PHP 5.6.40 fixed several issues in mbstring and two in xmlrpc: http://www.php.net/ChangeLog-5.php#5.6.40 The xmlrpc issues are in the bundled xmlrpc-epi. I've added a patch in SVN (pushed in Cauldron) with both fixes, but only this issue really affects the standalone package: https://bugs.php.net/bug.php?id=77380 All of the mbstring issues are in the bundled oniguruma, and it looks like they're all relevant to the packaged version.
Whiteboard: (none) => MGA6TOO
Blocks: (none) => 24165
CC: (none) => geiger.david68210
@ daviddavid I'm assigning to you, because you maintain oniguruma and let it obsolete onig in Cauldron. There are no registered maintainers for onig and xmlrpc-epi. Please assign back to BugSquad if you do not like the assignment.
CC: (none) => marja11
Assignee: bugsquad => geiger.david68210
I opened a new bug report upstream oniguruma right now, let's see their answer: https://github.com/kkos/oniguruma/issues/129
Answer from upstream (oniguruma):
#77382 This is fixed at version 6.1.2.
#77418 Though onig_search() and onig_match() have an encoded byte length check option (ONIG_OPTION_CHECK_VALIDITY_OF_STRING), I think onig_search() and onig_match() should not be used for validity checks of subject strings. It is the responsibility of the application.
#Others Fixed at least in 6.9.1.
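Upstream's answer puts the validity check of subject strings on the application side. The following is an added example (not code from this bug, from PHP, or from oniguruma) of such an application-side check: a strict UTF-8 validator that rejects truncated multibyte sequences, overlong forms, surrogates and code points above U+10FFFF, meant to be run on a subject buffer before it is handed to a regex engine. The function name and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if buf[0..len) is well-formed UTF-8 (RFC 3629), else 0.
 * The expected sequence length is checked against the bytes remaining,
 * so a multibyte sequence cut off at the end of the buffer is rejected
 * instead of being read past. Hypothetical helper for this example. */
int utf8_subject_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t n;       /* continuation bytes expected after the lead byte */
        uint32_t cp;    /* decoded code point, for overlong/range checks */
        if (c < 0x80) { i++; continue; }
        else if (c >= 0xC2 && c <= 0xDF) { n = 1; cp = c & 0x1F; }
        else if (c >= 0xE0 && c <= 0xEF) { n = 2; cp = c & 0x0F; }
        else if (c >= 0xF0 && c <= 0xF4) { n = 3; cp = c & 0x07; }
        else return 0;  /* 0x80-0xC1 and 0xF5-0xFF never start a sequence */
        if (len - i <= n) return 0;  /* truncated sequence at end of buffer */
        for (size_t k = 1; k <= n; k++) {
            unsigned char cc = buf[i + k];
            if ((cc & 0xC0) != 0x80) return 0;  /* not a continuation byte */
            cp = (cp << 6) | (cc & 0x3F);
        }
        /* overlong encodings, UTF-16 surrogates, or beyond U+10FFFF */
        if ((n == 2 && cp < 0x800) || (n == 3 && cp < 0x10000) ||
            (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0;
        i += n + 1;
    }
    return 1;
}

int main(void)
{
    /* constructed samples: valid text, a truncated 3-byte sequence, an
     * overlong "/" and a lone surrogate */
    const unsigned char ok[] = "caf\xC3\xA9";
    const unsigned char cut[] = "\xE2\x82";
    const unsigned char overlong[] = "\xC0\xAF";
    const unsigned char surrogate[] = "\xED\xA0\x80";
    printf("valid text: %d\n", utf8_subject_is_valid(ok, 5));
    printf("truncated:  %d\n", utf8_subject_is_valid(cut, 2));
    printf("overlong:   %d\n", utf8_subject_is_valid(overlong, 2));
    printf("surrogate:  %d\n", utf8_subject_is_valid(surrogate, 3));
    return 0;
}
```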
What I see when I look at the 6.9.1 code is that all of the PHP patches would apply (maybe with some minor work) as the affected code is all there and looks basically the same.
I can't say more than what upstream oniguruma has answered!
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
David added some CVE patches to oniguruma in Cauldron.
xmlrpc-epi fixes assigned CVE-2019-9024. Those fixes made it into Mageia 7 and Mageia 6 is EOL.
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Summary: xmlrpc-epi, onig, oniguruma missing fixes from PHP 5.6.40 => oniguruma missing fixes from PHP 5.6.40
Source RPM: xmlrpc-epi-0.54.2-7.mga6.src.rpm, onig-5.9.6-2.mga6.src.rpm, oniguruma-6.9.1-1.mga7.src.rpm => oniguruma-6.9.1-1.mga7.src.rpm
Could all the Fedora patches do the trick to fix the security issues? https://src.fedoraproject.org/rpms/oniguruma/tree/f30
Looking at the code in the upstream update just pushed in Cauldron and the patches in Fedora, it looks like neither have addressed whatever issues these PHP changes fixed: http://git.php.net/?p=php-src.git;a=commitdiff;h=20407d06ca3cb5eeb10f876a812b40c381574bcc http://git.php.net/?p=php-src.git;a=commitdiff;h=28362ed4fae6969b5a8878591a5a06eadf114e03 https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5
Fortunately the PHP bugs all have PoCs in them, so someone could test them with an updated oniguruma and see what happens.
Depends on: (none) => 25843
I still see no evidence that these have been addressed in oniguruma 6.9.4, so we should test the PoCs.
Fixed as best we can tell: https://advisories.mageia.org/MGASA-2020-0029.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED