An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str()
occurs during regular expression compilation. Code point 0xFFFFFFFF is
not properly handled in unicode_unfold_key(). A malformed regular
expression could result in 4 bytes being written off the end of a stack
buffer of expand_case_fold_string() during the call to
onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer
Created oniguruma tracking bugs for this issue:
Affects: epel-7 [bug 1466750]
Affects: fedora-all [bug 1466752]
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1466751]
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1466749]
Created ruby193-ruby tracking bugs for this issue:
Affects: openshift-1 [bug 1466753]
This flaw was introduced upstream in commit https://github.com/kkos/oniguruma/commit/d8366441 (2016-04-16, post v5.9.6).
Previously, the functionality of unicode_unfold_key() was provided by a simple hash table (st.c) and was not prone to such overflows.
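To make the defensive point concrete, here is a simplified model (added here, not Oniguruma's code) of the two places this class of bug is stopped: the unfold-key lookup rejects an out-of-range code point such as 0xFFFFFFFF before it can select an entry, and the caller checks the fold-set count against its fixed-size stack buffer instead of assuming it fits. Everything suffixed `_model` is a hypothetical name, and the fold table is a constructed three-entry subset.

```c
/* Added illustration, not Oniguruma's code: a simplified model of an
 * unfold-key lookup and the fixed stack buffer its caller fills. */
#include <stdint.h>
#include <string.h>

#define MAX_CODE_VALUE_MODEL 0x10FFFFu   /* largest valid Unicode code point */
typedef struct {
    uint32_t key;       /* folded (lower-case) code point */
    int      n;         /* number of code points that fold to key */
    uint32_t codes[3];
} FoldEntryModel;

/* Constructed table: 'k' is shared by 'K' and KELVIN SIGN (U+212A),
 * 's' by 'S' and LATIN SMALL LETTER LONG S (U+017F). */
static const FoldEntryModel fold_table_model[] = {
    { 0x006B, 3, { 0x006B, 0x004B, 0x212A } },
    { 0x0073, 3, { 0x0073, 0x0053, 0x017F } },
    { 0x0061, 2, { 0x0061, 0x0041 } },
};

/* Lookup that rejects out-of-range keys before touching the table, so
 * 0xFFFFFFFF can never select a bogus entry. Returns NULL when absent. */
const FoldEntryModel *unicode_unfold_key_model(uint32_t code)
{
    size_t i;
    if (code > MAX_CODE_VALUE_MODEL) return NULL;
    for (i = 0; i < sizeof fold_table_model / sizeof fold_table_model[0]; i++)
        if (fold_table_model[i].key == code) return &fold_table_model[i];
    return NULL;
}

/* Caller side: copy the fold set into a caller-owned buffer of `cap` entries.
 * Returns the count written, or -1 when the set would not fit, never overflowing. */
int get_case_fold_codes_model(uint32_t code, uint32_t *out, int cap)
{
    const FoldEntryModel *e = unicode_unfold_key_model(code);
    if (e == NULL) return 0;        /* no fold set: nothing written */
    if (e->n > cap) return -1;      /* would overflow: refuse */
    memcpy(out, e->codes, (size_t)e->n * sizeof out[0]);
    return e->n;
}

/* Exercise the caller with a 3-entry stack buffer; cap must be <= 3. */
int try_fold_model(uint32_t code, int cap)
{
    uint32_t buf[3] = { 0, 0, 0 };
    return get_case_fold_codes_model(code, buf, cap);
}
```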
Ruby is not vulnerable according to Ruby upstream:
> CVE-2017-9225 https://github.com/kkos/oniguruma/issues/56
% ruby <<'END'
str = "\x3f\xff\x63\x7f\xff\xff\xff\xff\x4d\x22\x00\x00".force_encoding('UTF-32BE')
Traceback (most recent call last):
2: from -:2:in `<main>'
1: from -:2:in `new'
-:2:in `initialize': invalid multibyte character: