Bug 1728965 (CVE-2019-13225) - CVE-2019-13225 oniguruma: null-pointer dereference in match_at() in regexec.c
Summary: CVE-2019-13225 oniguruma: null-pointer dereference in match_at() in regexec.c
Keywords:
Status: NEW
Alias: CVE-2019-13225
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1728967 1771052 1728966 1771054 1771055 1772692
Blocks: 1728974
Reported: 2019-07-11 06:43 UTC by Dhananjay Arunesh
Modified: 2019-12-05 15:39 UTC (History)

Fixed In Version: oniguruma 6.9.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Dhananjay Arunesh 2019-07-11 06:43:59 UTC
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

Upstream commit:
https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c

Comment 1 Dhananjay Arunesh 2019-07-11 06:44:17 UTC
Created oniguruma tracking bugs for this issue:

Affects: epel-7 [bug 1728967]
Affects: fedora-all [bug 1728966]

Comment 2 Mamoru TASAKA 2019-07-12 04:00:57 UTC
(In reply to Dhananjay Arunesh from comment #0)
> A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2
> allows attackers to potentially cause denial of service by providing a
> crafted regular expression. Oniguruma issues often affect Ruby, as well as
> common optional libraries for PHP and Rust.
> 
> Upstream commit:
> https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c

For 6.9.2 (Fedora 31 and 30), this patch can be applied cleanly.

For 6.9.1 (Fedora 29) this patch cannot be applied cleanly. (Note that the fact that this patch cannot be applied already indicates that there are some large changes between 6.9.1 and 6.9.2, at least on the code level, which is the reason I did not upgrade oniguruma to 6.9.1 on Fedora 29.)
At a quick glance, oniguruma 6.9.2 appears to be affected by this; however, I think it needs some longer investigation into how to apply the fix to oniguruma 6.9.2.

RHEL8 seems to be using 6.8.2, EPEL7 seems to be using 5.9.5, which need much longer investigation, I think.

Comment 3 Mamoru TASAKA 2019-07-12 04:02:22 UTC
> however I think it needs some longer investigation how to apply the fix to oniguruma 6.9.2.

s/6.9.2/6.9.1/

Comment 7 Marco Benatto 2019-11-11 19:54:59 UTC
Statement:

The version of the Oniguruma package as shipped with Red Hat Enterprise Linux 6 is not affected by this issue. The issue resides in the way 'If/Else' statements are handled by Oniguruma, which is not supported by Red Hat Enterprise Linux 6.

Comment 18 Mark Cooper 2019-11-19 03:11:55 UTC
OpenShift is not affected as it only includes version 5.x of oniguruma in the following containers:
 - openshift4/ose-metering-hadoop
 - openshift4/ose-metering-hive
 - openshift4/ose-metering-presto

Version 5.x does not contain the affected If/Else code.

Comment 19 Marco Benatto 2019-11-20 18:53:38 UTC
Ruby uses libonigmo, instead of oniguruma, which is not affected by this flaw.

Comment 20 Marco Benatto 2019-11-20 19:21:05 UTC
Oniguruma is a library designed to handle regular expressions. When processing a regular expression, Oniguruma compiles it into byte code to be further used when matching the required pattern against a text. There's a bug in the compile stage for regular expressions' if/else statements which causes incorrect byte code to be generated. The wrong byte code further leads to a Segmentation Fault in the match_at() function, as it handles regular characters as memory addresses instead. An attacker can leverage this by producing a regular expression crafted to trigger the bug, leading to DoS.

The attack complexity may be considered High, as the target software may need to accept and compile untrusted regular expressions and the attacker may need to check which oniguruma version is being used on the victim side, as only Oniguruma v6.5.0 and above implements the if/else pattern.
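A triage helper for the exposure described in comment 20, added here as an example; it is not code from the bug report or from Oniguruma itself. It assumes the affected range stated in this bug (if/else syntax present from 6.5.0, fix shipped in 6.9.3) and scans untrusted patterns for the `(?(` conditional opener in a deliberately over-inclusive way, so a pattern is refused rather than handed to an unfixed library.

```python
"""Pre-filter for untrusted regular expressions on Oniguruma builds
affected by CVE-2019-13225.  Constructed example; the version bounds
come from the bug report, the scanning logic is an assumption.
"""

# Per the report: if/else groups exist since 6.5.0, the fix is in 6.9.3.
FIRST_WITH_IF_ELSE = (6, 5, 0)
FIXED_IN = (6, 9, 3)


def parse_version(text):
    """Turn '6.9.2' or an rpm-style '6.9.2-1' into a comparable tuple."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised oniguruma version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text):
    """True for 6.5.0 <= version < 6.9.3, the range stated in the report."""
    return FIRST_WITH_IF_ELSE <= parse_version(text) < FIXED_IN


def uses_conditional(pattern):
    """True if the pattern contains an unescaped '(?(' opener.

    Backslash escapes are skipped so that '\\(?(x)' is not a hit while
    '\\\\(?(1)a|b)' is.  Character classes are deliberately not parsed:
    a '(?(' inside '[...]' counts as a hit, which only errs toward
    rejecting the pattern.
    """
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2  # skip the escape and the character it protects
            continue
        if pattern.startswith("(?(", i):
            return True
        i += 1
    return False


def should_reject(pattern, oniguruma_version):
    """Refuse an untrusted pattern only where it can reach the buggy path:
    an if/else group compiled by an affected library version."""
    return is_affected_version(oniguruma_version) and uses_conditional(pattern)
```

Patterns that never reach the if/else compiler, and any pattern on 6.9.3 or later, pass through untouched; everything else is rejected before onig_new() would see it.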

