An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in unicode_unfold_key(). A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.

Upstream bug: https://github.com/kkos/oniguruma/issues/56
Upstream patch: https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f
Created oniguruma tracking bugs for this issue:
Affects: epel-7 [bug 1466750]
Affects: fedora-all [bug 1466752]

Created php tracking bugs for this issue:
Affects: fedora-all [bug 1466751]

Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1466749]

Created ruby193-ruby tracking bugs for this issue:
Affects: openshift-1 [bug 1466753]
This flaw was introduced upstream in commit https://github.com/kkos/oniguruma/commit/d8366441 (2016-04-16, post v5.9.6). Previously, the functionality of unicode_unfold_key() was provided by a simple hash table (st.c) and was not prone to such overflows.
Ruby is not vulnerable according to Ruby upstream:

~~~
> CVE-2017-9225 https://github.com/kkos/oniguruma/issues/56 not affected.

% ruby <<'END'
str = "\x3f\xff\x63\x7f\xff\xff\xff\xff\x4d\x22\x00\x00".force_encoding('UTF-32BE')
Regexp.new(str)
END
Traceback (most recent call last):
	2: from -:2:in `<main>'
	1: from -:2:in `new'
-:2:in `initialize': invalid multibyte character: /\x3F\u{FF637FFF}\u{FFFFFF4D}\x22\x00\x00/ (RegexpError)
~~~
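Added example (not code from the bug report, Oniguruma, Ruby or PHP): a defensive check that rejects a UTF-32BE pattern whose 32-bit units are not Unicode scalar values before it reaches a regex compiler at all. Read as aligned big-endian units, the reproducer bytes above are 0x3FFF637F, 0xFFFFFFFF and 0x4D220000, all outside the Unicode range; the function names, the benign sample pattern and the choice to transcode to UTF-8 before compiling are this example's own assumptions.

```ruby
# Added example; not the report's or any upstream project's code.
# Validates each 32-bit unit of a UTF-32BE byte string against the
# Unicode scalar range before the bytes are handed to Regexp.new.
MAX_SCALAR = 0x10FFFF          # largest Unicode code point
SURROGATES = (0xD800..0xDFFF)  # never valid as standalone scalars

# Returns [[byte_offset, code_unit], ...] for every unit that is not a
# Unicode scalar value; an empty array means the stream is well-formed.
def invalid_utf32be_units(bytes)
  if bytes.bytesize % 4 != 0
    raise ArgumentError, 'UTF-32BE input length must be a multiple of 4'
  end
  bytes.unpack('N*')                      # 'N' = 32-bit big-endian unsigned
       .each_with_index
       .select { |cp, _| cp > MAX_SCALAR || SURROGATES.cover?(cp) }
       .map { |cp, i| [i * 4, cp] }
end

# Compiles the pattern only if validation passes. The Regexp is built from
# a UTF-8 transcoding so the caller works with one common encoding.
def compile_utf32be_pattern(bytes)
  bad = invalid_utf32be_units(bytes)
  return [:rejected, bad] unless bad.empty?
  utf8 = bytes.dup.force_encoding('UTF-32BE').encode('UTF-8')
  [:ok, Regexp.new(utf8)]
end

# Constructed inputs: the reproducer bytes quoted in the report, and a
# benign pattern "ab" encoded as UTF-32BE.
MALFORMED = "\x3f\xff\x63\x7f\xff\xff\xff\xff\x4d\x22\x00\x00".b
BENIGN    = "\x00\x00\x00a\x00\x00\x00b".b

if __FILE__ == $0
  status, detail = compile_utf32be_pattern(MALFORMED)
  puts "#{status}: #{detail.map { |off, cp| format('offset %d -> 0x%08X', off, cp) }.join(', ')}"
  status, re = compile_utf32be_pattern(BENIGN)
  puts "#{status}: #{re.inspect} matches 'ab' = #{re.match?('ab')}"
end
```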