The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted regular expression.

Upstream issue: https://bugs.ruby-lang.org/issues/13234
Upstream patch: https://github.com/ruby/ruby/commit/ea940cc4dcff8d6c3
This also affects oniguruma: https://github.com/kkos/oniguruma/commit/9c85daa6b400157ee5b2be2cf5be87a031e4fd49#diff-d62ce585dc91a8f833f07e586f874814
(In reply to Mamoru TASAKA from comment #1)
> This also affects oniguruma:
> https://github.com/kkos/oniguruma/commit/9c85daa6b400157ee5b2be2cf5be87a031e4fd49#diff-d62ce585dc91a8f833f07e586f874814

The affected code was introduced by this:
https://github.com/kkos/oniguruma/commit/6b68ebe8360adefe45be94ed0dbf13a9aa9023ef

So it does not affect oniguruma 6.1.3 or 5.9.2. All versions of oniguruma shipped on Fedora are not affected by this.
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.