Onigmo through 6.2.0 has a NULL pointer dereference in onig_error_code_to_str because of fetch_token in regparse.c. Reference: https://github.com/k-takata/Onigmo/issues/132 Upstream commit: https://github.com/k-takata/Onigmo/commit/9827d5a0298ee766f6041db9c0080166ff6cdce8
Created oniguruma tracking bugs for this issue: Affects: epel-7 [bug 1770213] Affects: fedora-all [bug 1770212] Affects: openstack-rdo [bug 1770214]
This is a CVE for Onigmo, while the one we've packaged on Fedora is oniguruma. And at least with oniguruma 6.9.3 and 6.9.4-rc1, the PoC code referenced in the above URL does not cause any segfault.
Also, I checked the code of regparse.c in oniguruma; however, regparse.c has had a lot of refactoring etc., so the code is largely different from Onigmo.
For now, I doubt this issue affects oniguruma in Fedora.
Mamoru, Thank you for your analysis and letting us know this.
OpenShift doesn't package onigmo. The PoC referred to in the above URL also does not cause a segfault with version 5.9.2 of oniguruma which is included in the following containers:
- openshift4/ose-metering-hadoop
- openshift4/ose-metering-hive
- openshift4/ose-metering-presto
As Mamoru has stated, this is a result of the code base differing within regparse.c.
Upstream fix: https://github.com/k-takata/Onigmo/commit/00cc7e28a3ed54b3b512ef3b58ea737a57acf1f9
Onigmo is a regular expressions library forked from Oniguruma focusing on new expressions supported in Perl 5.10+ (e.g., "\K", "\R"). This flaw only affects Onigmo, as the vulnerable code is conditionally compiled (#ifdef) based on USE_PERL_SUBEXP_CALL, and this macro does not exist in the Oniguruma codebase. However, it is worth noting that Oniguruma was affected by a very similar issue: https://github.com/kkos/oniguruma/issues/87. This issue was fixed upstream in version v6.8.2 with the following commits: https://github.com/kkos/oniguruma/commit/410f5916429e7d2920e1d4867388514f605413b8 https://github.com/kkos/oniguruma/commit/850bd9b0d8186eb1637722b46b12656814ab4ad2
The flaw is triggered when handling Perl "subexp" regular expressions such as "(?R)" or "(?0)" in the fetch_token() function in regparse.c. Specifically, in the case of a malformed subexp such as "(?0d", the code returns an "invalid group name" error and calls onig_error_code_to_str(). This function accesses the error code string (einfo->enc), which was never initialized, thus causing a NULL pointer dereference. Oniguruma's commits mentioned in Comment 8 fixed this issue by properly initializing the struct (einfo->enc) in the onig_compile() function in regcomp.c. This fix would have avoided the flaw in Onigmo, but for some reason it was not included in the Onigmo codebase.
Also note that Oniguruma versions before v6.7.0 were not affected by the issue mentioned in Comment 8 as they did not include support for the Perl subexp "(?R)", which was introduced with commit https://github.com/kkos/oniguruma/commit/474e5dd6a245faf5f75922bc83f077e55881fa5b.
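The bug class described in the analysis above (an error-info record whose encoding pointer is only filled on the success path, so an early "invalid group name" return hands the error formatter a NULL pointer) is easier to reason about with a small model. The following C program is an added illustration, not code from Onigmo, Oniguruma or this bug report: the types `demo_encoding`, `demo_error_info` and the functions `demo_compile`, `demo_error_to_str` and `demo_check` are hypothetical stand-ins, and the parsing of "(?0" / "(?R" is reduced to a single closing-paren check. It runs the malformed pattern "(?0d" from the report through a buggy variant (encoding set only on success) and a fixed variant (record initialized before any error path, as the Oniguruma fix did in onig_compile()), with a NULL guard in the formatter that turns the crash into a reportable error.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins (not Onigmo's or Oniguruma's real types): an encoding
 * descriptor and the error-info record that compile fills in on failure. */
typedef struct {
    const char *name;
} demo_encoding;

typedef struct {
    const demo_encoding *enc;   /* the field left uninitialized in the flaw */
    const char *par;            /* start of the offending parameter text */
    const char *par_end;        /* end of the offending parameter text */
} demo_error_info;

static const demo_encoding DEMO_ASCII = { "US-ASCII" };

enum { DEMO_OK = 0, DEMO_ERR_INVALID_GROUP_NAME = -1, DEMO_ERR_NO_ENCODING = -2 };

/* Models the compile entry point. With fix_applied == 0 it behaves like the
 * buggy variant: einfo->enc is only set on success, so an early error leaves it
 * as whatever the caller put there. With fix_applied != 0 it initializes the
 * whole error record first, as the upstream Oniguruma fix did. */
static int demo_compile(const char *pattern, const demo_encoding *enc,
                        demo_error_info *einfo, int fix_applied)
{
    if (fix_applied) {
        einfo->enc = enc;
        einfo->par = einfo->par_end = NULL;
    }
    /* Minimal stand-in for the "(?0" / "(?R" subexp-call token fetch:
     * the call must be closed by ')' or the group name is invalid. */
    const char *p = strstr(pattern, "(?0");
    if (p == NULL) p = strstr(pattern, "(?R");
    if (p != NULL && p[3] != ')') {
        einfo->par = p + 3;
        einfo->par_end = p + strlen(p);
        return DEMO_ERR_INVALID_GROUP_NAME;   /* early return: enc untouched in buggy variant */
    }
    einfo->enc = enc;
    return DEMO_OK;
}

/* Error formatter that needs the encoding to render the parameter. The NULL
 * guard is the defensive check; it reports a bad record instead of crashing. */
static int demo_error_to_str(char *buf, size_t buflen, int code,
                             const demo_error_info *einfo)
{
    if (code == DEMO_OK) {
        snprintf(buf, buflen, "no error");
        return 0;
    }
    if (einfo->enc == NULL)
        return DEMO_ERR_NO_ENCODING;
    int n = (int)(einfo->par_end - einfo->par);
    snprintf(buf, buflen, "invalid group name <%.*s> (encoding %s)",
             n, einfo->par, einfo->enc->name);
    return 0;
}

/* Runs the malformed pattern from the report through both variants and
 * returns 1 when the buggy path is caught and the fixed path formats cleanly. */
static int demo_check(void)
{
    char buf[128];
    demo_error_info einfo;

    memset(&einfo, 0, sizeof einfo);   /* caller-side zeroing: enc == NULL */
    int code = demo_compile("(?0d", &DEMO_ASCII, &einfo, 0);
    int buggy = demo_error_to_str(buf, sizeof buf, code, &einfo);

    memset(&einfo, 0, sizeof einfo);
    code = demo_compile("(?0d", &DEMO_ASCII, &einfo, 1);
    int fixed = demo_error_to_str(buf, sizeof buf, code, &einfo);

    return code == DEMO_ERR_INVALID_GROUP_NAME
        && buggy == DEMO_ERR_NO_ENCODING && fixed == 0
        && strcmp(buf, "invalid group name <d> (encoding US-ASCII)") == 0;
}

int main(void)
{
    int ok = demo_check();
    printf("%s\n", ok ? "ok" : "FAIL");
    return ok ? 0 : 1;
}
```

The point the model makes is that the real defect sits at the boundary between two functions: the compile path owns the error record, but the formatter is the one that dereferences it, so any early return in the parser that skips initialization becomes a crash in a function that looks correct on its own. Initializing the record at the top of the compile entry point (the upstream fix) removes the ordering dependency; the NULL check in the formatter is a second, independent layer so that a future early return cannot reintroduce the crash.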
Statement: This flaw does not affect the versions of oniguruma (embedded in php:7.2/php) as shipped with Red Hat Enterprise Linux 8 as they do not include the vulnerable code, which was introduced in a newer version of the package. The same is true for the versions of oniguruma as shipped with Red Hat Enterprise Linux 6, the versions of oniguruma (embedded in php and php53) as shipped with Red Hat Enterprise Linux 5, 6, and 7, and the versions of oniguruma (embedded in rh-php72-php) as shipped with Red Hat Software Collections 3. This flaw does not affect the versions of oniguruma as shipped with Red Hat Enterprise Linux 8 as they already include the patch. The same is true for the versions of oniguruma (embedded in php:7.3/php) as shipped with Red Hat Enterprise Linux 8 and the versions of oniguruma (embedded in rh-php73-php) as shipped with Red Hat Software Collections 3.