Bug 1466730 - (CVE-2017-9224) CVE-2017-9224 oniguruma: Out-of-bounds stack read in match_at() during regular expression searching
CVE-2017-9224 oniguruma: Out-of-bounds stack read in match_at() during regula...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1466750 1466753 1554537 1466749 1466751 1466752
Blocks: 1466748 1491035
  Show dependency treegraph
Reported: 2017-06-30 06:48 EDT by Adam Mariš
Modified: 2018-04-13 18:26 EDT (History)
38 users (show)

See Also:
Fixed In Version: oniguruma 6.3.0, php 5.6.31, php 7.0.21, php 7.1.7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2017-06-30 06:48:46 EDT
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.

Upstream bug:


Upstream patch:

Comment 1 Adam Mariš 2017-06-30 07:34:51 EDT
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1466750]
Affects: fedora-all [bug 1466752]

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1466751]

Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1466749]

Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1466753]
Comment 2 Doran Moppert 2017-07-31 00:04:18 EDT
Exploiting this flaw results in a single byte read beyond the end of the input string, which is stack-allocated in the reproducer but could plausibly also be heap-allocated.  Information about the byte read may under some circumstances be leaked to the attacker, but their opportunity to control this or repeatedly exploit it to learn useful information is very small.
Comment 3 Vít Ondruch 2017-09-06 09:39:36 EDT
This is not vulnerable according to the upstream:

> CVE-2017-9224 https://github.com/kkos/oniguruma/issues/57

not affected.

% ruby <<'END'
str   = [ 0xc7, 0xd6, 0xfe, 0xea, 0xe0, 0xe2, 0x00 ].pack('c*')
input = [0xf1, 0x5c, 0x69, 0x53, 0x53, 0x53, 0x53, 0x3c, 0x30, 0x53,
        0x59, 0x54, 0x52, 0x33, 0x7c, 0x2e, 0x5c, 0xe2, 0x48, 0x5c,
        0x7a, 0x53, 0x00, 0x06, 0x00, 0x00, 0x27, 0x19, 0x00, 0x54,
        0x52, 0x54, 0x52, 0x33, 0x7c, 0x2e, 0x53, 0xe2, 0x48].pack('c*')

re = Regexp.new(input.force_encoding('Shift_JIS'), Regexp::IGNORECASE)
re.match str.force_encoding('Shift_JIS')
Traceback (most recent call last):
        1: from -:8:in `<main>'
-:8:in `match': invalid byte sequence in Shift_JIS (ArgumentError)
Comment 4 Vít Ondruch 2017-09-06 09:41:09 EDT
(In reply to Vít Ondruch from comment #3)
Speaking in Ruby context ...

Note You need to log in before you can comment on or make changes to this bug.