Bug 1466740 - (CVE-2017-9228) CVE-2017-9228 oniguruma: Out-of-bounds heap write in bitset_set_range()
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170523,repor...
Keywords: Security
Depends On: 1466750 1466753 1466749 1466751 1466752
Blocks: 1466748 1491035
Reported: 2017-06-30 07:16 EDT by Adam Mariš
Modified: 2017-09-25 11:12 EDT
CC List: 40 users
Fixed In Version: oniguruma 6.3.0
Description Adam Mariš 2017-06-30 07:16:28 EDT
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write occurs in bitset_set_range() during regular
expression compilation due to an uninitialized variable from an
incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption.

Upstream bug:

https://github.com/kkos/oniguruma/issues/60

Upstream patch:

https://github.com/kkos/oniguruma/commit/3b63d12038c8d8fc278e81c942fa9bec7c704c8b
Comment 1 Adam Mariš 2017-06-30 07:34:23 EDT
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1466750]
Affects: fedora-all [bug 1466752]


Created php tracking bugs for this issue:

Affects: fedora-all [bug 1466751]


Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1466749]


Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1466753]
Comment 2 Doran Moppert 2017-07-31 00:26:35 EDT
Note also the second upstream patch:

https://github.com/kkos/oniguruma/commit/ddbf55698b5f7ffdfa737b0b8e0079af1fdd7cb1
Comment 3 Doran Moppert 2017-07-31 02:10:07 EDT
The attack demonstrated here gives very limited control - it looks like in the best case, up to 8 bits in a range determined by uninitialised (stack) data can be set to 1.
Comment 4 Vít Ondruch 2017-09-06 09:45:57 EDT
Ruby is not vulnerable according to upstream:

~~~
> CVE-2017-9228 https://github.com/kkos/oniguruma/issues/60

not affected.

% ruby <<'END'
str = [ 0xc7, 0xd6, 0xfe, 0xea, 0xe0, 0xe2, 0x00 ].pack('c*')
pattern = "\x5b\x5c\x48\x2d\xb0\x30\x8d\x30\x2a\x5b\x5d\x20\x20\x5d" +
          "\xf9\x54\x00\x7f\x5c\x63\xef\xef\xef\xef\x52\xf7\xf7\x52" +
          "\xf7\xeb\xeb\x70\x2b\xf7\x7b\x30\x2c\x32\x7d"
re = Regexp.new(pattern.force_encoding('GB18030'), Regexp::IGNORECASE)
re.match str.force_encoding('GB18030')
END
Traceback (most recent call last):
        2: from -:5:in `<main>'
        1: from -:5:in `new'
-:5:in `initialize': too short control escape: /[\H-\x{B0308D30}*[]
]\x{F954}\x00\x7F\c\x{EFEF}\x{EFEF}R\x{F7F7}R\x{F7EB}\x{EB70}+\x{F77B}0,2}/i
(RegexpError)
~~~
Comment 5 Mamoru TASAKA 2017-09-15 03:13:19 EDT
(In reply to Doran Moppert from comment #2)
> Note also the second upstream patch:
> 
> https://github.com/kkos/oniguruma/commit/ddbf55698b5f7ffdfa737b0b8e0079af1fdd7cb1

On Fedora, I submitted oniguruma-6.1.3-3.fc25.
oniguruma on F-26 and above already contains this fix.
(F-24 is EOL)
