Bug 24338 - oniguruma missing fixes from PHP 5.6.40
Summary: oniguruma missing fixes from PHP 5.6.40
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: David GEIGER
QA Contact: Sec team
Whiteboard: MGA7TOO
Depends on: 25843
Blocks: 24165
Reported: 2019-02-10 22:03 CET by David Walser
Modified: 2020-01-12 02:34 CET

See Also:
Source RPM: oniguruma-6.9.1-1.mga7.src.rpm
Status comment:


Description David Walser 2019-02-10 22:03:03 CET
PHP 5.6.40 fixed several issues in mbstring and two in xmlrpc:

The xmlrpc issues are in the bundled xmlrpc-epi.  I've added a patch in SVN (pushed in Cauldron) with both fixes, but only this issue really affects the standalone package:

All of the mbstring issues are in the bundled oniguruma, and it looks like they're all relevant to the packaged version.
David Walser 2019-02-10 22:03:27 CET

Whiteboard: (none) => MGA6TOO
Blocks: (none) => 24165
CC: (none) => geiger.david68210

Comment 1 Marja Van Waes 2019-02-12 08:23:06 CET
@ daviddavid

I'm assigning to you, because you maintain oniguruma and let it obsolete onig in cauldron. There are no registered maintainers for onig and xmlrpc-epi.

Please assign back to BugSquad if you do not like the assignment.

CC: (none) => marja11
Assignee: bugsquad => geiger.david68210

Comment 2 David GEIGER 2019-02-12 09:20:18 CET
I opened a new bug report upstream oniguruma right now, let's see their answer:

Comment 3 David GEIGER 2019-02-12 15:36:25 CET
Answer from upstream (oniguruma):

This is fixed at version 6.1.2.

Though onig_search() and onig_match() have an encoded byte length check option (ONIG_OPTION_CHECK_VALIDITY_OF_STRING),
I think onig_search() and onig_match() should not be used for validity check of subject strings.
It is the responsibility of the application.

Fixed at least 6.9.1.
Comment 4 David Walser 2019-02-16 18:05:32 CET
What I see when I look at the 6.9.1 code is that all of the PHP patches would apply (maybe with some minor work) as the affected code is all there and looks basically the same.
Comment 5 David GEIGER 2019-02-17 07:46:50 CET
I can't say more than upstream oniguruma has answered!
David Walser 2019-06-23 19:32:38 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 6 David Walser 2019-07-13 12:51:05 CEST
David added some CVE patches to oniguruma in Cauldron.
Comment 7 David Walser 2019-11-28 16:22:37 CET
xmlrpc-epi fixes assigned CVE-2019-9024.  Those fixes made it into Mageia 7 and Mageia 6 is EOL.

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO
Summary: xmlrpc-epi, onig, oniguruma missing fixes from PHP 5.6.40 => oniguruma missing fixes from PHP 5.6.40
Source RPM: xmlrpc-epi-0.54.2-7.mga6.src.rpm, onig-5.9.6-2.mga6.src.rpm, oniguruma-6.9.1-1.mga7.src.rpm => oniguruma-6.9.1-1.mga7.src.rpm

Comment 8 David GEIGER 2019-11-29 07:07:40 CET
Could all Fedora patches do the trick to fix the security issues?

Comment 9 David Walser 2019-11-29 15:59:24 CET
Looking at the code in the upstream update just pushed in Cauldron and the patches in Fedora, it looks like neither have addressed whatever issues these PHP changes fixed:
Comment 10 David Walser 2019-11-29 16:00:51 CET
Fortunately the PHP bugs all have PoCs in them, so someone could test them with an updated oniguruma and see what happens.
David Walser 2019-12-07 23:00:18 CET

Depends on: (none) => 25843

Comment 11 David Walser 2019-12-29 18:03:13 CET
I still see no evidence that these have been addressed in oniguruma 6.9.4, so we should test the PoCs.
Comment 12 David Walser 2020-01-12 02:34:30 CET
Fixed as best we can tell:

Resolution: (none) => FIXED
