Bug 1728970 (CVE-2019-13224) - CVE-2019-13224 oniguruma: Use-after-free in onig_new_deluxe() in regext.c
Summary: CVE-2019-13224 oniguruma: Use-after-free in onig_new_deluxe() in regext.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-13224
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1728972 1728971 1774846 1774847 1774848 1777572 1777573 1777574 1777575 1777576 1777577 1777578 1857701
Blocks: 1728974
Reported: 2019-07-11 06:51 UTC by Dhananjay Arunesh
Modified: 2021-02-16 21:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-08 13:17:56 UTC




Links
System: Red Hat Product Errata
ID: RHSA-2020:3662
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2020-09-08 09:46:03 UTC

Description Dhananjay Arunesh 2019-07-11 06:51:03 UTC
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Reference:
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55

Comment 1 Dhananjay Arunesh 2019-07-11 06:51:21 UTC
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1728972]
Affects: fedora-all [bug 1728971]

Comment 2 Mamoru TASAKA 2019-07-12 04:42:01 UTC
(In reply to Dhananjay Arunesh from comment #0)
> A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows
> attackers to potentially cause information disclosure, denial of service, or
> possibly code execution by providing a crafted regular expression. The
> attacker provides a pair of a regex pattern and a string, with a multi-byte
> encoding that gets handled by onig_new_deluxe(). Oniguruma issues often
> affect Ruby, as well as common optional libraries for PHP and Rust.
> 
> Reference:
> https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55

This change is a sort of API, not a fix for the function but essentially an obsoletion of the function, and currently I am unsure if I should apply this "change" as it is.

Comment 3 Mamoru TASAKA 2019-07-12 06:46:15 UTC
For F-30, F-29 (and for now for F-31) I decided not to use the upstream change but use another fix.

Comment 5 Mark Cooper 2019-11-21 05:47:16 UTC
The following containers are packaged with OpenShift 4.x and contain a vulnerable version of oniguruma (5.9.x):
 - openshift4/ose-metering-hadoop
 - openshift4/ose-metering-hive
 - openshift4/ose-metering-presto

However, these containers include oniguruma but do not use it. This includes faq and jq, which may use oniguruma and are included within the containers but, likewise, are unused. Additionally, when the associated jq version uses the oniguruma library, it does not call the vulnerable function onig_new_deluxe().

Comment 8 Marco Benatto 2019-11-26 18:19:22 UTC
Statement:

Ruby versions are not affected as they used Onigmo, which is a fork of Oniguruma, instead. The Onigmo library doesn't include the source code containing the related bug.

Comment 12 Marco Benatto 2019-11-28 15:01:41 UTC
There's an issue when using different encodings in the onig_new_deluxe() function. Under the right circumstances a use-after-free may be caused when Oniguruma fails to compile the regular expression. This flaw may be leveraged by an attacker to expose heap data or cause DoS by crafting a regular expression which triggers the bug.

Comment 14 errata-xmlrpc 2020-09-08 09:45:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662

Comment 15 Product Security DevOps Team 2020-09-08 13:17:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13224

