GNU bug report logs - #27993
Oniguruma (PHP and Ruby) security issues


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sun, 6 Aug 2017 20:30:02 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#27993; Package guix. (Sun, 06 Aug 2017 20:30:03 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 06 Aug 2017 20:30:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: Oniguruma (PHP and Ruby) security issues
Date: Sun, 6 Aug 2017 16:29:33 -0400
Recently several serious bugs were fixed in Oniguruma,
CVE-2017-{9224,9225,9226,9227,9228,9229}:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=oniguruma
https://github.com/kkos/oniguruma#fixed-security-issues

I'm not sure exactly which Oniguruma release fixed the bugs.

Ruby includes vulnerable code from Oniguruma. I didn't see any fixes in
the Ruby Git repo.

I tried building PHP with Oniguruma 6.4.0 or 6.5.0 but the PHP test
suite fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #72994 (mbc_to_code() out of bounds read) [ext/mbstring/tests/bug72994.phpt]
Test mb_ereg_replace() function : usage variations  - <type here specifics of this variation> [ext/mbstring/tests/mb_ereg_replace_variation1.phpt]
Test mb_ereg() function : usage variations - pass different character classes to see they match correctly [ext/mbstring/tests/mb_ereg_variation3.phpt]
=====================================================================

I tried using the bundled Oniguruma, which includes the fixes, and it
fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #60120 proc_open hangs with stdin/out with 2048+ bytes [ext/standard/tests/streams/proc_open_bug60120.phpt]
=====================================================================

Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Fri, 08 Sep 2017 08:34:02 GMT)

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Tue, 26 Feb 2019 02:09:01 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Tue, 26 Feb 2019 02:09:01 GMT)

Message #12 received at 27993-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 27993-done <at> debbugs.gnu.org
Subject: Re: Oniguruma (PHP and Ruby) security issues
Date: Mon, 25 Feb 2019 21:08:28 -0500
On Sun, Aug 06, 2017 at 04:29:33PM -0400, Leo Famulari wrote:
> Recently several serious bugs were fixed in Oniguruma,
> CVE-2017-{9224,9225,9226,9227,9228,9229}:

[...]

> I'm not sure exactly which Oniguruma release fixed the bugs.

I'm still not sure, but our PHP package is using the latest Oniguruma,
and a lot of time has passed since this bug was opened. Closing...

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 26 Mar 2019 11:24:08 GMT)
