Bug 1884111 (CVE-2020-26159)
| Summary: | CVE-2020-26159 oniguruma: Buffer overflow in concat_opt_exact_str could result in DoS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aileenc, bibryam, bmontgom, carl, chazlett, drieden, eparis, eric.wittmann, ganandan, ggaughan, gmalinko, hhorak, hvyas, janstey, jburrell, jkucera, jochrist, jokerman, jorton, jwon, ktdreyer, mtasaka, no1youknowz, nstielau, pantinor, rcollet, ruby-maint, sd-operator-metering, sponnaga, tcullum, tflannag, vondruch |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in oniguruma. An attacker, able to supply a regular expression for compilation, may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c .
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-02 17:53:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1884113, 1973531, 1884112, 1884452, 1884829, 1884830, 1884831, 1884832, 1884833, 1884834, 1884835, 1884836, 1884837, 1887595 | ||
| Bug Blocks: | 1884114 | ||
|
Description
Michael Kaplan
2020-10-01 05:25:25 UTC
External References: https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0 https://github.com/kkos/oniguruma/issues/207 Created oniguruma tracking bugs for this issue: Affects: epel-7 [bug 1884113] Affects: fedora-all [bug 1884112] This flaw is Out Of Support Scope for Red Hat Software Collections rh-ruby24-ruby. Please see [1] for more information. 1. https://access.redhat.com/support/policy/updates/rhscl-rhel7 Although the logic appears to exist in Joni[1], since it's a Java port, this out-of-bounds write vulnerability doesn't apply there. 1. https://github.com/jruby/joni/blob/8f0ff74275e0a84f6bedda30e8c100369d4e9e10/src/org/joni/OptExactInfo.java#L88 Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. Statement: Red Hat Ceph Storage 4 is not affected because the affected method, concat_opt_exact_str is not shipped. However, there is an identical flaw in concat_opt_exact_info_str and concat_opt_exact_info, which do not exist in the most recent version of oniguruma as methods. The impact is rated as low because we ship an older version without this exact exploit, so an attacker could not simply copy and paste this exploit, but would need to dig into the code itself and modify this attack for the older version of the code. I did some analysis and I don't think the original code was correct. There was never any vulnerability. I sent my analysis upstream: https://github.com/kkos/oniguruma/issues/221 (In reply to Vít Ondruch from comment #15) s/I don't think/I think/ So with the help of Vít the upstream now declared that the change by https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0 is not needed and he reverted the change. So this CVE is just false. I am also going to revert the change on Fedora packages. Changes reverted with oniguruma-6.9.6-0.3.rc3.fc34, oniguruma-6.9.6-0.3.rc3.fc33, oniguruma-6.9.5-4.rev1.fc32, oniguruma-6.9.4-3.fc31 |