GNU bug report logs

#27993 Oniguruma (PHP and Ruby) security issues

Package	Source(s)		Maintainer(s)
guix		PTS Buildd Popcon

Reported by Leo Famulari <leo@famulari.name>
Date 2017-08-06T20:30:02
Severity normal
Tags security
Done Leo Famulari <leo@famulari.name>
Bug is Archived

Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to bug-guix@gnu.org:
bug#27993; Package guix. (Sun, 06 Aug 2017 20:30:03 GMT) (full text, mbox, link).

Acknowledgement sent to Leo Famulari <leo@famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Sun, 06 Aug 2017 20:30:03 GMT) (full text, mbox, link).

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Recently several serious bugs were fixed in Oniguruma,
CVE-2017-{9224,9225,9226,9227,9228,9229}:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=oniguruma
https://github.com/kkos/oniguruma#fixed-security-issues

I'm not sure exactly which Oniguruma release fixed the bugs.

Ruby includes vulnerable code from Oniguruma. I didn't see any fixes in
the Ruby Git repo.

I tried building PHP with Oniguruma 6.4.0 or 6.5.0 but the PHP test
suite fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #72994 (mbc_to_code() out of bounds read) [ext/mbstring/tests/bug72994.phpt]
Test mb_ereg_replace() function : usage variations  - <type here specifics of this variation> [ext/mbstring/tests/mb_ereg_replace_variation1.phpt]
Test mb_ereg() function : usage variations - pass different character classes to see they match correctly [ext/mbstring/tests/mb_ereg_variation3.phpt]
=====================================================================

I tried using the bundled Oniguruma, which includes the fixes, and it
fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #60120 proc_open hangs with stdin/out with 2048+ bytes [ext/standard/tests/streams/proc_open_bug60120.phpt]
=====================================================================

[signature.asc (application/pgp-signature, inline)]

Added tag(s) security. Request was from ludo@gnu.org (Ludovic Courtès) to control@debbugs.gnu.org. (Fri, 08 Sep 2017 08:34:02 GMT) (full text, mbox, link).

Reply sent to Leo Famulari <leo@famulari.name>:
You have taken responsibility. (Tue, 26 Feb 2019 02:09:01 GMT) (full text, mbox, link).

Notification sent to Leo Famulari <leo@famulari.name>:
bug acknowledged by developer. (Tue, 26 Feb 2019 02:09:01 GMT) (full text, mbox, link).

Message #12 received at 27993-done@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Sun, Aug 06, 2017 at 04:29:33PM -0400, Leo Famulari wrote:
> Recently several serious bugs were fixed in Oniguruma,
> CVE-2017-{9224,9225,9226,9227,9228,9229}:

[...]

> I'm not sure exactly which Oniguruma release fixed the bugs.

I'm still not sure, but our PHP package is using the latest Oniguruma,
and a lot of time has passed since this bug was opened. Closing...

[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Tue, 26 Mar 2019 11:24:08 GMT) (full text, mbox, link).

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 06:08:09 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.