oss-sec mailing list archives
[cve-request () mitre org: Re: [scr966354] oniguruma regular expression library - fixed in devel version cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0]
From: Seth Arnold <seth.arnold () canonical com>
Date: Wed, 30 Sep 2020 19:42:34 +0000
Hello,

Eduardo Barretto discovered a one-byte buffer overflow in the oniguruma regular expression library while doing a Coverity scan. It appears to be part of compiling a regular expression, and I'm not sure if the overflow is actually reachable from untrusted inputs.

To be on the safe side we've allocated a CVE number for this overflow.

Thanks

----- Forwarded message from cve-request () mitre org -----

Date: Wed, 30 Sep 2020 08:40:12 -0400 (EDT)
From: cve-request () mitre org
To: security () ubuntu com
Cc: cve-request () mitre org
Subject: Re: [scr966354] oniguruma regular expression library - fixed in devel version cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
Message-Id: <20200930124012.C2BC39295BB () smtprhmv1 mitre org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[Suggested description]
In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte in concat_opt_exact_str in src/regcomp.c.

------------------------------------------

[Additional Information]
We haven't confirmed that this is reachable by an untrusted actor, nor that it has real-world consequences. Thanks.

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
oniguruma regular expression library

------------------------------------------

[Affected Product Code Base]
oniguruma regular expression library - fixed in devel version cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0

------------------------------------------

[Affected Component]
concat_opt_exact_str() function in src/regcomp.c

------------------------------------------

[Attack Type]
Context-dependent

------------------------------------------

[Attack Vectors]
An attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte.

------------------------------------------

[Reference]
https://github.com/kkos/oniguruma/issues/207
https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Eduardo Barretto

Use CVE-2020-26159.

- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]

----- End forwarded message -----