Debian-LTS has issued an advisory on December 4: https://www.debian.org/lts/security/2019/dla-2020 We should update to 6.9.4, when it's available. I haven't checked if these fixes address the issues in Bug 24338.
Blocks: (none) => 24338
Whiteboard: (none) => MGA7TOO
Fedora has issued an advisory on July 31: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/ This adds two more CVEs. They did have to include a non-upstream patch to fix one of them.
Summary: oniguruma new security issues CVE-2019-19012, CVE-2019-19204, CVE-2019-19246 => oniguruma new security issues CVE-2019-1322[45], CVE-2019-19012, CVE-2019-19204, CVE-2019-19246
Fedora has issued advisories for this on November 21: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZW47MSFZ6WYOAOFXHBDGU4LYACFRKC2Y/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NWOWZZNFSAWM3BUTQNAE3PD44A6JU4KE/ This adds one more CVE. They backported patches from upstream and from PHP.
Summary: oniguruma new security issues CVE-2019-1322[45], CVE-2019-19012, CVE-2019-19204, CVE-2019-19246 => oniguruma new security issues CVE-2019-1322[45], CVE-2019-16163, CVE-2019-19012, CVE-2019-19204, CVE-2019-19246
Fedora has issued an advisory on December 4: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/ It adds one more CVE. 6.9.4 is available, so we can update this now.
Summary: oniguruma new security issues CVE-2019-1322[45], CVE-2019-16163, CVE-2019-19012, CVE-2019-19204, CVE-2019-19246 => oniguruma new security issues CVE-2019-1322[45], CVE-2019-16163, CVE-2019-19012, CVE-2019-1920[34], CVE-2019-19246
release 6.9.4 is now done for both Cauldron and mga7!
Advisory:
========================

Updated oniguruma packages fix security vulnerabilities:

A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe() (CVE-2019-13224).

A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression (CVE-2019-13225).

Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163).

An integer overflow in the search_in_range function in regexec.c leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or information disclosure, or possibly have unspecified other impact, via a crafted regular expression (CVE-2019-19012).

An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string. This leads to a heap-based buffer over-read (CVE-2019-19203).

In the function fetch_range_quantifier in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read and can lead to denial-of-service via a crafted regular expression (CVE-2019-19204).

Heap-based buffer over-read in str_lower_case_match in regexec.c can lead to denial-of-service via a crafted regular expression (CVE-2019-19246).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13225
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19203
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19204
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19246
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NWOWZZNFSAWM3BUTQNAE3PD44A6JU4KE/
https://www.debian.org/lts/security/2019/dla-2020
https://security-tracker.debian.org/tracker/CVE-2019-19203
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NO267PLHGYZSWX3XTRPKYBKD4J3YOU5V/
========================

Updated packages in core/updates_testing:
========================

libonig5-6.9.4-1.mga7
liboniguruma-devel-6.9.4-1.mga7

from oniguruma-6.9.4-1.mga7.src.rpm
Version: Cauldron => 7
CC: (none) => geiger.david68210
Whiteboard: MGA7TOO => (none)
Assignee: geiger.david68210 => qa-bugs
Please also test the PoCs in: https://bugs.mageia.org/show_bug.cgi?id=24338#c9 so we know if those issues have been addressed.
MGA7-64 Plasma on Lenovo B50

No installation issues.
Looked into the PoCs, but can't make any sense out of them, it's beyond me.
Tried
# urpmq --whatrequires lib64onig5
lib64evhtp0
lib64jq1
lib64onig5
lib64slang2
php-mbstring
php-mbstring
php-mbstring
php-mbstring
php-mbstring
None ring a bell to me, and the recursive search lists about a few hundred packages, giving up.
At least no ill effects on the system.
CC: (none) => herman.viaene
@Herman, comment 7: Difficult to find PoC but one of the CVEs has a test script to reproduce an issue. It is time-consuming to follow up these things and not always productive so my advice is don't worry too much about them. You are doing a grand job as it is. Len
CC: (none) => tarazed25
@ Len
Can I read this as a more or less hidden hint; OK on clean install?
Absolutely not. The PoCs are very simple to test. They're just php commands.
Aha. A challenge.
Found a PoC for the CVE-2019-16163 stack exhaustion issue: https://github.com/kkos/oniguruma/issues/147
With lib64onig5-6.9.2-1 before updates.
$ gcc -g -o oniguruma_stack oniguruma_stack.c -lonig
$ ./oniguruma_stack
Segmentation fault (core dumped)

@Herman: I am willing to pursue this if you give me leave. Not wanting to tread on your toes, again.
Continuing from comment 11:

Skipped CVE-2019-16163 because the PoC is too complex for me to follow. https://github.com/kkos/oniguruma/issues/164
There is a C program with an elaborate configuration and compilation for the asan framework.

CVE-2019-19203 https://github.com/kkos/oniguruma/issues/163
Another asan test. The program searches for something connected with GB18030 encoding and the compilation has this include
-I./oniguruma-gcc-asan/src
so we do not have the resources either.

CVE-2019-19204 https://github.com/kkos/oniguruma/issues/162
Similar story, missing resources. The scripts can be compiled without the asan and src stuff but don't do anything useful.

CVE-2019-19246 https://bugs.php.net/bug.php?id=78559
Created the test script mb_eregi.php and ran it from the command line.
$ php mb_eregi.php
bool(false)
$ strace -o poc.trace php mb_eregi.php
bool(false)
$ grep libonig poc.trace
openat(AT_FDCWD, "/lib64/libonig.so.5", O_RDONLY|O_CLOEXEC) = 3
Running this via a webserver on port 8000 returns the same message in a browser.
Upstream sees heap-buffer-overflow in an asan framework. Don't know what to make of this.
Don't worry about asan stuff. Please see Comment 6. Those are the PoCs I'm most interested in the results of.
Results so far:

*Before updates*

http://git.php.net/?p=php-src.git;a=blob;f=ext/mbstring/tests/bug77370.phpt;h=c4d25582fe3bd8c4e513ffaf59cb15ead32dc0d2;hb=20407d06ca3cb5eeb10f876a812b40c381574bcc
Ran the skip command to ensure that mbstring was available. No output, implying that it was.
$ cat poc77370.php
<?php var_dump(mb_split(" \xfd","")); ?>
$ php poc77370.php
PHP Warning:  mb_split(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77370.php on line 2
bool(false)
Expected result is:
array(1) {
  [0]=>
  string(0) ""
}

http://git.php.net/?p=php-src.git;a=blob;f=ext/mbstring/tests/bug77371.phpt;h=f23445bd0917de5827dcbc839d3de918a3e5ec90;hb=28362ed4fae6969b5a8878591a5a06eadf114e03
$ cat poc77371.php
<?php var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc","")) ?>
$ php poc77371.php
PHP Warning:  mb_ereg(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77371.php on line 2
bool(false)

https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5
$ cat poc77381.php
$ php poc77381.php
PHP Warning:  mb_ereg(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77381.php on line 2
bool(false)
PHP Warning:  mb_ereg(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77381.php on line 3
bool(false)
PHP Warning:  mb_ereg(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77381.php on line 4
bool(false)
PHP Warning:  mb_ereg(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77381.php on line 5
bool(false)
Expected output:
int(1)
bool(false)
bool(false)
bool(false)

Continuing later.
Oops, dropped this somewhere....
$ cat poc77381.php
<?php
var_dump(mb_ereg("000||0\xfa","0"));
var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));
var_dump(mb_ereg("0000\\"."\xf5","0"));
var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));
?>
And this in firefox: bool(false) bool(false) bool(false) bool(false)
Updated packages and ran the PoC tests again.

$ php poc77370.php
PHP Warning:  mb_split(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77370.php on line 2
bool(false)

$ php poc77371.php
PHP Warning:  mb_ereg(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77371.php on line 2
bool(false)

$ php poc77381.php
PHP Warning:  mb_ereg(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77381.php on line 2
bool(false)
PHP Warning:  mb_ereg(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77381.php on line 3
bool(false)
PHP Warning:  mb_ereg(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77381.php on line 4
bool(false)
PHP Warning:  mb_ereg(): Pattern is not valid under UTF-8 encoding in /data/qa/oniguruma/poc77381.php on line 5
bool(false)

These last three results are the same as before. Only poc77371 returns the expected output. The web server shows green, status 200.

CVE-2019-19246
$ php mb_eregi.php
bool(false)
<no change>

CVE-2019-16163
Recompiled the test program.
$ ./oniguruma_stack
ERROR: parse depth limit over
<Good result - no segfault>

Leaving this for David to comment on. And I owe you an apology for missing your directive in comment 6 and advising Herman against PoC testing.
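As an added example (not from the bug report, nor from the oniguruma or PHP projects), a small POSIX sh runner that executes the PoC scripts named in this thread and records, per script, whether the PHP CLI exited cleanly, returned an error, or died on a signal, which is the crash-or-not question the thread is trying to settle. It assumes the PoC files sit in the current directory and that php is on PATH; the file names are the tester's, everything else is constructed here.

```shell
#!/bin/sh
# Added example: classify how each oniguruma PoC run under the PHP CLI
# terminated, so the before/after comparison is recorded rather than
# eyeballed. Nothing here is from the bug report or the upstream projects.

# classify_exit STATUS: map a shell exit status to a short verdict.
# A child killed by a signal reports 128+signum, so 139 means SIGSEGV,
# which is what a heap/stack corruption PoC typically produces.
classify_exit() {
    if [ "$1" -ge 128 ]; then
        echo "signal $(( $1 - 128 ))"
    elif [ "$1" -eq 0 ]; then
        echo "ok"
    else
        echo "error"
    fi
}

# run_and_classify CMD [ARGS...]: run a command, discard its output and
# print the verdict for its exit status. The "|| status=$?" keeps a
# failing command from aborting the script when set -e is active.
run_and_classify() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# run_pocs: execute each PoC script from the thread and print one line
# per file. display_errors=stderr routes the "Pattern is not valid"
# warnings to stderr; only the termination verdict matters here.
run_pocs() {
    for poc in poc77370.php poc77371.php poc77381.php mb_eregi.php; do
        if [ ! -f "$poc" ]; then
            echo "$poc: missing"
            continue
        fi
        verdict=$(run_and_classify php -d display_errors=stderr "$poc")
        echo "$poc: $verdict"
    done
    return 0
}

# Only run the PoCs when a PHP CLI is present; the helper functions
# above are usable on their own (e.g. for the oniguruma_stack binary).
if command -v php >/dev/null 2>&1; then
    run_pocs
fi
```

A "signal 11" verdict before the update and "ok" or "error" after it is the behavioural change the thread was looking for; "error" alone (the PHP warnings with bool(false)) is not a crash.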
Thanks Len. Looks like they're not crashing at least (they were in the PHP bug reports). So I guess either we're good, or there's something else preventing it from crashing and we're not vulnerable.
So we can send this on its way then. Setting the OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tmb, sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0029.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED