Bug 691832 (CVE-2019-13224, CVE-2019-13225, CVE-2019-16163) - <dev-libs/oniguruma-6.9.3: Multiple vulnerabilities
Summary: <dev-libs/oniguruma-6.9.3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-13224, CVE-2019-13225, CVE-2019-16163
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Reported: 2019-08-09 15:15 UTC by Arfrever Frehtes Taifersar Arahesis
Modified: 2019-11-07 19:08 UTC

Package list:
dev-libs/oniguruma-6.9.3
Runtime testing required: ---
stable-bot: sanity-check+


Description Arfrever Frehtes Taifersar Arahesis 2019-08-09 15:15:45 UTC
https://github.com/kkos/oniguruma/releases/tag/v6.9.3:
"""
・ Fixed CVE-2019-13224
・ Fixed CVE-2019-13225
・ Fixed many problems (found by libfuzzer programs)
"""


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224:
"""
A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
"""


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225:
"""
A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.
"""
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-08-09 23:14:47 UTC
arm64 stable
Comment 2 Rolf Eike Beer archtester 2019-08-10 09:11:35 UTC
sparc stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2019-08-10 09:58:42 UTC
ia64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2019-08-11 17:02:59 UTC
hppa stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-08-13 08:21:26 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-08-13 11:41:09 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2019-08-13 11:50:00 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2019-08-14 07:35:27 UTC
alpha stable
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-09-01 18:26:48 UTC
arm stable
Comment 10 Larry the Git Cow gentoo-dev 2019-09-12 21:07:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db845c227640ab479b9bc5992de5580c3ca7688c

commit db845c227640ab479b9bc5992de5580c3ca7688c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-09-12 21:07:09 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-09-12 21:07:28 +0000

    dev-libs/oniguruma: security cleanup (#691832)
    
    Bug: https://bugs.gentoo.org/691832
    Package-Manager: Portage-2.3.76, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/oniguruma/Manifest               |  2 --
 dev-libs/oniguruma/oniguruma-6.9.1.ebuild | 32 -------------------------------
 dev-libs/oniguruma/oniguruma-6.9.2.ebuild | 32 -------------------------------
 3 files changed, 66 deletions(-)
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2019-09-12 21:08:20 UTC
New GLSA request filed.
Comment 12 Arfrever Frehtes Taifersar Arahesis 2019-09-14 02:23:32 UTC
https://github.com/kkos/oniguruma/commit/4e72afff1d360cf37cf9cccdba70946f074cb60a
"""
add CVE-2019-16163 in README.md
"""


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16163:
"""
Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.
"""
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2019-11-07 19:08:48 UTC
This issue was resolved and addressed in
 GLSA 201911-03 at https://security.gentoo.org/glsa/201911-03
by GLSA coordinator Aaron Bauman (b-man).