Bug 1802061 (CVE-2019-19203)
| Summary: | CVE-2019-19203 oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | alegrand, anpicker, bmontgom, carl, dbecker, eparis, erooth, hhorak, jburrell, jjoyce, jkucera, jokerman, jorton, jschluet, kakkoyun, ktdreyer, lcosic, lhh, lpeer, mburns, mcascell, mcooper, mloibl, mtasaka, no1youknowz, nstielau, pkrupa, rcollet, ruby-maint, sclewis, sfowler, slinaber, sponnaga, surbania, vondruch, webstack-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Oniguruma 6.9.4 | Doc Type: | If docs needed, set a value |
| Doc Text: | An out-of-bounds read vulnerability was found in the way Oniguruma handled regular expressions with GB18030 character encoding. A UChar pointer is dereferenced without checking whether it has passed the end of the matched string, leading to a heap-based buffer over-read. A remote attacker could abuse this flaw by providing a malformed regular expression that, when processed by an application linked to Oniguruma, might crash the application, causing a denial of service. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-08 13:18:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1802063, 1802064, 1802387, 1802388, 1802389, 1802390, 1804215, 1808370, 1808371, 1808372, 1808373, 1808374, 1808375, 1808376, 1808377, 1808378, 1808379, 1808380, 1814168, 1857710 | | |
| Bug Blocks: | 1802075 | | |
Description
Dhananjay Arunesh
2020-02-12 09:47:40 UTC
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1802063]
Affects: fedora-30 [bug 1802064]

When handling regular expressions with GB18030 character encoding, function match_at() in regexec.c calls gb18030_mbc_to_code() through macro ONIGENC_IS_MBC_WORD: https://github.com/kkos/oniguruma/blob/v6.9.3/src/regexec.c#L3183. Function gb18030_mbc_to_code() takes a UChar pointer to the regexp matching string and reads an OnigCodePoint from it. However, the pointer is previously incremented in the CCLASS switch case: https://github.com/kkos/oniguruma/blob/v6.9.3/src/regexec.c#L3003. If the matching string is a malformed 2-byte string (such as "\xe1\xe1" in the PoC), this will lead to an out-of-bounds read of 1 byte, as the pointer argument points into the middle of the matching string.

The out-of-bounds read does not occur in Oniguruma upstream versions prior to v6.9.2; the flaw was apparently introduced in version v6.9.2 with commit https://github.com/kkos/oniguruma/commit/3661ae526bc1cfe1b93ec31fc03c0fe72e1fe6c1. This commit modified the way the matching string pointer is incremented in the CCLASS switch case (see comment #5). Specifically, the `enclen` macro was replaced with the ++ operator to increment the pointer. `enclen` was able to detect the size of the string and increment the pointer properly, preventing ONIGENC_IS_MBC_WORD from being reached thanks to the size checks in the DATA_ENSURE macro: https://github.com/kkos/oniguruma/blob/v6.9.3/src/regexec.c#L3182.

Note that the versions of Ruby as shipped with Red Hat Enterprise Linux and Red Hat Software Collections 3 do not use Oniguruma but rather Onigmo, a regular expressions library forked from Oniguruma focusing on new expressions supported in Perl 5.10+.

The following containers are packaged with OpenShift 4.x and contain a vulnerable version of oniguruma (5.9.x):

- openshift4/ose-metering-hadoop
- openshift4/ose-metering-hive
- openshift4/ose-metering-presto

However, these containers include oniguruma but do not use it. This includes faq and jq, which may use oniguruma and are included within the containers but are unused.

Red Hat CoreOS also includes oniguruma (6.8.3, which is also vulnerable) as a dependency of jq.

Created oniguruma tracking bugs for this issue:

Affects: openstack-rdo [bug 1814168]

(In reply to Mauro Matteo Cascella from comment #7)
> Note that the versions of Ruby as shipped with Red Hat Enterprise Linux and
> Red Hat Software Collections 3 do not use Oniguruma but rather Onigmo, a
> regular expressions library forked from Oniguruma focusing on new
> expressions supported in Perl 5.10+.

So is Ruby vulnerable or not? I don't think it is, since it does more checks prior to feeding the data into Oniguruma/Onigmo:

~~~
$ ruby -e 's = "[\\W]\\w\xa1".force_encoding Encoding::GB18030
> Regexp.new s'
-e:2:in `initialize': invalid multibyte character: /[\W]\w\xA1/ (RegexpError)
	from -e:2:in `new'
	from -e:2:in `<main>'
$ rpm -q ruby
ruby-2.0.0.648-36.el7.x86_64
~~~

Hello Vit, although it doesn't seem possible to trigger the flaw (as you pointed out), we consider all versions of Ruby to be affected because they include the same vulnerable code as Oniguruma in enc/gb18030.c and regenc.c; the patch has not been backported and we cannot rule out that it might still be possible to trigger the flaw in other ways/future versions. I do agree this is a low-severity issue in Ruby for the reason above, so if you think it's not worth spending more time on it please feel free to WONTFIX the related tracking bugs.

Statement:

This flaw did not affect the versions of Oniguruma (embedded in php) as shipped with Red Hat Enterprise Linux 5, as they did not include support for GB18030 character encoding, which was introduced in a later version of the library.

The versions of Ruby as shipped with Red Hat Enterprise Linux and Red Hat Software Collections 3 do not use Oniguruma but rather Onigmo, a regular expressions library forked from Oniguruma focusing on new expressions supported in Perl 5.10+. Those versions are affected by this flaw because both Onigmo and Oniguruma share the same vulnerable code. However, Ruby does perform additional checks which prevent the vulnerable code path from being easily reached, hence lowering the severity of the flaw.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19203

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5275 https://access.redhat.com/errata/RHSA-2020:5275

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0409 https://access.redhat.com/errata/RHSA-2024:0409

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0572 https://access.redhat.com/errata/RHSA-2024:0572

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0889 https://access.redhat.com/errata/RHSA-2024:0889
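The pointer-advance mistake analysed in the comments above, modelled in a small standalone C program. This is an added illustration, not Oniguruma's or Onigmo's code: `gb18030_enc_len`, `check_mbc_read` and `walk_cclass_then_word` are simplified stand-ins for the library's encoding length table, its DATA_ENSURE guard, and the CCLASS step followed by ONIGENC_IS_MBC_WORD. On the malformed subject "\xe1\xe1" from the report, advancing by one byte leaves the pointer mid-character so the next multibyte decode would read one byte past the buffer, while advancing by the encoded length never reaches the unsafe read.

```c
/* Added model of the CVE-2019-19203 bug class, not Oniguruma's own code: the
 * subject pointer is advanced by one byte instead of by the encoded length,
 * then a multibyte character is decoded at that position. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef unsigned char UChar;

/* Length the char at p claims (simplified GB18030: 1, 2 or 4 bytes). */
static int gb18030_enc_len(const UChar *p, const UChar *end)
{
    if (p >= end) return 0;
    if (p[0] < 0x81 || p[0] == 0xFF) return 1;  /* ASCII or invalid lead byte */
    if (p + 1 >= end) return 2;                  /* trail byte missing: still claims 2 */
    return (p[1] >= 0x30 && p[1] <= 0x39) ? 4 : 2;  /* digit second byte: 4-byte form */
}

/* DATA_ENSURE-style guard around the decode: returns how many bytes an
 * unchecked decoder would read past `end` (0 = safe, *code filled in). */
static int check_mbc_read(const UChar *p, const UChar *end, uint32_t *code)
{
    int len = gb18030_enc_len(p, end), avail = (int)(end - p);
    if (len > avail) return len - avail;
    for (*code = 0; len-- > 0; p++) *code = (*code << 8) | *p;
    return 0;
}

/* CCLASS step (consume one char), then an ONIGENC_IS_MBC_WORD-style test at
 * the new position. advance_by_one=1 mimics the v6.9.2 p++; 0 uses enclen. */
static int walk_cclass_then_word(const UChar *s, size_t n, int advance_by_one)
{
    const UChar *p = s, *end = s + n;
    while (p < end) {
        p += advance_by_one ? 1 : gb18030_enc_len(p, end);
        if (p >= end) break;                    /* nothing left to test */
        uint32_t code;
        int over = check_mbc_read(p, end, &code);
        if (over) return over;                  /* would read `over` bytes past end */
    }
    return 0;
}

int main(void)
{
    const UChar poc[] = { 0xe1, 0xe1 };  /* constructed: malformed 2-byte subject from the report */
    printf("p++: %d byte(s) past end; enclen: %d byte(s) past end\n",
           walk_cclass_then_word(poc, 2, 1), walk_cclass_then_word(poc, 2, 0));
    return 0;
}
```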