Bug 1777660 - oniguruma: update to latest version to address CVEs
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: oniguruma
Version: epel7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Carl George 🤠
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-11-28 02:16 UTC by Carl George
Modified: 2020-06-18 00:33 UTC (History)

Fixed In Version: oniguruma-6.8.2-1.el7
Last Closed: 2020-06-18 00:33:38 UTC
Type: Bug



Description Carl George 2019-11-28 02:16:29 UTC
Description of problem:
The current version of oniguruma in EPEL 7 is affected by multiple CVEs.

* bug 1466750 - CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229
* bug 1728967 - CVE-2019-13225
* bug 1728972 - CVE-2019-13224
* bug 1768999 - CVE-2019-16163
* bug 1770213 - CVE-2019-16161
* bug 1777538 - CVE-2019-19246

Are there any plans to address these?  If backporting fixes is difficult/impossible, please consider following the EPEL incompatible upgrades policy and update the package to the latest upstream version.

https://fedoraproject.org/wiki/EPEL_incompatible_upgrades_policy

This should have minimal impact.  The only package I see that builds against oniguruma is jq, which will of course have to be rebuilt to link against the new soname (libonig.so.2 -> libonig.so.5).


Version-Release number of selected component (if applicable):
oniguruma-5.9.5-3.el7


Additional info:
Selfishly I'm hoping that the best solution is to update to the latest version.  In addition to Fedora I'm a maintainer with the IUS project, and for our upcoming packages (php74) will need at least oniguruma 6.8.  Updating the EPEL package to at least that version would make php74 much easier.  If the EPEL oniguruma package stays frozen, then I'm prepared to submit a parallel oniguruma6 package to EPEL, however that wouldn't solve the security issues with the current package.
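
A check for the soname change mentioned in the description (libonig.so.2 -> libonig.so.5), as an added example that is not part of the original report: it reads `readelf -d` output and reports whether a binary still needs the old library and so has to be rebuilt. The function names and the sample `readelf` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a binary by the libonig soname it is linked against.
# The two sonames are the ones named in the report.
OLD_SONAME="libonig.so.2"
NEW_SONAME="libonig.so.5"

# Read `readelf -d` output on stdin, print one DT_NEEDED library name per line.
needed_sonames() {
    sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# Read `readelf -d` output on stdin and print one of:
#   rebuild  - still needs the old soname
#   ok       - needs the new soname
#   unlinked - no libonig dependency (or no dynamic section at all)
onig_link_status() {
    needed=$(needed_sonames)
    if printf '%s\n' "$needed" | grep -qxF "$OLD_SONAME"; then
        echo rebuild
    elif printf '%s\n' "$needed" | grep -qxF "$NEW_SONAME"; then
        echo ok
    else
        echo unlinked
    fi
}

# Constructed sample: dynamic-section lines of a jq built against oniguruma 5.9.5.
sample_old_jq() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libjq.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libonig.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
}

# Constructed sample: the same binary after a rebuild against the new library.
sample_new_jq() {
    sample_old_jq | sed "s/$OLD_SONAME/$NEW_SONAME/"
}

# With file arguments, report each one; with none, only the functions are defined.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(readelf -d "$f" 2>/dev/null | onig_link_status)"
done
```

Run it with the paths of locally built or third-party binaries as arguments; anything reported as `rebuild` will fail to load once only libonig.so.5 is installed.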

Comment 1 Mamoru TASAKA 2019-11-28 04:08:28 UTC
I am the oniguruma maintainer on the Fedora side, not on the EPEL side, so I will leave the decision to the EPEL side maintainer; however, I guess backporting fixes into 5.9.5 is rather tough work.

Comment 2 Carl George 2019-11-28 04:18:49 UTC
Thanks for the input, Mamoru.  I'll await feedback from the EPEL maintainer.  I'm assuming that's no1youknowz, the other admin for the package.

If no1youknowz agrees with the course of action but doesn't have the time to address this, I'd be happy to send a pull request and/or be added as another maintainer to tackle this myself.

Comment 3 Carl George 2019-12-05 17:36:44 UTC
Any word on this Paul?

Comment 4 Carl George 🤠 2019-12-23 18:23:08 UTC
Mamoru, since we haven't heard back from Paul in almost a month, can you add me as a co-maintainer of the package?  Once that's done I'll start the discussion on epel-devel about the incompatible upgrade to gather feedback.

Comment 5 Mamoru TASAKA 2019-12-24 00:40:29 UTC
Just in case, Carl, is your FAS carlwgeorge ?

Comment 6 Carl George 🤠 2019-12-24 00:55:06 UTC
Yes, that is correct.  Sorry I didn't state that upfront for clarity.

Comment 7 Mamoru TASAKA 2019-12-24 05:28:07 UTC
(In reply to Carl George from comment #6)
> Yes, that is correct.  Sorry I didn't state that upfront for clarity.

Now I've added you as an oniguruma admin member.

Comment 8 Robbie Harwood 2020-01-24 20:39:38 UTC
Hi, was this ever fixed?

Comment 9 Carl George 🤠 2020-05-15 21:29:19 UTC
Sorry for my delay on this.  I still want to resolve this.  Since this bug was opened three more CVEs have been reported for the EPEL 7 package.

* bug 1802053 - CVE-2019-19012
* bug 1802063 - CVE-2019-19203
* bug 1802072 - CVE-2019-19204

I have initiated the incompatible upgrade process by sending an email about this to epel-devel for wider discussion.

Comment 10 Fedora Update System 2020-05-28 16:51:09 UTC
FEDORA-EPEL-2020-101619ac61 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-101619ac61

Comment 11 Carl George 🤠 2020-05-28 19:18:53 UTC
I decided to only update oniguruma to version 6.8.2 to match the version in RHEL 8.  This will simplify future maintenance, as any vulnerabilities deemed severe enough by Red Hat to fix in RHEL 8 can be backported to the EPEL 7 package easily.  Regarding the vulnerabilities discussed so far, here is the status:

fixed by pending oniguruma-6.8.2-1.el7 update:
CVE-2017-9224
CVE-2017-9225
CVE-2017-9226
CVE-2017-9227
CVE-2017-9228
CVE-2017-9229

fixed upstream in 6.9.3:
CVE-2019-13224
CVE-2019-13225
CVE-2019-16163

fixed upstream in 6.9.4:
CVE-2019-19012
CVE-2019-19203
CVE-2019-19204
CVE-2019-19246

not applicable:
CVE-2019-16161 (bug 1770213 comment 2)


Here is the announcement email.

https://lists.fedoraproject.org/archives/list/epel-announce@lists.fedoraproject.org/thread/3OAUZWGQ337V33FKLJA7PAEO7N7ODUU3/

Comment 12 Fedora Update System 2020-05-29 01:10:50 UTC
FEDORA-EPEL-2020-101619ac61 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-101619ac61

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2020-06-18 00:33:38 UTC
FEDORA-EPEL-2020-101619ac61 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.

