[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#27993: Oniguruma (PHP and Ruby) security issues
|
From: |
Leo Famulari |
|
Subject: |
bug#27993: Oniguruma (PHP and Ruby) security issues |
|
Date: |
Sun, 6 Aug 2017 16:29:33 -0400 |
|
User-agent: |
Mutt/1.8.3 (2017-05-23) |
Recently several serious bugs were fixed in Oniguruma,
CVE-2017-{9224,9225,9226,9227,9228,9229}:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=oniguruma
https://github.com/kkos/oniguruma#fixed-security-issues
I'm not sure exactly which Oniguruma release fixed the bugs.
Ruby includes vulnerable code from Oniguruma. I didn't see any fixes in
the Ruby Git repo.
I tried building PHP with Oniguruma 6.4.0 or 6.5.0 but the PHP test
suite fails like this:
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #72994 (mbc_to_code() out of bounds read) [ext/mbstring/tests/bug72994.phpt]
Test mb_ereg_replace() function : usage variations - <type here specifics of
this variation> [ext/mbstring/tests/mb_ereg_replace_variation1.phpt]
Test mb_ereg() function : usage variations - pass different character classes
to see they match correctly [ext/mbstring/tests/mb_ereg_variation3.phpt]
=====================================================================
I tried using the bundled Oniguruma, which includes the fixes, and it
fails like this:
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #60120 proc_open hangs with stdin/out with 2048+ bytes
[ext/standard/tests/streams/proc_open_bug60120.phpt]
=====================================================================
signature.asc
Description: PGP signature
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- bug#27993: Oniguruma (PHP and Ruby) security issues,
Leo Famulari <=