Debian Bug report logs - #863316
libonig: CVE-2017-9228
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>: Bug#863316; Package src:libonig. (Thu, 25 May 2017 11:45:07 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>. (Thu, 25 May 2017 11:45:07 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libonig
Version: 5.9.5-3.2
Severity: important
Tags: security patch upstream
Forwarded: https://github.com/kkos/oniguruma/issues/60
Hi,
the following vulnerability was published for libonig.
CVE-2017-9228[0]:
| An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
| Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
| out-of-bounds write occurs in bitset_set_range() during regular
| expression compilation due to an uninitialized variable from an
| incorrect state transition. An incorrect state transition in
| parse_char_class() could create an execution path that leaves a
| critical local variable uninitialized until it's used as an index,
| resulting in an out-of-bounds write memory corruption.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9228
[1] https://github.com/kkos/oniguruma/issues/60
[2] https://github.com/kkos/oniguruma/commit/3b63d12038c8d8fc278e81c942fa9bec7c704c8b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent to Jörg Frings-Fürst <debian@jff-webhosting.net>: You have taken responsibility. (Sun, 28 May 2017 06:06:11 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 28 May 2017 06:06:11 GMT)
Message #10 received at 863316-close@bugs.debian.org:
Source: libonig
Source-Version: 6.1.3-2
We believe that the bug you reported is fixed in the latest version of
libonig, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 863316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jörg Frings-Fürst <debian@jff-webhosting.net> (supplier of updated libonig package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 27 May 2017 12:05:50 +0200
Source: libonig
Binary: libonig4 libonig4-dbg libonig-dev
Architecture: source
Version: 6.1.3-2
Distribution: unstable
Urgency: high
Maintainer: Jörg Frings-Fürst <debian@jff-webhosting.net>
Changed-By: Jörg Frings-Fürst <debian@jff-webhosting.net>
Description:
libonig-dev - regular expressions library — development files
libonig4 - regular expressions library
libonig4-dbg - regular expressions library — debugging symbols
Closes: 863312 863313 863314 863315 863316 863318
Changes:
libonig (6.1.3-2) unstable; urgency=high
.
* New debian/patches/0500-CVE-2017-922[4-9].patch:
- Cherrypicked from upstream to correct:
+ CVE-2017-9224 (Closes: #863312)
+ CVE-2017-9225 (Closes: #863313)
+ CVE-2017-9226 (Closes: #863314)
+ CVE-2017-9227 (Closes: #863315)
+ CVE-2017-9228 (Closes: #863316)
+ CVE-2017-9229 (Closes: #863318)
Checksums-Sha1:
8878bdc9175853ad8f7d68dd18be483313b1b181 1974 libonig_6.1.3-2.dsc
0b34ed9aa2fa49687e73455b1371e9f05085bc1a 8376 libonig_6.1.3-2.debian.tar.xz
Checksums-Sha256:
890c77479a6d3a90085f6983d49b954c1c795d29953bc5265b28adbd98bf9527 1974 libonig_6.1.3-2.dsc
0e7112bd8eeaeba54212b8211f707b914bdf0c15c2075e3430d21f56c3ad212c 8376 libonig_6.1.3-2.debian.tar.xz
Files:
2938f89898d134d321017ae1ff314199 1974 libs extra libonig_6.1.3-2.dsc
bdbad76addb7c9320a8789b75e0bc8fd 8376 libs extra libonig_6.1.3-2.debian.tar.xz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 Jun 2017 07:25:44 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:05:34 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.