads to out-of-bounds read
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anpicker, bmontgom, carl, eparis, erooth, hhorak, jburrell, jjoyce, jkucera, jokerman, jorton, jschluet, ktdreyer, lcosic, lhh, lpeer, mburns, mcascell, mtasaka, no1youknowz, nstielau, rcollet, ruby-maint, sclewis, slinaber, sponnaga, surbania, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Oniguruma 6.9.4 Doc Type: If docs needed, set a value
Doc Text:
An integer overflow vulnerability leading to an out-of-bounds read was found in the way Oniguruma handled regular expression quantifiers. A remote attacker could abuse this flaw by providing a malformed regular expression that, when processed by an application linked to Oniguruma, could crash the application, causing a denial of service.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 10:59:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1802052, 1802053, 1813299, 1813300, 1813301, 1814167    
Bug Blocks: 1802075    

Description Dhananjay Arunesh 2020-02-12 09:30:47 UTC
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression.

Reference:
https://github.com/kkos/oniguruma/issues/164
https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
https://github.com/tarantula-team/CVE-2019-19012

Comment 1 Dhananjay Arunesh 2020-02-12 09:32:03 UTC
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1802053]
Affects: fedora-30 [bug 1802052]

Comment 2 Mark Cooper 2020-02-21 04:19:21 UTC
The Oniguruma library which is only packaged in OpenShift 4.x, is the 64-bit version which is not vulnerable to this flaw.

Comment 4 Mauro Matteo Cascella 2020-03-12 09:57:17 UTC
Upstream fix:
https://github.com/kkos/oniguruma/commit/0463e21432515631a9bc925ce5eb95b097c73719

Comment 9 Mark Cooper 2020-03-16 05:10:57 UTC
Statement:

This flaw only affected 32-bit compiled versions of Oniguruma. Therefore it did not affect the following 64-bit versions:
* PHP and Ruby as shipped with Red Hat Enterprise Linux 7.
* PHP and Ruby as shipped with Red Hat Software Collections 3.
* PHP as shipped with Red Hat Enterprise Linux 8.
* OpenShift containers: openshift4/ose-metering-hadoop, openshift4/ose-metering-hive, openshift4/ose-metering-presto.

Comment 10 Mauro Matteo Cascella 2020-03-17 09:17:58 UTC
Created oniguruma tracking bugs for this issue:

Affects: openstack-rdo [bug 1814167]

Comment 22 errata-xmlrpc 2024-01-24 16:41:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0409 https://access.redhat.com/errata/RHSA-2024:0409

Comment 23 errata-xmlrpc 2024-01-30 13:20:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0572 https://access.redhat.com/errata/RHSA-2024:0572

Comment 24 errata-xmlrpc 2024-02-20 12:30:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0889 https://access.redhat.com/errata/RHSA-2024:0889