Bug 24338

Summary: oniguruma missing fixes from PHP 5.6.40
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: David GEIGER <geiger.david68210>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, marja11
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO
Source RPM: oniguruma-6.9.1-1.mga7.src.rpm CVE:
Status comment:
Bug Depends on: 25843    
Bug Blocks: 24165    

Description David Walser 2019-02-10 22:03:03 CET 
PHP 5.6.40 fixed several issues in mbstring and two in xmlrpc:
http://www.php.net/ChangeLog-5.php#5.6.40

The xmlrpc issues are in the bundled xmlrpc-epi.  I've added a patch in SVN (pushed in Cauldron) with both fixes, but only this issue really affects the standalone package:
https://bugs.php.net/bug.php?id=77380

All of the mbstring issues are in the bundled oniguruma, and it looks like they're all relevant to the packaged version.
David Walser 2019-02-10 22:03:27 CET

Whiteboard: (none) => MGA6TOO
Blocks: (none) => 24165
CC: (none) => geiger.david68210

Comment 1 Marja Van Waes 2019-02-12 08:23:06 CET 
@ daviddavid

I'm assigning to you, because you maintain oniguruma and let it obsolete onig in cauldron. There are no registered mainainers for onig and xmlrpc-epi.

Please assign back to BugSquad if you do not like the assignment.

CC: (none) => marja11
Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2019-02-12 09:20:18 CET 
I opened a new bug report upstream oniguruma right now, let's see their answer:

https://github.com/kkos/oniguruma/issues/129
Comment 3 David GEIGER 2019-02-12 15:36:25 CET 
Answer from upstream (oniguruma):

#77382
This is fixed at version 6.1.2.

#77418
Though onig_search() and onig_match() has encoded byte length check option (ONIG_OPTION_CHECK_VALIDITY_OF_STRING),
I think onig_search() and onig_match() should not be used for validity check of subject strings.
It is the responsibility of the application.

#Others
Fixed at least 6.9.1.
Comment 4 David Walser 2019-02-16 18:05:32 CET 
What I see when I look at the 6.9.1 code is that all of the PHP patches would apply (maybe with some minor work) as the affected code is all there and looks basically the same.
Comment 5 David GEIGER 2019-02-17 07:46:50 CET 
I can't says more that upstream oniguruma has answered!
David Walser 2019-06-23 19:32:38 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 6 David Walser 2019-07-13 12:51:05 CEST 
David added some CVE patches to oniguruma in Cauldron.
Comment 7 David Walser 2019-11-28 16:22:37 CET 
xmlrpc-epi fixes assigned CVE-2019-9024.  Those fixes made it into Mageia 7 and Mageia 6 is EOL.

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Summary: xmlrpc-epi, onig, oniguruma missing fixes from PHP 5.6.40 => oniguruma missing fixes from PHP 5.6.40
Source RPM: xmlrpc-epi-0.54.2-7.mga6.src.rpm, onig-5.9.6-2.mga6.src.rpm, oniguruma-6.9.1-1.mga7.src.rpm => oniguruma-6.9.1-1.mga7.src.rpm

Comment 8 David GEIGER 2019-11-29 07:07:40 CET 
Could all fedora patches do the trick to fixes security issues?

https://src.fedoraproject.org/rpms/oniguruma/tree/f30
Comment 9 David Walser 2019-11-29 15:59:24 CET 
Looking at the code in the upstream update just pushed in Cauldron and the patches in Fedora, it looks like neither have addressed whatever issues these PHP changes fixed:
http://git.php.net/?p=php-src.git;a=commitdiff;h=20407d06ca3cb5eeb10f876a812b40c381574bcc
http://git.php.net/?p=php-src.git;a=commitdiff;h=28362ed4fae6969b5a8878591a5a06eadf114e03
https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5
Comment 10 David Walser 2019-11-29 16:00:51 CET 
Fortunately the PHP bugs all have PoC's in them, so someone could test them with an updated oniguruma and see what happens.
David Walser 2019-12-07 23:00:18 CET

Depends on: (none) => 25843

Comment 11 David Walser 2019-12-29 18:03:13 CET 
I still see no evidence that these have been addressed in oniguruma 6.9.4, so we should test the PoC's.
Comment 12 David Walser 2020-01-12 02:34:30 CET 
Fixed as best we can tell:
https://advisories.mageia.org/MGASA-2020-0029.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED