Bug 1802051 (CVE-2019-19012) - CVE-2019-19012 oniguruma: integer overflow in search_in_range function in regexec.c leads to out-of-bounds read
Summary: CVE-2019-19012 oniguruma: integer overflow in search_in_range function in reg...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-19012
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1802053 1802052 1813299 1813300 1813301 1814167
Blocks: 1802075
TreeView+ depends on / blocked
 
Reported: 2020-02-12 09:30 UTC by Dhananjay Arunesh
Modified: 2024-03-27 08:22 UTC (History)
28 users (show)

Fixed In Version: Oniguruma 6.9.4
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow vulnerability leading to an out-of-bounds read was found in the way Oniguruma handled regular expression quantifiers. A remote attacker could abuse this flaw by providing a malformed regular expression that, when processed by an application linked to Oniguruma, could crash the application, causing a denial of service.
Clone Of:
Environment:
Last Closed: 2021-10-28 10:59:28 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:0409 0 None None None 2024-01-24 16:42:00 UTC
Red Hat Product Errata RHSA-2024:0572 0 None None None 2024-01-30 13:20:37 UTC
Red Hat Product Errata RHSA-2024:0889 0 None None None 2024-02-20 12:30:28 UTC

Description Dhananjay Arunesh 2020-02-12 09:30:47 UTC 
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression.

Reference:
https://github.com/kkos/oniguruma/issues/164
https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
https://github.com/tarantula-team/CVE-2019-19012
Comment 1 Dhananjay Arunesh 2020-02-12 09:32:03 UTC 
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1802053]
Affects: fedora-30 [bug 1802052]
Comment 2 Mark Cooper 2020-02-21 04:19:21 UTC 
The Oniguruma library which is only packaged in OpenShift 4.x, is the 64-bit version which is not vulnerable to this flaw.
Comment 4 Mauro Matteo Cascella 2020-03-12 09:57:17 UTC 
Upstream fix:
https://github.com/kkos/oniguruma/commit/0463e21432515631a9bc925ce5eb95b097c73719
Comment 9 Mark Cooper 2020-03-16 05:10:57 UTC 
Statement:

This flaw only affected 32-bit compiled versions of Oniguruma. Therefore it did not affect the following 64-bit versions:
* PHP and Ruby as shipped with Red Hat Enterprise Linux 7.
* PHP and Ruby as shipped with Red Hat Software Collections 3.
* PHP as shipped with Red Hat Enterprise Linux 8.
* OpenShift containers: openshift4/ose-metering-hadoop, openshift4/ose-metering-hive, openshift4/ose-metering-presto.
Comment 10 Mauro Matteo Cascella 2020-03-17 09:17:58 UTC 
Created oniguruma tracking bugs for this issue:

Affects: openstack-rdo [bug 1814167]
Comment 12 Vít Ondruch 2020-05-04 15:42:15 UTC 
(In reply to Mauro Matteo Cascella from comment #4)
> Upstream fix:
> https://github.com/kkos/oniguruma/commit/
> 0463e21432515631a9bc925ce5eb95b097c73719

There is more than this:

https://github.com/kkos/oniguruma/commit/db64ef3189f54917a5008a02bdb000adc514a90a
https://github.com/kkos/oniguruma/commit/bfc36d3d8139b8be4d3df630d625c58687b0c7d4
https://github.com/kkos/oniguruma/commit/778a43dd56925ed58bbe26e3a7bb8202d72c3f3f
https://github.com/kkos/oniguruma/commit/b6cb7580a7e0c56fc325fe9370b9d34044910aed
Comment 22 errata-xmlrpc 2024-01-24 16:41:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0409 https://access.redhat.com/errata/RHSA-2024:0409
Comment 23 errata-xmlrpc 2024-01-30 13:20:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0572 https://access.redhat.com/errata/RHSA-2024:0572
Comment 24 errata-xmlrpc 2024-02-20 12:30:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0889 https://access.redhat.com/errata/RHSA-2024:0889
Note You need to log in before you can comment on or make changes to this bug.