CVE-2017-9228
Published 2017-05-24
Priority P350 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.26% (92.7th percentile)
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libonig | < libonig 6.1.3-2 (bookworm) | libonig 6.1.3-2 (bookworm) |
| oniguruma_project | oniguruma | — | — |
| php | php | >= 5.6.0 < 5.6.31 | 5.6.31 |
| php | php | >= 7.0.0 < 7.0.21 | 7.0.21 |
| php | php | >= 7.1.0 < 7.1.7 | 7.1.7 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.22 | 5.5.9+dfsg-1ubuntu4.22 |
CVSS provenance
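| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 7.5 | HIGH | |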
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2017-12-18·CVSS 7.5
CVE-2016-10397 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
USN-3382-1 fixed several vulnerabilities in PHP. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that the PHP URL parser incorrectly handled certain URI
components. A remote attacker could possibly use this issue to bypass
hostname-specific URL checks. (CVE-2016-10397)
It was discovered that PHP incorrectly handled certain boolean parameters
when unserializing data. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. (CVE-2017-11143)
Sebastian Li, Wei Lei, Xie Xiaofei, and Liu Yang discovered that PHP
incorrectly handled the OpenSSL sealing function. A remote attacker could
possibly use thi
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2017-08-10·CVSS 7.5
CVE-2015-8994 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that the PHP opcache created keys for files it cached
based on their filepath. A local attacker could possibly use this issue in
a shared hosting environment to obtain sensitive information. This issue
only affected Ubuntu 14.04 LTS. (CVE-2015-8994)
It was discovered that the PHP URL parser incorrectly handled certain URI
components. A remote attacker could possibly use this issue to bypass
hostname-specific URL checks. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-10397)
It was discovered that PHP incorrectly handled certain boolean parameters
when unserializing data. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. This issue
Red Hat
oniguruma: Out-of-bounds heap write in bitset_set_range()
vendor_redhat·2017-05-23·CVSS 9.8
CVE-2017-9228 [CRITICAL] CWE-122 oniguruma: Out-of-bounds heap write in bitset_set_range()
Package: rh-ruby22-ruby (CloudForms Management Engine 5) - Under investigation
Package: ruby-200-ruby (CloudForms Management Engine 5) - Under investigation
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53
Debian
CVE-2017-9228: libonig - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby thr...
vendor_debian·2017·CVSS 9.8
CVE-2017-9228 [CRITICAL] CVE-2017-9228: libonig - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby thr...
Scope: local
bookworm: resolved (fixed in 6.1.3-2)
bullseye: resolved (fixed in 6.1.3-2)
forky: resolved (fixed in 6.1.3-2)
sid: resolved (fixed in 6.1.3-2)
trixie: resolved (fixed in 6.1.3-2)
GHSA
GHSA-qc5j-7652-9f34: An issue was discovered in Oniguruma 6
ghsa_unreviewed·2022-05-14
CVE-2017-9228 [CRITICAL] CWE-787 GHSA-qc5j-7652-9f34: An issue was discovered in Oniguruma 6
OSV
php5, php7.0 vulnerabilities
osv·2017-08-10·CVSS 7.5
CVE-2015-8994 [HIGH] php5, php7.0 vulnerabilities
It was discovered that the PHP opcache created keys for files it cached
based on their filepath. A local attacker could possibly use this issue in
a shared hosting environment to obtain sensitive information. This issue
only affected Ubuntu 14.04 LTS. (CVE-2015-8994)
It was discovered that the PHP URL parser incorrectly handled certain URI
components. A remote attacker could possibly use this issue to bypass
hostname-specific URL checks. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-10397)
It was discovered that PHP incorrectly handled certain boolean parameters
when unserializing data. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS. (CVE-2017-11143)
S
OSV
CVE-2017-9228: An issue was discovered in Oniguruma 6
osv·2017-05-24·CVSS 9.8
CVE-2017-9228 [CRITICAL] CVE-2017-9228: An issue was discovered in Oniguruma 6
No detection rules found.
No public exploits indexed.
HackerOne
PHP mbstring / Oniguruma multiple remote heap/stack corruptions
hackerone·2019-10-14·CVSS 9.8
[CRITICAL] PHP mbstring / Oniguruma multiple remote heap/stack corruptions
Oniguruma [1] by K. Kosako is a BSD licensed regular expression library that supports a variety of character encodings. The Ruby programming language, in version 1.9, as well as PHP's multi-byte string module (since PHP5), use Oniguruma as their regular expression engine. It is also used in products such as Atom, Take Command Console, Tera Term, TextMate, Sublime Text and SubEthaEdit.
We've identified six remote memory corruption issues in Oniguruma that affect the latest stable release v6.2.0 and the develop branch, they have received upstream patch in the latest stable version v6.3.0; PHP upstream has now included 5 of the patches (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229) that are applicab
Bugzilla
CVE-2017-9228 oniguruma: Out-of-bounds heap write in bitset_set_range()
bugzilla·2017-06-30·CVSS 9.8
CVE-2017-9228 [CRITICAL] CVE-2017-9228 oniguruma: Out-of-bounds heap write in bitset_set_range()
Upstream bug:
https://github.com/kkos/oniguruma/issues/60
Upstream patch:
https://github.com/kkos/oniguruma/commit/3b63d12038c8d8fc278e81c942fa9bec7c704c8b
Discussion:
Created oniguruma tracking bugs for this issue
Bugzilla
CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 oniguruma: various flaws [fedora-all]
bugzilla·2017-06-30·CVSS 9.8
CVE-2017-9224 [CRITICAL] CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 oniguruma: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: th
Bugzilla
CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 php: various flaws [fedora-all]
bugzilla·2017-06-30·CVSS 9.8
CVE-2017-9224 [CRITICAL] CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 php: various flaws [fedora-all]
Bugzilla
CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 oniguruma: various flaws [epel-7]
bugzilla·2017-06-30·CVSS 9.8
CVE-2017-9224 [CRITICAL] CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 oniguruma: various flaws [epel-7]
Discussion:
Use
Bugzilla
CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 ruby: various flaws [fedora-all]
bugzilla·2017-06-30·CVSS 9.8
CVE-2017-9224 [CRITICAL] CVE-2017-9224 CVE-2017-9225 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 ruby: various flaws [fedora-all]
References:
https://access.redhat.com/errata/RHSA-2018:1296
https://github.com/kkos/oniguruma/commit/3b63d12038c8d8fc278e81c942fa9bec7c704c8b
https://github.com/kkos/oniguruma/issues/60
Published: 2017-05-24