libonig: CVE-2017-9225

Related Vulnerabilities: CVE-2017-9225   CVE-2017-9224   CVE-2017-9226   CVE-2017-9227   CVE-2017-9228   CVE-2017-9229  

Debian Bug report logs - #863313

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 25 May 2017 11:39:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version libonig/6.1.3-1

Fixed in version libonig/6.1.3-2

Done: Jörg Frings-Fürst <debian@jff-webhosting.net>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/kkos/oniguruma/issues/56



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>:
Bug#863313; Package src:libonig. (Thu, 25 May 2017 11:39:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jörg Frings-Fürst <debian@jff-webhosting.net>. (Thu, 25 May 2017 11:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libonig: CVE-2017-9225
Date: Thu, 25 May 2017 13:37:54 +0200
Source: libonig
Version: 6.1.3-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/kkos/oniguruma/issues/56

Hi,

the following vulnerability was published for libonig.

CVE-2017-9225[0]:
| An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in
| Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
| out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str()
| occurs during regular expression compilation. Code point 0xFFFFFFFF is
| not properly handled in unicode_unfold_key(). A malformed regular
| expression could result in 4 bytes being written off the end of a stack
| buffer of expand_case_fold_string() during the call to
| onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer
| overflow.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9225
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9225
[1] https://github.com/kkos/oniguruma/issues/56
[2] https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f

Please adjust the affected versions in the BTS as needed. AFAICT this
only affects the version in stretch and sid, but not older.

Regards,
Salvatore
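The advisory above describes a fixed-size stack buffer in the caller being overrun by 4 bytes because the invalid-code-point sentinel 0xFFFFFFFF reaches the fold-table lookup unchecked. The following is a constructed model of that defect class and its hardened shape; it is added here and is not Oniguruma's code or the upstream patch. The table, capacity constant and function names are assumptions that only mirror the advisory's names.

```c
#include <stddef.h>
#include <stdint.h>

/* Sentinel the decoder returns for undecodable bytes (the 0xFFFFFFFF
   value named in the advisory). */
#define INVALID_CODE_POINT 0xFFFFFFFFu
#define UNICODE_MAX        0x10FFFFu
/* Capacity of the caller's stack buffer (constructed value). */
#define FOLD_ITEMS_MAX     3

typedef struct { uint32_t code; } fold_item_t;              /* 4 bytes each */
typedef struct { uint32_t from; uint32_t to[2]; int n; } unfold_entry_t;

/* Constructed miniature unfold table: 'K' folds with 'k' and KELVIN SIGN. */
static const unfold_entry_t UNFOLD_TABLE[] = {
  { 'A', { 'a', 0      }, 1 },
  { 'K', { 'k', 0x212A }, 2 },
};
#define UNFOLD_TABLE_LEN (sizeof UNFOLD_TABLE / sizeof UNFOLD_TABLE[0])

/* Hardened key lookup: the sentinel and out-of-range values are rejected
   before any table walk, so they can never select a bogus entry. */
static const unfold_entry_t *unfold_key(uint32_t code) {
  if (code == INVALID_CODE_POINT || code > UNICODE_MAX) return NULL;
  for (size_t i = 0; i < UNFOLD_TABLE_LEN; i++)
    if (UNFOLD_TABLE[i].from == code) return &UNFOLD_TABLE[i];
  return NULL;
}

/* Writes the fold items for `code` into `items`, never more than `cap`.
   Returns the number written, 0 if the code has no fold entry, and -1 if
   the input is invalid or the entry would not fit (one extra item would
   be exactly the 4-byte overrun described in the advisory). */
int get_case_fold_codes(uint32_t code, fold_item_t *items, size_t cap) {
  if (code == INVALID_CODE_POINT || code > UNICODE_MAX) return -1;
  const unfold_entry_t *e = unfold_key(code);
  if (e == NULL) return 0;
  if ((size_t)e->n > cap) return -1;   /* caller's buffer too small: refuse */
  for (int j = 0; j < e->n; j++) items[j].code = e->to[j];
  return e->n;
}

/* Caller shaped like the advisory's expand_case_fold_string(): a
   fixed-size stack buffer whose capacity is passed down explicitly. */
int expand_case_fold(uint32_t code) {
  fold_item_t items[FOLD_ITEMS_MAX];
  return get_case_fold_codes(code, items, FOLD_ITEMS_MAX);
}
```

The two checks together (reject the sentinel before lookup, and make the callee honour the caller's capacity) are the pattern a reviewer would look for when auditing a fold or case-mapping routine that writes into caller-owned storage.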
Reply sent to Jörg Frings-Fürst <debian@jff-webhosting.net>:
You have taken responsibility. (Sun, 28 May 2017 06:06:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 May 2017 06:06:04 GMT)


Message #10 received at 863313-close@bugs.debian.org:

From: Jörg Frings-Fürst <debian@jff-webhosting.net>
To: 863313-close@bugs.debian.org
Subject: Bug#863313: fixed in libonig 6.1.3-2
Date: Sun, 28 May 2017 06:03:36 +0000
Source: libonig
Source-Version: 6.1.3-2

We believe that the bug you reported is fixed in the latest version of
libonig, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863313@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jörg Frings-Fürst <debian@jff-webhosting.net> (supplier of updated libonig package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 27 May 2017 12:05:50 +0200
Source: libonig
Binary: libonig4 libonig4-dbg libonig-dev
Architecture: source
Version: 6.1.3-2
Distribution: unstable
Urgency: high
Maintainer: Jörg Frings-Fürst <debian@jff-webhosting.net>
Changed-By: Jörg Frings-Fürst <debian@jff-webhosting.net>
Description:
 libonig-dev - regular expressions library — development files
 libonig4   - regular expressions library
 libonig4-dbg - regular expressions library — debugging symbols
Closes: 863312 863313 863314 863315 863316 863318
Changes:
 libonig (6.1.3-2) unstable; urgency=high
 .
   * New debian/patches/0500-CVE-2017-922[4-9].patch:
     - Cherrypicked from upstream to correct:
       + CVE-2017-9224 (Closes: #863312)
       + CVE-2017-9225 (Closes: #863313)
       + CVE-2017-9226 (Closes: #863314)
       + CVE-2017-9227 (Closes: #863315)
       + CVE-2017-9228 (Closes: #863316)
       + CVE-2017-9229 (Closes: #863318)
Checksums-Sha1:
 8878bdc9175853ad8f7d68dd18be483313b1b181 1974 libonig_6.1.3-2.dsc
 0b34ed9aa2fa49687e73455b1371e9f05085bc1a 8376 libonig_6.1.3-2.debian.tar.xz
Checksums-Sha256:
 890c77479a6d3a90085f6983d49b954c1c795d29953bc5265b28adbd98bf9527 1974 libonig_6.1.3-2.dsc
 0e7112bd8eeaeba54212b8211f707b914bdf0c15c2075e3430d21f56c3ad212c 8376 libonig_6.1.3-2.debian.tar.xz
Files:
 2938f89898d134d321017ae1ff314199 1974 libs extra libonig_6.1.3-2.dsc
 bdbad76addb7c9320a8789b75e0bc8fd 8376 libs extra libonig_6.1.3-2.debian.tar.xz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 27 Jun 2017 07:25:23 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:45:31 2019; Machine Name: buxtehude