Description of problem:
The current version of oniguruma in EPEL 7 is affected by multiple CVEs.
* bug 1466750 - CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229
* bug 1728967 - CVE-2019-13225
* bug 1728972 - CVE-2019-13224
* bug 1768999 - CVE-2019-16163
* bug 1770213 - CVE-2019-16161
* bug 1777538 - CVE-2019-19246
Are there any plans to address these? If backporting fixes is difficult/impossible, please consider following the EPEL incompatible upgrades policy and update the package to the latest upstream version.
This should have minimal impact. The only package I see that builds against oniguruma is jq, which will of course have to be rebuilt to link against the new soname (libonig.so.2 -> libonig.so.5).
Version-Release number of selected component (if applicable):
Selfishly I'm hoping that the best solution is to update to the latest version. In addition to Fedora, I'm a maintainer with the IUS project, and our upcoming packages (php74) will need at least oniguruma 6.8. Updating the EPEL package to at least that version would make php74 much easier. If the EPEL oniguruma package stays frozen, then I'm prepared to submit a parallel oniguruma6 package to EPEL; however, that wouldn't solve the security issues with the current package.
I am the oniguruma maintainer on the Fedora side, not on the EPEL side, so I will leave the decision to the EPEL side maintainer; however, I guess backporting fixes into 5.9.5 is rather tough work.
Thanks for the input Mamour. I'll await feedback from the EPEL maintainer. I'm assuming that's no1youknowz, the other admin for the package.
If no1youknowz agrees with the course of action but doesn't have the time to address this, I'd be happy to send a pull request and/or be added as another maintainer to tackle this myself.
Any word on this Paul?
Mamoru, since we haven't heard back from Paul in almost a month, can you add me as a co-maintainer of the package? Once that's done I'll start the discussion on epel-devel about the incompatible upgrade to gather feedback.
Just in case, Carl, is your FAS carlwgeorge?
Yes, that is correct. Sorry I didn't state that upfront for clarity.
(In reply to Carl George from comment #6)
> Yes, that is correct. Sorry I didn't state that upfront for clarity.
Now I've added you as an oniguruma admin member.
Hi, was this ever fixed?
Sorry for my delay on this. I still want to resolve this. Since this bug was opened three more CVEs have been reported for the EPEL 7 package.
* bug 1802053 - CVE-2019-19012
* bug 1802063 - CVE-2019-19203
* bug 1802072 - CVE-2019-19204
I have initiated the incompatible upgrade process by sending an email about this to epel-devel for wider discussion.
FEDORA-EPEL-2020-101619ac61 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-101619ac61
I decided to only update oniguruma to version 6.8.2 to match the version in RHEL 8. This will simplify future maintenance, as any vulnerabilities deemed severe enough by Red Hat to fix in RHEL 8 can be backported to the EPEL 7 package easily. Regarding the vulnerabilities discussed so far, here is the status:
fixed by pending oniguruma-6.8.2-1.el7 update:
fixed upstream in 6.9.3:
fixed upstream in 6.9.4:
CVE-2019-16161 (bug 1770213 comment 2)
Here is the announcement email.
FEDORA-EPEL-2020-101619ac61 has been pushed to the Fedora EPEL 7 testing repository.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-101619ac61
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2020-101619ac61 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.