Bug 1466740 - (CVE-2017-9228) CVE-2017-9228 oniguruma: Out-of-bounds heap write in bitset_set_range()
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
: Security
Depends On: 1466750 1466753 1554537 1466749 1466751 1466752
Blocks: 1466748 1491035
Reported: 2017-06-30 07:16 EDT by Adam Mariš
Modified: 2018-04-13 18:26 EDT (History)

See Also:
Fixed In Version: oniguruma 6.3.0, php 5.6.31, php 7.0.21, php 7.1.7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Adam Mariš 2017-06-30 07:16:28 EDT
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write occurs in bitset_set_range() during regular
expression compilation due to an uninitialized variable from an
incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption. 
Upstream bug:


Upstream patch:

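Added example (not Oniguruma's code and not part of this report): a constructed C sketch of the defensive pattern that closes the class of bug described above, where a character-class range endpoint that the parser never assigned is fed to a bitset range setter as an index. The setter here validates both endpoints against the set size and against an explicit "unassigned" sentinel before touching memory, and the parser-state struct is initialised to that sentinel so an incomplete state cannot carry arbitrary stack contents. All names (bitset_set_range_checked, range_state, RANGE_UNSET) and the 256-bit set size are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example: a 256-bit set, the shape a regex compiler uses for a
 * single-byte character class. Not Oniguruma's BITSET type. */
#define BITSET_BITS    256
#define BITS_PER_WORD  32
#define BITSET_WORDS   (BITSET_BITS / BITS_PER_WORD)
typedef uint32_t bitset_t[BITSET_WORDS];

/* Sentinel meaning "this endpoint was never assigned by the parser". */
#define RANGE_UNSET  (-1)

/* Hardened range setter: rejects sentinel or out-of-range endpoints instead
 * of indexing the array with them. Returns 0 on success, -1 on rejection. */
int bitset_set_range_checked(bitset_t bs, int from, int to)
{
    if (from == RANGE_UNSET || to == RANGE_UNSET)   return -1;
    if (from < 0 || to >= BITSET_BITS || from > to)  return -1;
    for (int c = from; c <= to; c++)
        bs[c / BITS_PER_WORD] |= (1u << (c % BITS_PER_WORD));
    return 0;
}

/* Membership test; out-of-range codes are simply "not in the set". */
int bitset_at(const bitset_t bs, int c)
{
    if (c < 0 || c >= BITSET_BITS) return 0;
    return (int)((bs[c / BITS_PER_WORD] >> (c % BITS_PER_WORD)) & 1u);
}

/* Number of codes present in the set. */
int bitset_count(const bitset_t bs)
{
    int n = 0;
    for (int c = 0; c < BITSET_BITS; c++) n += bitset_at(bs, c);
    return n;
}

/* Hypothetical parser state for one range inside a character class. Both
 * endpoints start as the sentinel, so a state-transition mistake that skips
 * an assignment yields a rejected range rather than an uninitialised index. */
struct range_state { int from; int to; };

void range_state_init(struct range_state *st)
{
    st->from = RANGE_UNSET;
    st->to   = RANGE_UNSET;
}

/* Applies the range only if both endpoints were assigned and are in bounds. */
int range_state_apply(const struct range_state *st, bitset_t bs)
{
    return bitset_set_range_checked(bs, st->from, st->to);
}

/* Demo: a complete range 'a'-'z' is applied; a half-built range is rejected
 * and leaves the set untouched. Returns the final member count (26). */
int demo(void)
{
    bitset_t bs;
    memset(bs, 0, sizeof bs);
    struct range_state st;
    range_state_init(&st);

    st.from = 'a';
    st.to   = 'z';
    if (range_state_apply(&st, bs) != 0) return -1;

    range_state_init(&st);
    st.from = '0';                 /* 'to' never assigned */
    if (range_state_apply(&st, bs) == 0) return -2;

    return bitset_count(bs);
}
```

The point of the sentinel is that the check is on the data, not on the parser's control flow: however the state machine reaches the setter, an endpoint that was never written cannot become an array index.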
Comment 1 Adam Mariš 2017-06-30 07:34:23 EDT
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1466750]
Affects: fedora-all [bug 1466752]

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1466751]

Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1466749]

Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1466753]
Comment 2 Doran Moppert 2017-07-31 00:26:35 EDT
Note also the second upstream patch:

Comment 3 Doran Moppert 2017-07-31 02:10:07 EDT
The attack demonstrated here gives very limited control - it looks like in the best case, up to 8 bits in a range determined by uninitialised (stack) data can be set to 1.
Comment 4 Vít Ondruch 2017-09-06 09:45:57 EDT
Ruby is not vulnerable according to upstream:

> CVE-2017-9228 https://github.com/kkos/oniguruma/issues/60

not affected.

% ruby <<'END'
str = [ 0xc7, 0xd6, 0xfe, 0xea, 0xe0, 0xe2, 0x00 ].pack('c*')
pattern = "\x5b\x5c\x48\x2d\xb0\x30\x8d\x30\x2a\x5b\x5d\x20\x20\x5d" +
          "\xf9\x54\x00\x7f\x5c\x63\xef\xef\xef\xef\x52\xf7\xf7\x52" +
re = Regexp.new(pattern.force_encoding('GB18030'), Regexp::IGNORECASE)
re.match str.force_encoding('GB18030')
Traceback (most recent call last):
        2: from -:5:in `<main>'
        1: from -:5:in `new'
-:5:in `initialize': too short control escape: /[\H-\x{B0308D30}*[]
Comment 5 Mamoru TASAKA 2017-09-15 03:13:19 EDT
(In reply to Doran Moppert from comment #2)
> Note also the second upstream patch:
> https://github.com/kkos/oniguruma/commit/
> ddbf55698b5f7ffdfa737b0b8e0079af1fdd7cb1

On Fedora, I submitted oniguruma-6.1.3-3.fc25 .
oniguruma on F-26 and above already contains this fix.
(F-24 is EOL)
