GNU bug report logs - #27993
Oniguruma (PHP and Ruby) security issues

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Leo Famulari <leo@HIDDEN>; Keywords: security; dated Sun, 6 Aug 2017 20:30:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from ludo@HIDDEN (Ludovic Courtès) to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 6 Aug 2017 20:29:52 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Aug 06 16:29:52 2017
Received: from localhost ([127.0.0.1]:44998 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1deSBM-0007pk-0a
	for submit <at> debbugs.gnu.org; Sun, 06 Aug 2017 16:29:52 -0400
Received: from eggs.gnu.org ([208.118.235.92]:37227)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1deSBJ-0007pU-NG
 for submit <at> debbugs.gnu.org; Sun, 06 Aug 2017 16:29:50 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1deSBD-0005S3-7H
 for submit <at> debbugs.gnu.org; Sun, 06 Aug 2017 16:29:44 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,T_DKIM_INVALID
 autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:39718)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@HIDDEN>) id 1deSBD-0005Rz-49
 for submit <at> debbugs.gnu.org; Sun, 06 Aug 2017 16:29:43 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56430)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1deSBB-0003vg-IP
 for bug-guix@HIDDEN; Sun, 06 Aug 2017 16:29:42 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@HIDDEN>) id 1deSB7-0005Q5-2x
 for bug-guix@HIDDEN; Sun, 06 Aug 2017 16:29:41 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:57643)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@HIDDEN>) id 1deSB6-0005Pr-PE
 for bug-guix@HIDDEN; Sun, 06 Aug 2017 16:29:37 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 0CC4821676;
 Sun,  6 Aug 2017 16:29:35 -0400 (EDT)
Received: from frontend2 ([10.202.2.161])
 by compute4.internal (MEProxy); Sun, 06 Aug 2017 16:29:35 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=88d
 ANtf5HcMetloy27WBf73hrBu0LCdrmqQuexDnLhU=; b=RmDj0AmjEsD5cQJHtbM
 vGeEJ26c7C7HPTUBZz9HIcjKgk/zgJDWdedXQe83uOoKgWEc5gwkOrosbBTPVk+P
 ljSFYg82ULr5EUh9I2JDTYgafzWlF34QS8lHyJuoOqh2Li2VJHhQeBgSmZtjnRDh
 Ubr6F7UKa/RK65LrIF+wWyrM=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=fm1; bh=88dANtf5HcMetloy27WBf73hrBu0LCdrmqQuexDnL
 hU=; b=RUEWhnnzjIOw+jMQsl22SsPirxxkToOxiDYYfWVx8+NUpyAZhtbD0Y8Dy
 d/Ule6UiwvNhbjwbxNp8vYs2tjx1/iev9F21t9GEu4aLj6nAEiyVgzzwbA88Udco
 PekNiJp5NEmaMdpR+C00x+aXJWAD+9mIwtrax0cLZibMsI7H20t7o3o0/IBEN3m5
 vbrXOj5zfPeeI9WZjozn9cne9TzAQ2YZLUEoee5YTh2IxkZl97IPnCirF1rtjszF
 MSIaWcBxw+jh00CUU0PAFZ+yk9n4jCxbivlNvj2654tr858YzYPc5JtIjB1cw5XU
 D92kQDUOkiN4E3WCw0tcSG5SbVBAQ==
X-ME-Sender: <xms:LnyHWagMATl5TTtb8C8JLMBVk9ToSm0V2Mx_96i0XoXJmcrjRUFwbw>
X-Sasl-enc: s7sdA06rHZaJIsDU+vZoZmaxmEhOVkg11P0er2N0eh/2 1502051374
Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70])
 by mail.messagingengine.com (Postfix) with ESMTPA id BB145245B0
 for <bug-guix@HIDDEN>; Sun,  6 Aug 2017 16:29:34 -0400 (EDT)
Date: Sun, 6 Aug 2017 16:29:33 -0400
From: Leo Famulari <leo@HIDDEN>
To: bug-guix@HIDDEN
Subject: Oniguruma (PHP and Ruby) security issues
Message-ID: <20170806202933.GA21954@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="nFreZHaLTZJo0R7j"
Content-Disposition: inline
User-Agent: Mutt/1.8.3 (2017-05-23)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.1 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.1 (----)


--nFreZHaLTZJo0R7j
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Recently several serious bugs were fixed in Oniguruma,
CVE-2017-{9224,9225,9226,9227,9228,9229}:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=oniguruma
https://github.com/kkos/oniguruma#fixed-security-issues

I'm not sure exactly which Oniguruma release fixed the bugs.

Ruby includes vulnerable code from Oniguruma. I didn't see any fixes in
the Ruby Git repo.

I tried building PHP with Oniguruma 6.4.0 or 6.5.0 but the PHP test
suite fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #72994 (mbc_to_code() out of bounds read) [ext/mbstring/tests/bug72994.phpt]
Test mb_ereg_replace() function : usage variations  - <type here specifics of this variation> [ext/mbstring/tests/mb_ereg_replace_variation1.phpt]
Test mb_ereg() function : usage variations - pass different character classes to see they match correctly [ext/mbstring/tests/mb_ereg_variation3.phpt]
=====================================================================

I tried using the bundled Oniguruma, which includes the fixes, and it
fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #60120 proc_open hangs with stdin/out with 2048+ bytes [ext/standard/tests/streams/proc_open_bug60120.phpt]
=====================================================================

--nFreZHaLTZJo0R7j
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlmHfCoACgkQJkb6MLrK
fwhX5Q/7B9UUCPVzQ6B5R7p4wWnkm1/q3PnBeA2yVxLRpUTskXjmft3mKjf5P8GA
KXvGWRI99AgFPGk6ZQ0wNcbNewADrQJbANrWAPMgyQq/cLutbv4zjHyd3LR6vh6p
l6jgbyqw3jIl9jxPPt6/tkB3TcGvfZQHyWzMtTOWNzUBesAWu16Q2VeFVN20GSmI
DJCkkzfThxzAl5QRXij6rU0vlQSdskS52oVCaoiyIX7K8hqFer0ATFMVJEbZ4udx
nq3bf2OTZijJpOVugEkv8RW2kNa77+blz6LqoLjCondWxdzoAmHwsWtTyADnAtv+
EqAXbmr72i/XkkIUISG/XlTyQ4w2IpHglq34Fk6OLD+awvo8/NMeNR4sRY6W52AQ
2gRY5ke+RpbwEYJnWCNWyakmp/S7FMqDg/1LrgU8bK+SlAnjUryS37AL1XWxSoRz
cp+KEAZglgKRl+o0amT5/w7s/aoQMaV2SB8BAi9ubQnar/WkDSzz9ePxEAMUHHsk
NMuCdcBAXLLpn0OKvyMFZl7by0fHqZp7OdTpYsbgHbnTvJIOqb9vons5q+MBsU3D
70+cRDXMuffTTEB0rDoas3eQwuJOzQS03OJK4ZGT6O1BLjtbdYntt9jh3Dpv1xUZ
MvI+yy1M6DnP+Xi28NZlfcK+JG8NQSDvty99MVCCPKb895sKnMw=
=NSuc
-----END PGP SIGNATURE-----

--nFreZHaLTZJo0R7j--




Acknowledgement sent to Leo Famulari <leo@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#27993; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Fri, 8 Sep 2017 08:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.