Bug 1466733 (CVE-2017-9225) - CVE-2017-9225 oniguruma: Out-of-bounds stack write in onigenc_unicode_get_case_fold_codes_by_str() during regular expression compilation
Keywords:
Status: NEW
Alias: CVE-2017-9225
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170522,repor...
Depends On: 1466750 1466749 1466751 1466752 1466753
Blocks: 1466748
 
Reported: 2017-06-30 10:56 UTC by Adam Mariš
Modified: 2019-06-08 22:05 UTC (History)

Fixed In Version: oniguruma 6.3.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Adam Mariš 2017-06-30 10:56:10 UTC
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str()
occurs during regular expression compilation. Code point 0xFFFFFFFF is
not properly handled in unicode_unfold_key(). A malformed regular
expression could result in 4 bytes being written off the end of a stack
buffer of expand_case_fold_string() during the call to
onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer
overflow.
 
Upstream bug:

https://github.com/kkos/oniguruma/issues/56

Upstream patch:

https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f

Comment 1 Adam Mariš 2017-06-30 11:33:55 UTC
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1466750]
Affects: fedora-all [bug 1466752]


Created php tracking bugs for this issue:

Affects: fedora-all [bug 1466751]


Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1466749]


Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1466753]

Comment 2 Doran Moppert 2017-07-31 03:40:35 UTC
This flaw was introduced upstream in commit https://github.com/kkos/oniguruma/commit/d8366441 (2016-04-16, post v5.9.6).

Previously, the functionality of unicode_unfold_key() was provided by a simple hash table (st.c) and was not prone to such overflows.

Comment 4 Vít Ondruch 2017-09-06 13:42:33 UTC
Ruby is not vulnerable according to Ruby upstream:

~~~
> CVE-2017-9225 https://github.com/kkos/oniguruma/issues/56

not affected.

% ruby <<'END'
str = "\x3f\xff\x63\x7f\xff\xff\xff\xff\x4d\x22\x00\x00".force_encoding('UTF-32BE')
Regexp.new(str)
END
Traceback (most recent call last):
        2: from -:2:in `<main>'
        1: from -:2:in `new'
-:2:in `initialize': invalid multibyte character:
/\x3F\u{FF637FFF}\u{FFFFFF4D}\x22\x00\x00/ (RegexpError)
~~~
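The description attributes the overflow to the code point 0xFFFFFFFF reaching unicode_unfold_key(), and comment 4 shows that Ruby is not affected because its UTF-32BE handling rejects the pattern as an invalid multibyte character before the regex is compiled. The following is an added example, not oniguruma's or Ruby's code: a UTF-32BE decoder that validates every unit against the Unicode scalar range, the kind of guard that keeps such a value from ever reaching a case-folding table lookup. The sample bytes are the constructed pattern from comment 4; the function names are the example's own.

```c
/* Added example (not oniguruma's code): validate UTF-32BE code units so that
 * out-of-range values such as 0xFFFFFFFF are rejected before any
 * case-folding lookup. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UNICODE_MAX 0x10FFFFu

/* Returns 1 if cp is a Unicode scalar value (<= U+10FFFF, not a surrogate). */
static int is_valid_scalar(uint32_t cp)
{
    if (cp > UNICODE_MAX) return 0;
    if (cp >= 0xD800u && cp <= 0xDFFFu) return 0;
    return 1;
}

/* Decodes UTF-32BE input into out (capacity out_cap code points).
 * Returns the number of code points decoded, or -1 if the length is not a
 * multiple of 4, the output buffer is too small, or a unit is invalid.
 * On error, *bad_index receives the index of the offending unit. */
static long decode_utf32be(const uint8_t *in, size_t len,
                           uint32_t *out, size_t out_cap, size_t *bad_index)
{
    if (len % 4 != 0) { if (bad_index) *bad_index = len / 4; return -1; }
    size_t n = len / 4;
    if (n > out_cap) { if (bad_index) *bad_index = out_cap; return -1; }
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = ((uint32_t)in[4*i] << 24) | ((uint32_t)in[4*i+1] << 16)
                    | ((uint32_t)in[4*i+2] << 8)  |  (uint32_t)in[4*i+3];
        if (!is_valid_scalar(cp)) { if (bad_index) *bad_index = i; return -1; }
        out[i] = cp;
    }
    return (long)n;
}

/* Constructed input: the 12-byte pattern from comment 4 (three units). */
static const uint8_t SAMPLE[12] = {
    0x3f,0xff,0x63,0x7f, 0xff,0xff,0xff,0xff, 0x4d,0x22,0x00,0x00 };

/* Returns 1 if the sample is rejected at its first unit (0x3FFF637F). */
int sample_is_rejected(void)
{
    uint32_t buf[3];
    size_t bad = 0;
    long n = decode_utf32be(SAMPLE, sizeof SAMPLE, buf, 3, &bad);
    return n == -1 && bad == 0;
}

int main(void)
{
    printf("sample rejected: %s\n", sample_is_rejected() ? "yes" : "no");
    return 0;
}
```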

