1777660 – oniguruma: update to latest version to address CVEs

Bug 1777660 - oniguruma: update to latest version to address CVEs

Summary: oniguruma: update to latest version to address CVEs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	oniguruma
Sub Component:
Version:	epel7
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Carl George 🤠
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-11-28 02:16 UTC by Carl George
Modified:	2020-06-18 00:33 UTC (History)
CC List:	7 users (show)
Fixed In Version:	oniguruma-6.8.2-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-06-18 00:33:38 UTC
Type:	Bug

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Carl George 2019-11-28 02:16:29 UTC

Description of problem:
The current version of oniguruma in EPEL 7 is affected by multiple CVEs.

* bug 1466750 - CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229
* bug 1728967 - CVE-2019-13225
* bug 1728972 - CVE-2019-13224
* bug 1768999 - CVE-2019-16163
* bug 1770213 - CVE-2019-16161
* bug 1777538 - CVE-2019-19246

Are there any plans to address these?  If backporting fixes is difficult/impossible, please consider following the EPEL incompatible upgrades policy and update the package to the latest upstream version.

https://fedoraproject.org/wiki/EPEL_incompatible_upgrades_policy

This should have minimal impact.  The only package I see that builds against oniguruma is jq, which will of course have to be rebuilt to link against the new soname (libonig.so.2 -> libonig.so.5).


Version-Release number of selected component (if applicable):
oniguruma-5.9.5-3.el7


Additional info:
Selfishly I'm hoping that the best solution is to update to the latest version.  In addition to Fedora I'm a maintainer with the IUS project, and for our upcoming packages (php74) will need at least oniguruma 6.8.  Updating the EPEL package to at least that version would make php74 much easier.  If the EPEL oniguruma package stays frozen, then I'm prepared to submit a parallel oniguruma6 package to EPEL, however that wouldn't solve the security issues with the current package.

Comment 1 Mamoru TASAKA 2019-11-28 04:08:28 UTC

I am oniguruma maintainer on Fedora side, not on EPEL side, so I will leave dicision to EPEL side maintainer, however I guess backporting fixes into 5.9.5 is rather tough work.

Comment 2 Carl George 2019-11-28 04:18:49 UTC

Thanks for the input Mamour.  I'll await feedback from the EPEL maintainer.  I'm assuming that's no1youknowz, the other admin for the package.

If no1youknowz agrees with the course of action but doesn't have the time to address this, I'd be happy to send a pull request and/or be added as another maintainer to tackle this myself.

Comment 3 Carl George 2019-12-05 17:36:44 UTC

Any word on this Paul?

Comment 4 Carl George 🤠 2019-12-23 18:23:08 UTC

Mamoru, since we haven't heard back from Paul in almost a month, can you add me as a co-maintainer of the package?  Once that's done I'll start the discussion on epel-devel about the incompatible upgrade to gather feedback.

Comment 5 Mamoru TASAKA 2019-12-24 00:40:29 UTC

Just in case, Carl, is your FAS carlwgeorge ?

Comment 6 Carl George 🤠 2019-12-24 00:55:06 UTC

Yes, that is correct.  Sorry I didn't state that upfront for clarity.

Comment 7 Mamoru TASAKA 2019-12-24 05:28:07 UTC

(In reply to Carl George from comment #6)
> Yes, that is correct.  Sorry I didn't state that upfront for clarity.

Now I've added you to oniguruma admin member.

Comment 8 Robbie Harwood 2020-01-24 20:39:38 UTC

Hi, was this ever fixed?

Comment 9 Carl George 🤠 2020-05-15 21:29:19 UTC

Sorry for my delay on this.  I still want to resolve this.  Since this bug was opened three more CVEs have been reported for the EPEL 7 package.

* bug 1802053 - CVE-2019-19012
* bug 1802063 - CVE-2019-19203
* bug 1802072 - CVE-2019-19204

I have initiated the incompatible upgrade process by sending an email about this to epel-devel for wider discussion.

Comment 10 Fedora Update System 2020-05-28 16:51:09 UTC

FEDORA-EPEL-2020-101619ac61 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-101619ac61

Comment 11 Carl George 🤠 2020-05-28 19:18:53 UTC

I decided to only update oniguruma to version 6.8.2 to match the version in RHEL 8.  This will simplify future maintenance, as any vulnerabilities deems severe enough by Red Hat to fix in RHEL 8 can be backported to the EPEL 7 package easily.  Regarding the vulnerabilities discussed so far, here is the status:

fixed by pending oniguruma-6.8.2-1.el7 update:
CVE-2017-9224
CVE-2017-9225
CVE-2017-9226
CVE-2017-9227
CVE-2017-9228
CVE-2017-9229

fixed upstream in 6.9.3:
CVE-2019-13224
CVE-2019-13225
CVE-2019-16163

fixed upstream in 6.9.4:
CVE-2019-19012
CVE-2019-19203
CVE-2019-19204
CVE-2019-19246

not applicable:
CVE-2019-16161 (bug 1770213 comment 2)


Here is the announcement email.

https://lists.fedoraproject.org/archives/list/epel-announce@lists.fedoraproject.org/thread/3OAUZWGQ337V33FKLJA7PAEO7N7ODUU3/

Comment 12 Fedora Update System 2020-05-29 01:10:50 UTC

FEDORA-EPEL-2020-101619ac61 has been pushed to the Fedora EPEL 7 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-101619ac61

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Fedora Update System 2020-06-18 00:33:38 UTC

FEDORA-EPEL-2020-101619ac61 has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.