Bug 1884111 (CVE-2020-26159) - CVE-2020-26159 oniguruma: Buffer overflow in concat_opt_exact_str could result in DoS
Status: NEW
Alias: CVE-2020-26159
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1884113 1887595 1973531 1884112 1884452 1884829 1884830 1884831 1884832 1884833 1884834 1884835 1884836 1884837
Blocks: 1884114
Reported: 2020-10-01 05:25 UTC by Michael Kaplan
Modified: 2021-06-18 06:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in oniguruma. An attacker, able to supply a regular expression for compilation, may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c.
Clone Of:
Last Closed:


External Trackers:
System: Github
ID: kkos oniguruma issues 221
Private: 0
Priority: None
Status: closed
Summary: Possible wrong fix to #207
Last Updated: 2021-01-03 20:07:46 UTC

Description Michael Kaplan 2020-10-01 05:25:25 UTC
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c.

Comment 2 Michael Kaplan 2020-10-01 05:25:52 UTC
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1884113]
Affects: fedora-all [bug 1884112]

Comment 6 Todd Cullum 2020-10-02 22:25:50 UTC
This flaw is Out Of Support Scope for Red Hat Software Collections rh-ruby24-ruby. Please see [1] for more information.

1. https://access.redhat.com/support/policy/updates/rhscl-rhel7

Comment 8 Todd Cullum 2020-10-02 22:48:06 UTC
Although the logic appears to exist in Joni[1], since it's a Java port, this out-of-bounds write vulnerability doesn't apply there.

1. https://github.com/jruby/joni/blob/8f0ff74275e0a84f6bedda30e8c100369d4e9e10/src/org/joni/OptExactInfo.java#L88

Comment 10 Todd Cullum 2020-10-07 17:45:35 UTC
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 14 amctagga 2020-10-14 17:19:14 UTC
Red Hat Ceph Storage 4 is not affected because the affected method, concat_opt_exact_str, is not shipped. However, there is an identical flaw in concat_opt_exact_info_str and concat_opt_exact_info, which do not exist in the most recent version of oniguruma as methods. The impact is rated as low because we ship an older version without this exact exploit, so an attacker could not simply copy and paste this exploit, but would need to dig into the code itself and modify this attack for the older version of the code.

Comment 15 Vít Ondruch 2020-10-19 18:29:17 UTC
I did some analysis and I don't think the original code was correct. There was never any vulnerability. I sent my analysis upstream:
Comment 16 Vít Ondruch 2020-10-19 18:32:00 UTC
(In reply to Vít Ondruch from comment #15)

s/I don't think/I think/

Comment 17 Mamoru TASAKA 2020-10-20 05:31:49 UTC
So with the help of Vít the upstream now declared that the change by https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0 is not needed and he reverted the change. So this CVE is just false.

I am also going to revert the change on Fedora packages.

Comment 18 Mamoru TASAKA 2020-10-21 00:29:48 UTC
Changes reverted with oniguruma-6.9.6-0.3.rc3.fc34, oniguruma-6.9.6-0.3.rc3.fc33, oniguruma-6.9.5-4.rev1.fc32, oniguruma-6.9.4-3.fc31
