PHP 5.6.40 fixed several issues in mbstring and two in xmlrpc:
The xmlrpc issues are in the bundled xmlrpc-epi. I've added a patch in SVN (pushed in Cauldron) with both fixes, but only this issue really affects the standalone package:
All of the mbstring issues are in the bundled oniguruma, and it looks like they're all relevant to the packaged version.
I'm assigning to you, because you maintain oniguruma and let it obsolete onig in cauldron. There are no registered maintainers for onig and xmlrpc-epi.
Please assign back to BugSquad if you do not like the assignment.
I opened a new bug report upstream oniguruma right now, let's see their answer:
Answer from upstream (oniguruma):
This is fixed at version 6.1.2.
Though onig_search() and onig_match() have an encoded byte length check option (ONIG_OPTION_CHECK_VALIDITY_OF_STRING),
I think onig_search() and onig_match() should not be used for validity checks of subject strings.
It is the responsibility of the application.
Fixed at least 6.9.1.
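Upstream's answer above puts the validity check of the subject string on the application, not on onig_search()/onig_match(). The following is an added example (not code from this bug, from PHP or from oniguruma) of what that check looks like in C: a strict UTF-8 validator run over the subject buffer before it is handed to the regex engine, so that a truncated or malformed multibyte sequence is rejected up front instead of reaching the matcher. The sample inputs are constructed, and the gatekeeper function reject_unless_valid() is a hypothetical stand-in for the point where an application would call into the regex library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf[0..len) is well-formed UTF-8 (RFC 3629), else 0.
   Rejects stray continuation bytes, truncated sequences at the end of
   the buffer, overlong encodings, UTF-16 surrogates and code points
   above U+10FFFF. */
int utf8_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char b = buf[i];
        size_t need;    /* number of continuation bytes expected */
        uint32_t cp;    /* decoded code point */

        if (b < 0x80) {                 /* ASCII */
            i++;
            continue;
        } else if ((b & 0xE0) == 0xC0) {  /* 2-byte lead */
            if (b < 0xC2) return 0;     /* C0/C1 are always overlong */
            need = 1; cp = b & 0x1F;
        } else if ((b & 0xF0) == 0xE0) {  /* 3-byte lead */
            need = 2; cp = b & 0x0F;
        } else if ((b & 0xF8) == 0xF0) {  /* 4-byte lead */
            if (b > 0xF4) return 0;     /* would exceed U+10FFFF */
            need = 3; cp = b & 0x07;
        } else {
            return 0;                   /* continuation byte or F8..FF */
        }

        if (len - i - 1 < need) return 0;   /* truncated at end of buffer */
        for (size_t k = 1; k <= need; k++) {
            unsigned char c = buf[i + k];
            if ((c & 0xC0) != 0x80) return 0;   /* not a continuation byte */
            cp = (cp << 6) | (c & 0x3F);
        }
        if (need == 2 && cp < 0x800) return 0;                    /* overlong 3-byte */
        if (need == 3 && (cp < 0x10000 || cp > 0x10FFFF)) return 0; /* overlong 4-byte / out of range */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;               /* surrogate */
        i += need + 1;
    }
    return 1;
}

/* Hypothetical gatekeeper: the application validates here and only a
   well-formed subject would be passed on to the regex engine.
   Returns 1 when the subject is accepted, 0 when it is refused. */
int reject_unless_valid(const unsigned char *subject, size_t len)
{
    if (!utf8_is_valid(subject, len))
        return 0;   /* refused: never reaches onig_search()/onig_match() */
    return 1;       /* accepted: safe to hand to the matcher */
}

/* Constructed sample subjects with their expected verdicts. */
struct sample { const char *bytes; size_t len; int expect; const char *why; };
static const struct sample samples[] = {
    { "abc",                3, 1, "plain ASCII" },
    { "h\xC3\xA9llo",       6, 1, "2-byte sequence (U+00E9)" },
    { "\xE2\x82\xAC",       3, 1, "3-byte sequence (U+20AC)" },
    { "\xF0\x9F\x98\x80",   4, 1, "4-byte sequence (U+1F600)" },
    { "\xC0\xAF",           2, 0, "overlong 2-byte encoding of '/'" },
    { "\xE0\x80\xAF",       3, 0, "overlong 3-byte encoding" },
    { "\xED\xA0\x80",       3, 0, "UTF-16 surrogate U+D800" },
    { "\xF4\x90\x80\x80",   4, 0, "code point above U+10FFFF" },
    { "\xE2\x82",           2, 0, "truncated 3-byte sequence" },
    { "\x80",               1, 0, "stray continuation byte" },
};

/* Runs every sample through the gatekeeper; returns the number of
   samples whose verdict differs from the expected one (0 = all correct). */
int run_samples(void)
{
    int failures = 0;
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        int got = reject_unless_valid((const unsigned char *)samples[n].bytes,
                                      samples[n].len);
        if (got != samples[n].expect) failures++;
        printf("%-8s %s\n", got ? "accept" : "reject", samples[n].why);
    }
    return failures;
}

int main(void)
{
    return run_samples() == 0 ? 0 : 1;
}
```

The validator deliberately decodes the code point rather than only checking lead/continuation bit patterns, because the overlong and surrogate cases are exactly the ones a pattern-only check lets through, and they are the kind of input that a matcher which trusts the declared encoding would step over incorrectly.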
What I see when I look at the 6.9.1 code is that all of the PHP patches would apply (maybe with some minor work) as the affected code is all there and looks basically the same.
I can't say more than that upstream oniguruma has answered!
David added some CVE patches to oniguruma in Cauldron.
xmlrpc-epi fixes assigned CVE-2019-9024. Those fixes made it into Mageia 7 and Mageia 6 is EOL.
MGA7TOO, MGA6TOO =>
xmlrpc-epi, onig, oniguruma missing fixes from PHP 5.6.40 => oniguruma missing fixes from PHP 5.6.40
Source RPM: xmlrpc-epi-0.54.2-7.mga6.src.rpm, onig-5.9.6-2.mga6.src.rpm, oniguruma-6.9.1-1.mga7.src.rpm =>
Could all the Fedora patches do the trick to fix the security issues?
Looking at the code in the upstream update just pushed in Cauldron and the patches in Fedora, it looks like neither have addressed whatever issues these PHP changes fixed:
Fortunately the PHP bugs all have PoCs in them, so someone could test them with an updated oniguruma and see what happens.
I still see no evidence that these have been addressed in oniguruma 6.9.4, so we should test the PoCs.
Fixed as best we can tell: