Bug 27387 - oniguruma new security issue CVE-2020-26159
Summary: oniguruma new security issue CVE-2020-26159
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All / OS: Linux
Priority: Normal / Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-11 18:13 CEST by David Walser
Modified: 2020-11-15 11:52 CET (History)

See Also:
Source RPM: oniguruma-6.9.5r1-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2020-10-11 18:13:19 CEST
A security issue fixed upstream in oniguruma has been announced on September 30:
https://www.openwall.com/lists/oss-security/2020/09/30/7

The commit that fixed the issue is linked in the message above.

Mageia 7 is also affected.
David Walser 2020-10-11 18:13:26 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-10-13 21:13:23 CEST
Fedora has issued an advisory for this on October 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZFUJY7BUIFBTZ3IUHVHCID4JYCRDGKPS/

Severity: normal => major

Comment 2 David Walser 2020-11-06 00:20:33 CET
Debian-LTS has issued an advisory for this today (November 5):
https://www.debian.org/lts/security/2020/dla-2431
Comment 3 David GEIGER 2020-11-08 07:46:33 CET
Done for both Cauldron and mga7!
Comment 4 David Walser 2020-11-09 23:10:25 CET
Advisory:
========================

Updated oniguruma packages fix security vulnerability:

In Oniguruma, an attacker able to supply a regular expression for compilation
may be able to overflow a buffer by one byte in concat_opt_exact_str in
src/regcomp.c (CVE-2020-26159).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26159
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZFUJY7BUIFBTZ3IUHVHCID4JYCRDGKPS/
========================

Updated packages in core/updates_testing:
========================
libonig5-6.9.4-1.1.mga7
liboniguruma-devel-6.9.4-1.1.mga7

from oniguruma-6.9.4-1.1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => geiger.david68210
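
The advisory above names the fixed builds (libonig5-6.9.4-1.1.mga7 and liboniguruma-devel-6.9.4-1.1.mga7). A practitioner who wants to confirm a Mageia 7 host actually carries one of those builds needs to compare rpm version and release strings the way rpm itself does, since plain string or "sort -V" comparison gets releases like 1.mga7 versus 1.1.mga7 wrong. The following is an added example, not code from the bug report or from the oniguruma or Mageia projects; it reimplements the rpm label-compare algorithm (rpmvercmp) in Python so it runs without librpm, and the `installed_nvr` helper's `rpm -q --qf` call is only usable on an rpm-based host. The fixed-build table is taken from Comment 4; the sample NVRs in the usage section are constructed.

```python
"""Check whether installed oniguruma packages are at least the fixed builds
named in the Mageia advisory for CVE-2020-26159.

Added example, not part of the bug report. The comparison follows the rpm
label-compare algorithm (rpmvercmp): segments of digits compare numerically,
segments of letters compare lexically, a numeric segment is newer than an
alphabetic one, a longer string wins when the common segments are equal, and
'~' sorts before everything including the end of the string. The '^' marker
is not handled here (an assumption that the builds in question never use it).
"""
import itertools
import re
import subprocess

# Fixed builds as listed in Comment 4 of the bug report.
FIXED_BUILDS = {
    "libonig5": "6.9.4-1.1.mga7",
    "liboniguruma-devel": "6.9.4-1.1.mga7",
}

# One segment: a run of digits, a run of letters, or the tilde marker.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version/release string a is older, equal, newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in itertools.zip_longest(sa, sb):
        if x == y:
            continue
        # Tilde sorts below anything, even the end of the other string.
        if x == "~":
            return -1
        if y == "~":
            return 1
        # One string exhausted: the one with segments left over is newer.
        if x is None:
            return -1
        if y is None:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)      # int() drops leading zeros, as rpm does
            if xi != yi:
                return -1 if xi < yi else 1
            continue
        if xd != yd:
            return 1 if xd else -1       # numeric segment beats alphabetic one
        return -1 if x < y else 1        # both alphabetic: plain string compare
    return 0


def compare_vr(installed: str, fixed: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def split_nvr(nvr: str):
    """Split 'name-version-release' from the right so hyphenated names survive."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(installed_nvr: str) -> bool:
    """True if the given installed build is at or above the advisory's fixed build."""
    name, version, release = split_nvr(installed_nvr)
    fixed = FIXED_BUILDS.get(name)
    if fixed is None:
        raise ValueError(f"no fixed build recorded for {name}")
    return compare_vr(f"{version}-{release}", fixed) >= 0


def installed_nvr(name: str) -> str:
    """Ask rpm for the installed build; only works on an rpm-based host."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}", name],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample NVRs, used when rpm is not available on this host.
    samples = ["libonig5-6.9.4-1.mga7", "libonig5-6.9.4-1.1.mga7"]
    for pkg in FIXED_BUILDS:
        try:
            samples.append(installed_nvr(pkg))
        except (OSError, subprocess.CalledProcessError):
            pass
    for nvr in samples:
        state = "fixed" if is_fixed(nvr) else "VULNERABLE, update needed"
        print(f"{nvr}: {state}")
```

The release comparison is the part worth getting right: the pre-update Mageia 7 build would be 6.9.4-1.mga7 and the fix is 6.9.4-1.1.mga7, and rpm's rule that a numeric segment ("1") outranks an alphabetic one ("mga") is what makes 1.1.mga7 newer. An installer that only checked the upstream version 6.9.4 would report both as the same and miss the update.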

Comment 5 Herman Viaene 2020-11-15 11:52:25 CET
Installed the update and looked at previous bugs 25843 and 24338, that is stuff out of my league.
Can't say any more than that it does not harm my system.

CC: (none) => herman.viaene