Bug 1466740 (CVE-2017-9228) - oniguruma: Out-of-bounds heap write in bitset_set_range()
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 1466749 1466750 1466753 1466751 1466752
Blocks: 1466748
Reported: 2017-06-30 07:16 EDT by Adam Mariš
Modified: 2017-07-31 18:32 EDT
CC List: 40 users

Fixed In Version: oniguruma 6.3.0

Attachments: None
Description Adam Mariš 2017-06-30 07:16:28 EDT
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write occurs in bitset_set_range() during regular
expression compilation due to an uninitialized variable from an
incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption.
Upstream bug:


Upstream patch:

Comment 1 Adam Mariš 2017-06-30 07:34:23 EDT
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1466750]
Affects: fedora-all [bug 1466752]

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1466751]

Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1466749]

Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1466753]
Comment 2 Doran Moppert 2017-07-31 00:26:35 EDT
Note also the second upstream patch:

Comment 3 Doran Moppert 2017-07-31 02:10:07 EDT
The attack demonstrated here gives very limited control - it looks like in the best case, up to 8 bits in a range determined by uninitialised (stack) data can be set to 1.
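The failure mode described in the report above (a range setter fed an uninitialised lower bound from parse_char_class()) and the limited effect noted in Comment 3 (a handful of bits forced to 1 at an attacker-uncontrolled offset) can be made concrete with a small model. The following is an added example written for this page; it is not oniguruma's source, not the upstream patch, and not Red Hat's code. It models a 256-bit single-byte character-class bitset with a guard region on each side, a weak range setter that clamps only the upper end (assumed shape, for illustration), and a hardened setter that validates both ends and reports failure. All names (guarded_bitset, bitset_set_range_unchecked, bitset_set_range_checked, the demo wrappers) are this example's own. Index arithmetic uses floor division so that a negative 'from' lands at a deterministic, observable place in the guard region rather than invoking undefined behaviour; the real engine gives no such guarantee.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model of a 256-bit character-class bitset and its range
 * setter, written for this page.  NOT oniguruma's code; names and guard
 * layout are this example's own.
 */
#define SINGLE_BYTE_SIZE 256
#define BITS_IN_WORD     32
#define BITSET_WORDS     (SINGLE_BYTE_SIZE / BITS_IN_WORD)   /* 8 words */
#define GUARD_WORDS      8                                   /* 256 bits each side */

/* One flat array: [guard_lo][bitset][guard_hi].  Keeping everything in one
 * array means bs[-1] is still inside the object and well-defined to touch. */
typedef struct {
    uint32_t words[GUARD_WORDS + BITSET_WORDS + GUARD_WORDS];
} guarded_bitset;

#define BS(g) ((g)->words + GUARD_WORDS)   /* pointer to the bitset proper */

/* Floor division/modulo so negative indices map to the preceding guard words. */
static int floor_div(int a, int b) { return a >= 0 ? a / b : -((-a + b - 1) / b); }
static int floor_mod(int a, int b) { return a - floor_div(a, b) * b; }

/* Weak form: only the upper end of the range is clamped.  A caller that
 * passes an uninitialised or otherwise negative 'from' drives the first
 * iterations below the bitset and sets bits in whatever precedes it. */
static void bitset_set_range_unchecked(uint32_t *bs, int from, int to)
{
    for (int i = from; i <= to && i < SINGLE_BYTE_SIZE; i++)
        bs[floor_div(i, BITS_IN_WORD)] |= 1u << floor_mod(i, BITS_IN_WORD);
}

/* Hardened form: validate both ends against the bitset size before any
 * write and report failure instead of trusting the caller's indices.
 * An empty range (from > to) is allowed and sets nothing. */
static int bitset_set_range_checked(uint32_t *bs, int from, int to)
{
    if (from < 0 || to >= SINGLE_BYTE_SIZE)
        return -1;                            /* caller must propagate the error */
    for (int i = from; i <= to; i++)
        bs[i / BITS_IN_WORD] |= 1u << (i % BITS_IN_WORD);
    return 0;
}

static int bitset_at(const uint32_t *bs, int pos)
{
    return (bs[pos / BITS_IN_WORD] >> (pos % BITS_IN_WORD)) & 1u;
}

/* Count guard words that are no longer zero, i.e. writes that escaped the bitset. */
static int guard_words_written(const guarded_bitset *g)
{
    int n = 0;
    for (int i = 0; i < GUARD_WORDS; i++) {
        n += g->words[i] != 0;
        n += g->words[GUARD_WORDS + BITSET_WORDS + i] != 0;
    }
    return n;
}

/* Demo wrappers: apply a range to a zeroed bitset and report what happened.
 * 'from' is kept within the lower guard so the demo itself stays in bounds. */
int unchecked_guard_hits(int from, int to)
{
    guarded_bitset g;
    if (from < -GUARD_WORDS * BITS_IN_WORD)
        return -1;
    memset(&g, 0, sizeof g);
    bitset_set_range_unchecked(BS(&g), from, to);
    return guard_words_written(&g);
}

uint32_t unchecked_word(int from, int to, int word)   /* 'word' is relative to bitset start */
{
    guarded_bitset g;
    if (from < -GUARD_WORDS * BITS_IN_WORD)
        return 0;
    memset(&g, 0, sizeof g);
    bitset_set_range_unchecked(BS(&g), from, to);
    return BS(&g)[word];
}

int checked_rc(int from, int to)
{
    guarded_bitset g;
    memset(&g, 0, sizeof g);
    return bitset_set_range_checked(BS(&g), from, to);
}

int checked_bit_after(int from, int to, int probe)
{
    guarded_bitset g;
    memset(&g, 0, sizeof g);
    if (bitset_set_range_checked(BS(&g), from, to) != 0) return -1;
    return bitset_at(BS(&g), probe);
}

int main(void)
{
    /* Constructed input: 'from' = -5 stands in for a garbage local; 'to' = 2. */
    printf("unchecked: guard words clobbered = %d, word[-1] = 0x%08x\n",
           unchecked_guard_hits(-5, 2), unchecked_word(-5, 2, -1));
    printf("checked:   rc = %d (range rejected before any write)\n", checked_rc(-5, 2));
    return 0;
}
```

With the constructed from = -5, the weak setter sets five bits in the word just below the bitset and three bits inside it, which is the "a few bits forced to 1 at an offset chosen by stack garbage" shape Comment 3 describes; the hardened setter refuses the same range before touching memory, and callers have to check its return value rather than assume success.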
