oss-sec mailing list archives

[cve-request () mitre org: Re: [scr966354] oniguruma regular expression library - fixed in devel version cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0]


From: Seth Arnold <seth.arnold () canonical com>
Date: Wed, 30 Sep 2020 19:42:34 +0000

Hello, Eduardo Barretto discovered a one-byte buffer overflow in the
oniguruma regular expression library while doing a coverity scan. It
appears to be part of compiling a regular expression, and I'm not sure if
the overflow is actually reachable from untrusted inputs.

To be on the safe side we've allocated a CVE number for this overflow.

Thanks

----- Forwarded message from cve-request () mitre org -----

Date: Wed, 30 Sep 2020 08:40:12 -0400 (EDT)
From: cve-request () mitre org
To: security () ubuntu com
Cc: cve-request () mitre org
Subject: Re: [scr966354] oniguruma regular expression library - fixed in devel version
        cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
Message-Id: <20200930124012.C2BC39295BB () smtprhmv1 mitre org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[Suggested description]
In Oniguruma 6.9.5_rev1,
an attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte
in concat_opt_exact_str in src/regcomp.c.

------------------------------------------

[Additional Information]
We haven't confirmed that this is reachable by an untrusted actor, nor that it has real-world consequences. Thanks.

------------------------------------------

[Vulnerability Type]
Buffer Overflow

------------------------------------------

[Vendor of Product]
oniguruma regular expression library

------------------------------------------

[Affected Product Code Base]
oniguruma regular expression library - fixed in devel version cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0

------------------------------------------

[Affected Component]
concat_opt_exact_str() function in src/regcomp.c

------------------------------------------

[Attack Type]
Context-dependent

------------------------------------------

[Attack Vectors]
An attacker able to supply a regular expression for compilation may be able to overflow a buffer by one byte.

------------------------------------------

[Reference]
https://github.com/kkos/oniguruma/issues/207
https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Eduardo Barretto

Use CVE-2020-26159.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----


----- End forwarded message -----
