A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust. Upstream commit: https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
Created oniguruma tracking bugs for this issue:
Affects: epel-7 [bug 1728967]
Affects: fedora-all [bug 1728966]
(In reply to Dhananjay Arunesh from comment #0)
> A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2
> allows attackers to potentially cause denial of service by providing a
> crafted regular expression. Oniguruma issues often affect Ruby, as well as
> common optional libraries for PHP and Rust.
>
> Upstream commit:
> https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c

For 6.9.2 (Fedora 31 and 30), this patch can be applied cleanly.
For 6.9.1 (Fedora 29), this patch cannot be applied cleanly. (Note that the fact that this patch cannot be applied already indicates that there are some large changes between 6.9.1 and 6.9.2, at least at the code level, which is the reason I did not upgrade oniguruma to 6.9.1 on Fedora 29.)
At a quick glance, oniguruma 6.9.2 appears to be affected by this; however, I think it needs some longer investigation how to apply the fix to oniguruma 6.9.2.
RHEL8 seems to be using 6.8.2, and EPEL7 seems to be using 5.9.5, which need much longer investigation, I think.
> however I think it needs some longer investigation how to apply the fix to oniguruma 6.9.2. s/6.9.2/6.9.1/
For 6.9.1: https://src.fedoraproject.org/rpms/oniguruma/blob/f29/f/0100-Apply-CVE-2019-13325-fix-to-6.9.1.patch
Statement: The version of the Oniguruma package as shipped with Red Hat Enterprise Linux 6 is not affected by this issue. The issue resides in the way 'If/Else' statements are handled by Oniguruma, which is not supported by Red Hat Enterprise Linux 6.
OpenShift is not affected as it only includes version 5.x of oniguruma in the following containers:
- openshift4/ose-metering-hadoop
- openshift4/ose-metering-hive
- openshift4/ose-metering-presto
Version 5.x does not contain the affected If/Else code.
Ruby uses libonigmo instead of Oniguruma, and libonigmo is not affected by this flaw.
Oniguruma is a library designed to handle regular expressions. When processing a regular expression, Oniguruma compiles it into byte code, which is then used when matching the required pattern against a text. There is a bug in the compilation stage for regular expression if/else statements which causes incorrect byte code to be generated. The wrong byte code further leads to a Segmentation Fault in the match_at() function, as it handles regular characters as memory addresses instead. An attacker can leverage this by producing a regular expression crafted to trigger the bug, leading to DoS. The attack complexity may be considered High, as the target software may need to accept and compile untrusted regular expressions, and the attacker may need to check which Oniguruma version is being used on the victim side, as only Oniguruma v6.5.0 and above implements the if/else pattern.
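The comment above describes the exposed path: untrusted patterns that use the if/else conditional construct, compiled on an Oniguruma new enough (6.5.0 and later) to implement it. The following is an added example, not code from the Oniguruma project or from this bug report, of a pre-filter an application could run before handing an untrusted pattern to an Oniguruma-backed engine. It scans for the conditional group syntax "(?(cond)yes|no)", skipping escaped parentheses and the contents of bracket expressions so that ordinary patterns are not refused, and has a helper that says whether a given Oniguruma version string is in the range that implements the construct at all. The scanner, the version helper and the sample patterns are assumptions for illustration; they model the syntax named in the report, not Oniguruma's own parser, and a version number alone cannot tell you whether a given build carries the fix.

```python
"""Pre-filter for untrusted regular expressions sent to an Oniguruma backend.

Added example, not Oniguruma project code. It refuses patterns that use the
if/else conditional group "(?(cond)yes|no)", the construct the bug report
identifies as the one whose compiled byte code crashes match_at(), and reports
whether a backend version is new enough to implement that construct (6.5.0 and
above, per the report). The scanner is an assumption that models the syntax
described in the report; it is not Oniguruma's parser.
"""
from typing import Optional, Tuple


def find_conditional(pattern: str) -> Optional[int]:
    """Return the offset of the first '(?(' that opens a conditional group,
    or None if the pattern has none.

    Escaped characters are skipped ('\\(' is a literal paren) and so is the
    body of a bracket expression ('[(?(]' is a character class), so a pattern
    is only flagged when the three characters really open a group.
    """
    i = 0
    n = len(pattern)
    in_class = False
    while i < n:
        c = pattern[i]
        if c == "\\":
            i += 2          # whatever follows a backslash is literal here
            continue
        if in_class:
            if c == "]":
                in_class = False
            i += 1
            continue
        if c == "[":
            in_class = True
            # ']' right after '[' or '[^' is a literal member, not the close
            if i + 1 < n and pattern[i + 1] == "^":
                i += 1
            if i + 1 < n and pattern[i + 1] == "]":
                i += 1
            i += 1
            continue
        if pattern.startswith("(?(", i):
            return i
        i += 1
    return None


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; anything else is rejected rather than guessed."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Oniguruma version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def implements_conditionals(version: str) -> bool:
    """True when this Oniguruma version implements (?(cond)yes|no), i.e. 6.5.0
    or later according to the report. Says nothing about whether the build
    carries the fix; that has to come from the package changelog."""
    return parse_version(version) >= (6, 5, 0)


def accept_untrusted_pattern(pattern: str) -> Tuple[bool, str]:
    """Policy decision for a pattern from an untrusted source.

    Conditional groups are refused outright: an untrusted caller has no
    business steering the engine into the if/else compile path, whatever
    the backend version, and refusing is cheaper than checking the build.
    """
    pos = find_conditional(pattern)
    if pos is None:
        return True, "ok"
    return False, f"conditional group (?( at offset {pos} refused"


if __name__ == "__main__":
    # Constructed sample patterns for illustration; they are not from the report.
    samples = [
        r"(a)?(?(1)b|c)",        # numbered conditional: refused
        r"(?<n>x)(?(<n>)y|z)",   # named conditional: refused
        r"\(?\(1\)",             # escaped parens: accepted
        r"[(?(]x",               # '(?(' inside a class: accepted
    ]
    for s in samples:
        print(f"{s!r:28} -> {accept_untrusted_pattern(s)}")
    for v in ("5.9.5", "6.8.2", "6.9.2"):
        print(f"Oniguruma {v} implements if/else: {implements_conditionals(v)}")
```

Run stand-alone the script prints the decision for each sample and the version check for the releases mentioned in this thread (5.9.5 on EPEL7, 6.8.2 on RHEL8, 6.9.2 on Fedora). The filter is deliberately stricter than a version test: a backend older than 6.5.0 would reject the syntax itself, but refusing the construct for untrusted input on every version keeps the policy independent of which patched or unpatched build is deployed.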
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3662 https://access.redhat.com/errata/RHSA-2020:3662
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-13225
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4827 https://access.redhat.com/errata/RHSA-2020:4827