A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
Created oniguruma tracking bugs for this issue:
Affects: epel-7 [bug 1728967]
Affects: fedora-all [bug 1728966]
(In reply to Dhananjay Arunesh from comment #0)
> A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2
> allows attackers to potentially cause denial of service by providing a
> crafted regular expression. Oniguruma issues often affect Ruby, as well as
> common optional libraries for PHP and Rust.
> Upstream commit:
For 6.9.2 (Fedora 31 and 30), this patch can be applied cleanly.
For 6.9.1 (Fedora 29) this patch cannot be applied cleanly. (Note that the fact that this patch cannot be applied already indicates that there are some large changes between 6.9.1 and 6.9.2, at least on the code level, which is the reason I did not upgrade oniguruma to 6.9.1 on Fedora 29.)
At a quick glance, oniguruma 6.9.2 appears to be affected by this; however, I think it needs some longer investigation how to apply the fix to oniguruma 6.9.2.
RHEL8 seems to be using 6.8.2 and EPEL7 seems to be using 5.9.5, which need much longer investigation, I think.
> however I think it needs some longer investigation how to apply the fix to oniguruma 6.9.2.
The version of the Oniguruma package as shipped with Red Hat Enterprise Linux 6 is not affected by this issue. The issue resides in the way 'If/Else' statements are handled by Oniguruma, which is not supported by Red Hat Enterprise Linux 6.
OpenShift is not affected as it only includes version 5.x of oniguruma in the following containers:
Version 5.x does not contain the affected If/Else code.
Ruby uses libonigmo instead of oniguruma, which is not affected by this flaw.
Oniguruma is a library designed to handle regular expressions. When processing a regular expression, Oniguruma compiles it into byte code that is then used when matching the required pattern against a text. There is a bug in the compilation stage for a regular expression's if/else statements which causes incorrect byte code to be generated. The wrong byte code further leads to a Segmentation Fault in the match_at() function, as it handles regular characters as memory addresses instead. An attacker can leverage this by producing a regular expression crafted to trigger the bug, leading to DoS.
The attack complexity may be considered High, as the target software may need to accept and compile untrusted regular expressions, and the attacker may need to check which oniguruma version is being used on the victim side, as only Oniguruma v6.5.0 and above implements the if/else pattern.
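The if/else construct discussed in the thread is the conditional group `(?(cond)then|else)`, accepted by Oniguruma 6.5.0 and later; an application that compiles untrusted patterns on a not-yet-patched build can refuse that construct at its own boundary before the pattern reaches the library. The scanner below is an added example, not code from the bug report or from Oniguruma, and the function names `find_conditional` and `check_untrusted_pattern` are my own:

```python
"""Pre-filter for untrusted Oniguruma patterns (constructed example).

Oniguruma 6.5.0 and later accept the conditional construct
(?(cond)then|else). An application that hands user-supplied patterns to
an unpatched build can refuse that construct before it is ever compiled.
The scanner skips escaped text and character classes so that a literal
"(?(" is not mistaken for the construct.
"""


def find_conditional(pattern: str) -> int:
    """Return the index of the first conditional opener "(?(" that sits
    outside a character class, or -1 if the pattern has none.

    The scan is conservative: anything it cannot prove harmless (for
    example "(?(" inside a \\Q...\\E quoted run) is still reported.
    """
    depth = 0            # character-class nesting depth ([...] may nest)
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":
            i += 2       # skip the escaped character (or trailing backslash)
            continue
        if depth:
            if c == "[":
                depth += 1
            elif c == "]":
                depth -= 1
        elif c == "[":
            depth += 1
        elif pattern.startswith("(?(", i):
            return i
        i += 1
    return -1


def check_untrusted_pattern(pattern: str) -> str:
    """Return the pattern unchanged if it may be handed to the regex
    engine; otherwise raise ValueError naming the offending offset."""
    pos = find_conditional(pattern)
    if pos >= 0:
        raise ValueError(f"conditional group at offset {pos} is not allowed")
    return pattern


if __name__ == "__main__":
    # Constructed sample patterns: the first three pass, the last is refused.
    for pat in [r"(a)\1", r"\(?(1)a|b)", r"[(?(]+", r"(a)(?(1)b|c)"]:
        try:
            print(f"{check_untrusted_pattern(pat)!r}: allowed")
        except ValueError as err:
            print(f"{pat!r}: refused ({err})")
```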