GNU bug report logs -
#27993
Oniguruma (PHP and Ruby) security issues
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Sun, 6 Aug 2017 20:30:02 UTC
Severity: normal
Tags: security
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Your bug report
#27993: Oniguruma (PHP and Ruby) security issues
which was filed against the guix package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 27993 <at> debbugs.gnu.org.
--
27993: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=27993
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
On Sun, Aug 06, 2017 at 04:29:33PM -0400, Leo Famulari wrote:
> Recently several serious bugs were fixed in Oniguruma,
> CVE-2017-{9224,9225,9226,9227,9228,9229}:
[...]
> I'm not sure exactly which Oniguruma release fixed the bugs.
I'm still not sure, but our PHP package is using the latest Oniguruma,
and a lot of time has passed since this bug was opened. Closing...
[Message part 5 (message/rfc822, inline)]
Recently several serious bugs were fixed in Oniguruma,
CVE-2017-{9224,9225,9226,9227,9228,9229}:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=oniguruma
https://github.com/kkos/oniguruma#fixed-security-issues
I'm not sure exactly which Oniguruma release fixed the bugs.
Ruby includes vulnerable code from Oniguruma. I didn't see any fixes in
the Ruby Git repo.
I tried building PHP with Oniguruma 6.4.0 or 6.5.0 but the PHP test
suite fails like this:
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #72994 (mbc_to_code() out of bounds read) [ext/mbstring/tests/bug72994.phpt]
Test mb_ereg_replace() function : usage variations - <type here specifics of this variation> [ext/mbstring/tests/mb_ereg_replace_variation1.phpt]
Test mb_ereg() function : usage variations - pass different character classes to see they match correctly [ext/mbstring/tests/mb_ereg_variation3.phpt]
=====================================================================
I tried using the bundled Oniguruma, which includes the fixes, and it
fails like this:
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #60120 proc_open hangs with stdin/out with 2048+ bytes [ext/standard/tests/streams/proc_open_bug60120.phpt]
=====================================================================