In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c.
Created oniguruma tracking bugs for this issue:
Affects: epel-7 [bug 1884113]
Affects: fedora-all [bug 1884112]
This flaw is Out Of Support Scope for Red Hat Software Collections rh-ruby24-ruby. Please see  for more information.
Although the logic appears to exist in Joni, since it's a Java port, this out-of-bounds write vulnerability doesn't apply there.
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Red Hat Ceph Storage 4 is not affected because the affected method, concat_opt_exact_str, is not shipped. However, there is an identical flaw in concat_opt_exact_info_str and concat_opt_exact_info, which do not exist in the most recent version of oniguruma as methods. The impact is rated as low because we ship an older version without this exact exploit, so an attacker could not simply copy and paste this exploit, but would need to dig into the code itself and modify this attack for the older version of the code.
I did some analysis and I don't think the original code was correct. There was never any vulnerability. I sent my analysis upstream:
(In reply to Vít Ondruch from comment #15)
s/I don't think/I think/
So with the help of Vít the upstream now declared that the change by https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0 is not needed and he reverted the change. So this CVE is just false.
I am also going to revert the change on Fedora packages.
Changes reverted with oniguruma-6.9.6-0.3.rc3.fc34, oniguruma-6.9.6-0.3.rc3.fc33, oniguruma-6.9.5-4.rev1.fc32, oniguruma-6.9.4-3.fc31