An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.

Upstream bug:
https://github.com/kkos/oniguruma/issues/59

Upstream patch:
https://github.com/kkos/oniguruma/commit/b690371bbf97794b4a1d3f295d4fb9a8b05d402d

Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1466750]
Affects: fedora-all [bug 1466752]

Created php tracking bugs for this issue:

Affects: fedora-all [bug 1466751]

Created ruby tracking bugs for this issue:

Affects: fedora-all [bug 1466749]

Created ruby193-ruby tracking bugs for this issue:

Affects: openshift-1 [bug 1466753]

Ruby is not vulnerable according to upstream:

~~~
> CVE-2017-9229 https://github.com/kkos/oniguruma/issues/59

not affected.

% ruby <<'END'
str = [ 0xc7, 0xd6, 0xfe, 0xea, 0xe0, 0xe2, 0x00 ].pack('c*')
inp = "\x00\x7c\x2e\x7b\x39\x7d\x7b\x39\x30\x7d\x7b\x39\x7d\x7b\x2c\x39\x30\x30\x7d\x30"
re = Regexp.new(inp.force_encoding('EUC-JP'))
md = re.match str.force_encoding('EUC-JP')
p re, md
END
/\x00|.{9}{90}{9}{,900}0/
#<MatchData "\x00">
%
~~~

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:1296 https://access.redhat.com/errata/RHSA-2018:1296