Date: Wed, 30 Sep 2020 19:42:34 +0000
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: [cve-request@...re.org: Re: [scr966354] oniguruma regular expression
 library - fixed in devel version cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0]

Hello, Eduardo Barretto discovered a one-byte buffer overflow in the
oniguruma regular expression library while doing a coverity scan. It
appears to be part of compiling a regular expression, and I'm not sure if
the overflow is actually reachable from untrusted inputs.

To be on the safe side we've allocated a CVE number for this overflow.

Thanks

----- Forwarded message from cve-request@...re.org -----

Date: Wed, 30 Sep 2020 08:40:12 -0400 (EDT)
From: cve-request@...re.org
To: security@...ntu.com
Cc: cve-request@...re.org
Subject: Re: [scr966354] oniguruma regular expression library - fixed in devel version
	cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
Message-Id: <20200930124012.C2BC39295BB@...prhmv1.mitre.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [Suggested description]
> In Oniguruma 6.9.5_rev1,
> an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte
> in concat_opt_exact_str in src/regcomp.c.
> 
> ------------------------------------------
> 
> [Additional Information]
> We haven't confirmed that this is reachable by an untrusted actor, nor that it has real-world consequences. Thanks.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Buffer Overflow
> 
> ------------------------------------------
> 
> [Vendor of Product]
> oniguruma regular expression library
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> oniguruma regular expression library - fixed in devel version cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
> 
> ------------------------------------------
> 
> [Affected Component]
> concat_opt_exact_str() function in src/regcomp.c
> 
> ------------------------------------------
> 
> [Attack Type]
> Context-dependent
> 
> ------------------------------------------
> 
> [Attack Vectors]
> An attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte.
> 
> ------------------------------------------
> 
> [Reference]
> https://github.com/kkos/oniguruma/issues/207
> https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
> 
> ------------------------------------------
> 
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
> 
> ------------------------------------------
> 
> [Discoverer]
> Eduardo Barretto

Use CVE-2020-26159.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----


----- End forwarded message -----
