From: Leo Famulari
To: 27993@debbugs.gnu.org
Subject: bug#27993: Oniguruma (PHP and Ruby) security issues
Date: Sun, 6 Aug 2017 16:29:33 -0400
Message-ID: <20170806202933.GA21954@jasmine.lan>

Recently several serious bugs were fixed in Oniguruma,
CVE-2017-{9224,9225,9226,9227,9228,9229}:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=oniguruma
https://github.com/kkos/oniguruma#fixed-security-issues

I'm not sure exactly which Oniguruma release fixed the bugs.

Ruby includes vulnerable code from Oniguruma. I didn't see any fixes in
the Ruby Git repo.

I tried building PHP with Oniguruma 6.4.0 or 6.5.0 but the PHP test
suite fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #72994 (mbc_to_code() out of bounds read) [ext/mbstring/tests/bug72994.phpt]
Test mb_ereg_replace() function : usage variations - [ext/mbstring/tests/mb_ereg_replace_variation1.phpt]
Test mb_ereg() function : usage variations - pass different character classes to see they match correctly [ext/mbstring/tests/mb_ereg_variation3.phpt]
=====================================================================

I tried using the bundled Oniguruma, which includes the fixes, and it
fails like this:

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #60120 proc_open hangs with stdin/out with 2048+ bytes [ext/standard/tests/streams/proc_open_bug60120.phpt]
=====================================================================

From: ludo@gnu.org (Ludovic Courtès)
To: control@debbugs.gnu.org
Subject: control message for bug #27993
Date: Fri, 08 Sep 2017 10:33:09 +0200
Message-Id: <87lglpk2t6.fsf@gnu.org>

tags 27993 security

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari
Subject: bug#27993: closed (Re: Oniguruma (PHP and Ruby) security issues)
Date: Tue, 26 Feb 2019 02:09:01 +0000
Reply-To: 27993@debbugs.gnu.org
References: <20190226020828.GA26247@jasmine.lan> <20170806202933.GA21954@jasmine.lan>

Your bug report

#27993: Oniguruma (PHP and Ruby) security issues

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 27993@debbugs.gnu.org.

-- 
27993: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=27993
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Leo Famulari
To: 27993-done@debbugs.gnu.org
Subject: Re: Oniguruma (PHP and Ruby) security issues
Date: Mon, 25 Feb 2019 21:08:28 -0500
Message-ID: <20190226020828.GA26247@jasmine.lan>
In-Reply-To: <20170806202933.GA21954@jasmine.lan>

On Sun, Aug 06, 2017 at 04:29:33PM -0400, Leo Famulari wrote:
> Recently several serious bugs were fixed in Oniguruma,
> CVE-2017-{9224,9225,9226,9227,9228,9229}:

[...]

> I'm not sure exactly which Oniguruma release fixed the bugs.

I'm still not sure, but our PHP package is using the latest Oniguruma,
and a lot of time has passed since this bug was opened. Closing...