Bug 1466733 - (CVE-2017-9225) CVE-2017-9225 oniguruma: Out-of-bounds stack write in onigenc_unicode_get_case_fold_codes_by_str() during regular expression compilation
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20170522,repor...
: Security
Depends On: 1466750 1466753 1466749 1466751 1466752
Blocks: 1466748
Reported: 2017-06-30 06:56 EDT by Adam Mariš
Modified: 2017-09-06 09:42 EDT (History)

See Also:
Fixed In Version: oniguruma 6.3.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Adam Mariš 2017-06-30 06:56:10 EDT
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str()
occurs during regular expression compilation. Code point 0xFFFFFFFF is
not properly handled in unicode_unfold_key(). A malformed regular
expression could result in 4 bytes being written off the end of a stack
buffer of expand_case_fold_string() during the call to
onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer
overflow.
 
Upstream bug:

https://github.com/kkos/oniguruma/issues/56

Upstream patch:

https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f
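The description above turns on two missing checks: the code point handed to the unfold lookup is never validated (0xFFFFFFFF is not a Unicode scalar value), and the caller's fixed-size stack buffer is filled without a capacity argument. The following C is an added example, not oniguruma's code and not the upstream patch linked above; the table, the entry layout and every function name in it are constructed for illustration. It shows the shape of a lookup that rejects out-of-range code points before they select anything and that refuses to write more case-fold codes than the caller's buffer holds.

```c
/* Added example (not oniguruma's code): a bounds-checked case-fold lookup.
 * The table, entry layout and function names are constructed for this demo. */
#include <stddef.h>
#include <stdint.h>

#define UNICODE_MAX_CODE_POINT 0x10FFFFu   /* largest valid Unicode scalar value */
#define FOLD_MAX_EXPANSION     3           /* longest folding in the toy table below */

typedef struct {
    uint32_t code;                          /* code point being unfolded */
    uint32_t folds[FOLD_MAX_EXPANSION];     /* code points it folds to */
    int      n;                             /* how many of folds[] are used */
} fold_entry_t;

/* Constructed toy unfold table; the real Unicode case-fold data is far larger. */
static const fold_entry_t FOLD_TABLE[] = {
    { 0x0041, { 0x0061 },         1 },      /* 'A' -> 'a' */
    { 0x004B, { 0x006B, 0x212A }, 2 },      /* 'K' -> 'k', KELVIN SIGN */
    { 0x00DF, { 0x0073, 0x0073 }, 2 },      /* U+00DF folds to "ss" */
};
#define FOLD_TABLE_LEN (sizeof FOLD_TABLE / sizeof FOLD_TABLE[0])

/* Hardened lookup. Returns the number of code points written to out[],
 * 0 if `code` has no folding, or -1 if `code` is outside the Unicode range
 * or out[] cannot hold the expansion. On -1 nothing is written. */
int unfold_key_checked(uint32_t code, uint32_t *out, size_t out_cap)
{
    /* Reject arbitrary 32-bit values (such as 0xFFFFFFFF) before they are
     * used to select a table entry or to decide how much to write. */
    if (code > UNICODE_MAX_CODE_POINT)
        return -1;

    for (size_t i = 0; i < FOLD_TABLE_LEN; i++) {
        if (FOLD_TABLE[i].code != code)
            continue;
        size_t n = (size_t)FOLD_TABLE[i].n;
        if (n > out_cap)            /* never run past the caller's buffer */
            return -1;
        for (size_t j = 0; j < n; j++)
            out[j] = FOLD_TABLE[i].folds[j];
        return (int)n;
    }
    return 0;                       /* valid code point, no folding */
}

/* A caller with a fixed-size stack buffer, the situation the description
 * gives for expand_case_fold_string(). The capacity is passed explicitly.
 * Returns the lookup result, or -2 if the sentinel placed after the buffer
 * was overwritten (which the checked lookup never does). */
int expand_case_fold_checked(uint32_t code)
{
    struct {
        uint32_t buf[FOLD_MAX_EXPANSION];   /* stack buffer for the expansion */
        uint32_t sentinel;                  /* demo-only guard word after buf[] */
    } frame = { { 0 }, 0xA5A5A5A5u };

    int n = unfold_key_checked(code, frame.buf, FOLD_MAX_EXPANSION);
    if (frame.sentinel != 0xA5A5A5A5u)
        return -2;
    return n;
}
```

The sentinel is only there so the demo can show that no write lands beyond the buffer; in real code the property comes from the two checks in the lookup, not from a guard word. A caller receiving -1 should treat the pattern as invalid rather than continue compiling it.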
Comment 1 Adam Mariš 2017-06-30 07:33:55 EDT
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1466750]
Affects: fedora-all [bug 1466752]


Created php tracking bugs for this issue:

Affects: fedora-all [bug 1466751]


Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1466749]


Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1466753]
Comment 2 Doran Moppert 2017-07-30 23:40:35 EDT
This flaw was introduced upstream in commit https://github.com/kkos/oniguruma/commit/d8366441 (2016-04-16, post v5.9.6).

Previously, the functionality of unicode_unfold_key() was provided by a simple hash table (st.c) and was not prone to such overflows.
Comment 4 Vít Ondruch 2017-09-06 09:42:33 EDT
Ruby is not vulnerable according to Ruby upstream:

~~~
> CVE-2017-9225 https://github.com/kkos/oniguruma/issues/56

not affected.

% ruby <<'END'
str = "\x3f\xff\x63\x7f\xff\xff\xff\xff\x4d\x22\x00\x00".force_encoding('UTF-32BE')
Regexp.new(str)
END
Traceback (most recent call last):
        2: from -:2:in `<main>'
        1: from -:2:in `new'
-:2:in `initialize': invalid multibyte character:
/\x3F\u{FF637FFF}\u{FFFFFF4D}\x22\x00\x00/ (RegexpError)
~~~
