Bug 27387

Summary: oniguruma new security issue CVE-2020-26159
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, herman.viaene, ouaurelien, sysadmin-bugs, tarazed25
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: oniguruma-6.9.4-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-10-11 18:13:19 CEST 
A security issue fixed upstream in oniguruma has been announced on September 30:
https://www.openwall.com/lists/oss-security/2020/09/30/7

The commit that fixed the issue is linked in the message above.

Mageia 7 is also affected.
David Walser 2020-10-11 18:13:26 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-10-13 21:13:23 CEST 
Fedora has issued an advisory for this on October 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZFUJY7BUIFBTZ3IUHVHCID4JYCRDGKPS/

Severity: normal => major

Comment 2 David Walser 2020-11-06 00:20:33 CET 
Debian-LTS has issued an advisory for this today (November 5):
https://www.debian.org/lts/security/2020/dla-2431
Comment 3 David GEIGER 2020-11-08 07:46:33 CET 
Done for both Cauldron and mga7!
Comment 4 David Walser 2020-11-09 23:10:25 CET 
Advisory:
========================

Updated oniguruma packages fix security vulnerability:

In Oniguruma, an attacker able to supply a regular expression for compilation
may be able to overflow a buffer by one byte in concat_opt_exact_str in
src/regcomp.c (CVE-2020-26159).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26159
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZFUJY7BUIFBTZ3IUHVHCID4JYCRDGKPS/
========================

Updated packages in core/updates_testing:
========================
libonig5-6.9.4-1.1.mga7
liboniguruma-devel-6.9.4-1.1.mga7

from oniguruma-6.9.4-1.1.mga7.src.rpm

CC: (none) => geiger.david68210
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: geiger.david68210 => qa-bugs

Comment 5 Herman Viaene 2020-11-15 11:52:25 CET 
Installed the update and looked at previous bugs 25843 and 24338, that is stuff out of  my league.
Cann't say no more than that it does not harm my system.

CC: (none) => herman.viaene

Comment 6 Aurelien Oudelet 2020-12-07 11:03:27 CET 
Too long in QA.

(In reply to Herman Viaene from comment #5)
> Installed the update and looked at previous bugs 25843 and 24338, that is
> stuff out of  my league.
> Cann't say no more than that it does not harm my system.

@Len, what about this?

As Herman, this is not my cup of tea...

CC: (none) => ouaurelien, tarazed25
Source RPM: oniguruma-6.9.5r1-1.mga8.src.rpm => oniguruma-6.9.4-1.mga7.src.rpm

Comment 7 Len Lawrence 2020-12-07 19:03:35 CET 
@Aurelien, comment 6.

Not mine either.  The only contact I have had is in testing the PoC in a previous version.  Those tests worked fine but give no clue as to how the application runs or how it works and I am in no position right now to attempt a follow-up so the package should perhaps be let go on the basis of a clean install - sticks in one's throat but what can you do?
Herman Viaene 2020-12-08 08:55:51 CET

Whiteboard: (none) => MGA7-64-OK

Comment 8 Aurelien Oudelet 2020-12-08 09:25:52 CET 
Validating
Advisory pushed to SVN.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2020-12-08 11:41:45 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0452.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED