bug#27993: Oniguruma (PHP and Ruby) security issues
On Sun, Aug 06, 2017 at 04:29:33PM -0400, Leo Famulari wrote: > Recently several serious bugs were fixed in Oniguruma, > CVE-2017-{9224,9225,9226,9227,9228,9229}: [...] > I'm not sure exactly which Oniguruma release fixed the bugs. I'm still not sure, but our PHP package is using the latest Oniguruma, and a lot of time has passed since this bug was opened. Closing... signature.asc Description: PGP signature
bug#27993: Oniguruma (PHP and Ruby) security issues
Recently several serious bugs were fixed in Oniguruma, CVE-2017-{9224,9225,9226,9227,9228,9229}: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=oniguruma https://github.com/kkos/oniguruma#fixed-security-issues I'm not sure exactly which Oniguruma release fixed the bugs. Ruby includes vulnerable code from Oniguruma. I didn't see any fixes in the Ruby Git repo. I tried building PHP with Oniguruma 6.4.0 or 6.5.0 but the PHP test suite fails like this: = FAILED TEST SUMMARY - Bug #72994 (mbc_to_code() out of bounds read) [ext/mbstring/tests/bug72994.phpt] Test mb_ereg_replace() function : usage variations - [ext/mbstring/tests/mb_ereg_replace_variation1.phpt] Test mb_ereg() function : usage variations - pass different character classes to see they match correctly [ext/mbstring/tests/mb_ereg_variation3.phpt] = I tried using the bundled Oniguruma, which includes the fixes, and it fails like this: = FAILED TEST SUMMARY - Bug #60120 proc_open hangs with stdin/out with 2048+ bytes [ext/standard/tests/streams/proc_open_bug60120.phpt] = signature.asc Description: PGP signature