Bug 1781304 (CVE-2019-16162) - CVE-2019-16162 onigmo: out-of-bounds read in next_state_val() in regparse.c
Summary: CVE-2019-16162 onigmo: out-of-bounds read in next_state_val() in regparse.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16162
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1782981 1781305 1781306 1781307 1796374 1796375 1796376 1796377 1796378 1796379
Blocks: 1781308
 
Reported: 2019-12-09 18:07 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-25 22:14 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-10-25 22:14:06 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2019-12-09 18:07:25 UTC
Onigmo through 6.2.0 has an out-of-bounds read in parse_char_class because of missing codepoint validation in regenc.c.

Reference:
https://github.com/k-takata/Onigmo/issues/139

Comment 1 Guilherme de Almeida Suckevicz 2019-12-09 18:07:53 UTC
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1781306]
Affects: fedora-all [bug 1781305]
Affects: openstack-rdo [bug 1781307]

Comment 2 Mamoru TASAKA 2019-12-10 03:53:33 UTC
This is onigmo, not oniguruma, and oniguruma at least from 5.9.2 contains a code check for onigenc_single_byte_code_to_mbclen:
https://github.com/kkos/oniguruma/blame/master/src/regenc.c#L708
and at least with oniguruma 6.9.4, the bug referenced on onigmo is not reproducible with oniguruma.

Comment 3 Mamoru TASAKA 2019-12-10 03:55:51 UTC
For now, I closed Fedora side tracker (bug 1781305) as NOTABUG.

Comment 4 Guilherme de Almeida Suckevicz 2019-12-11 13:56:45 UTC
(In reply to Mamoru TASAKA from comment #2)
> This is onigmo, not oniguruma, and oniguruma at least from 5.9.2 contains
> a code check for onigenc_single_byte_code_to_mbclen:
> https://github.com/kkos/oniguruma/blame/master/src/regenc.c#L708
> and at least with oniguruma 6.9.4, the bug referenced on onigmo is not
> reproducible with oniguruma.

Mamoru,

Thank you for your analysis.
Since onigmo is a fork of oniguruma, we have to make sure oniguruma doesn't have the affected code as well.

Comment 6 Mark Cooper 2019-12-20 01:46:32 UTC
OpenShift doesn't package Onigmo.

The regular expression referred to in the above URL (or simple variations of a wide hex char) does not cause a segfault with version 5.9.2 of oniguruma which is included in the following containers:
 - openshift4/ose-metering-hadoop
 - openshift4/ose-metering-hive
 - openshift4/ose-metering-presto

Oniguruma correctly produces the error, "invalid code point value".

Comment 7 Mauro Matteo Cascella 2020-01-20 13:18:14 UTC
Upstream fix:
https://github.com/k-takata/Onigmo/commit/d4cf99d30bd5f6a8a4ababd0b9d7b06f3a479a24

Comment 8 Mauro Matteo Cascella 2020-01-23 18:08:32 UTC
Oniguruma upstream versions v5.9.6 up to v6.9.4 are not affected by this flaw, as they already include the code point check in onigenc_single_byte_code_to_mbclen() in regenc.c:
https://github.com/kkos/oniguruma/blob/master/src/regenc.c#L726

The check was already present in the very first upstream commit (onig-5.9.2) and never modified/updated/removed later on:
https://github.com/kkos/oniguruma/commit/65a9b1aa03c9bc2dc01b074295b9603232cb3b78

Note that this is pretty much the same fix introduced in Onigmo (see Comment 7).
The check prevents the function next_state_val() from being called, because ONIGENC_CODE_TO_MBCLEN() returns a negative value:
https://github.com/kkos/oniguruma/blob/v6.9.3/src/regparse.c#L6386-L6399

Also note that next_state_val() function has been renamed to cc_char_next_state() in Oniguruma upstream version v6.9.4:
https://github.com/kkos/oniguruma/commit/51b553ba7d57193eb585aeecf57d4dfbdbf4d57e

Comment 9 Mauro Matteo Cascella 2020-01-23 19:44:01 UTC
Onigmo upstream versions 5.10.0 up to 5.15.0 are not affected by this flaw for the same reason as discussed in Comment 8.
However, Onigmo versions 6.0.0 up to 6.2.0 *are* affected, because function onigenc_single_byte_code_to_mbclen() in regenc.c does not properly check the code point value. The check was removed in upstream version 6.0.0 with the following commit:
https://github.com/k-takata/Onigmo/commit/ce13b17b955e0b6dfc6606b1fdbd4755590b360b#diff-0125a2b1f80c4e0dcb8ae0ffc60e6ccaL610
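As an added illustration (constructed for this page, not code from the bug report, Onigmo or Oniguruma), the C model below contrasts the two behaviours Comments 8 and 9 describe: a single-byte encoding that reports every code point as length 1 lets a class member such as \x{11111} index past a 256-bit class bitset, while the code-point check Oniguruma kept and Onigmo restored returns an error before the bitset is touched. All identifiers and the error value are illustrative stand-ins, not the libraries' own.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the single-byte encoding path discussed in this bug.
 * A single-byte encoding has 256 code points and a character-class bitset is
 * 256 bits wide. All identifiers here are illustrative, not Onigmo's own. */
#define SINGLE_BYTE_SIZE 256
#define BITS_PER_WORD 32
#define BITSET_WORDS (SINGLE_BYTE_SIZE / BITS_PER_WORD)
#define ERR_INVALID_CODE_POINT_VALUE (-400) /* stand-in for the library's error code */

typedef uint32_t Bitset[BITSET_WORDS];

/* Unchecked variant: models Onigmo 6.0.0-6.2.0, where the code-point check
 * was removed and every value is reported as a one-byte character. */
static int code_to_mbclen_unchecked(uint32_t code) { (void)code; return 1; }

/* Checked variant: models the check Oniguruma has had since 5.9.2 and the
 * Onigmo upstream fix restored: code points above 0xff are rejected. */
static int code_to_mbclen_checked(uint32_t code) {
    if (code < SINGLE_BYTE_SIZE) return 1;
    return ERR_INVALID_CODE_POINT_VALUE;
}

/* Bounds-aware bit set: 0 on success, -1 where the real parser would have
 * indexed past the 256-bit set (the out-of-bounds access in this report). */
static int bitset_set_bit(Bitset bs, uint32_t code) {
    if (code / BITS_PER_WORD >= BITSET_WORDS) return -1;
    bs[code / BITS_PER_WORD] |= 1u << (code % BITS_PER_WORD);
    return 0;
}

/* Parser step for one class member: a negative length from the encoding
 * is propagated as a parse error before the bitset is touched. */
static int add_code_to_class(Bitset bs, uint32_t code, int (*to_mbclen)(uint32_t)) {
    int len = to_mbclen(code);
    if (len < 0) return len;
    if (len == 1) return bitset_set_bit(bs, code);
    return 0; /* multi-byte members go to a code-range list, not the bitset */
}

/* Helpers: outcome of adding one code point (e.g. \x{11111}) with each variant. */
static int add_checked(uint32_t code) {
    Bitset bs; memset(bs, 0, sizeof bs);
    return add_code_to_class(bs, code, code_to_mbclen_checked);
}
static int add_unchecked(uint32_t code) {
    Bitset bs; memset(bs, 0, sizeof bs);
    return add_code_to_class(bs, code, code_to_mbclen_unchecked);
}
```

With the checked variant add_checked(0x11111) returns the error code, matching the "invalid code point value" error Comment 6 reports for Oniguruma; with the unchecked variant the same input reaches the bitset index, which is the condition the fix removes.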

Comment 11 Mauro Matteo Cascella 2020-01-29 11:48:36 UTC
The following versions of Ruby embed old versions of Onigmo which all seem to be affected by this issue, as regenc.c does not include the fix:

- ruby as shipped with RHEL7
- ruby:2.5/ruby:2.6 module streams as shipped with RHEL8
- rh-ruby24/rh-ruby25/rh-ruby26 as shipped with RHSCL

However, it's not so easy to reproduce the flaw (maybe not possible at all) because Ruby does not allow wide hexadecimal code points and, consequently, regular expressions containing wide chars in a character class (e.g., [\x{11111}]) end up triggering an "invalid hex escape" syntax error.

Comment 12 Mauro Matteo Cascella 2020-01-30 09:51:15 UTC
The versions of PHP shipped with RHEL6 and RHEL7 embed a very old version of Oniguruma (4.7.1) which does not include the fix in regenc.c. Under some circumstances it is possible to enter the vulnerable path, for example by setting an "ASCII" encoding with mb_regex_encoding() and then calling mb_ereg_match(). Note that those mb_* functions are provided by php-mbstring package which adds support for multi-byte string handling to PHP. This package does not come pre-installed with PHP.

However, the flaw is not exploitable because Oniguruma does not include the macro BITSET_SET_BIT_CHKDUP() which is responsible for the out-of-bounds read. This macro was introduced in Onigmo upstream version 6.0.0 with the following commit:
https://github.com/k-takata/Onigmo/commit/ce13b17b955e0b6dfc6606b1fdbd4755590b360b#diff-a05cbe34d16476e409ca74c5345e7916R146

Comment 13 Mauro Matteo Cascella 2020-01-30 10:00:02 UTC
Statement:

This flaw does not affect the versions of oniguruma as shipped with Red Hat Enterprise Linux 6, and 8 as they already include the patch. The same is true for the versions of oniguruma (embedded in php:7.2/php and php:7.3/php) as shipped with Red Hat Enterprise Linux 8, and the versions of oniguruma (embedded in rh-php72-php and rh-php73-php) as shipped with Red Hat Software Collections 3.

This flaw did not affect the versions of oniguruma (embedded in php) as shipped with Red Hat Enterprise Linux 6, and 7 as they did not include the vulnerable code.

