Sec Bug #78380 Oniguruma 6.9.3 fixes CVEs
Submitted: 2019-08-06 09:46 UTC Modified: 2019-08-26 02:52 UTC
From: cmb@php.net Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 7.1.31 OS: *
Private report: No CVE-ID: None

 [2019-08-06 09:46 UTC] cmb@php.net
Description:
------------
The new Oniguruma 6.9.3 fixes two CVEs[1].  These fixes might need
to be backported into our bundled oniguruma.

[1] <https://github.com/kkos/oniguruma/releases/tag/v6.9.3>


 [2019-08-06 18:58 UTC] stas@php.net
Since these fixes are already public, I think we can merge them immediately. I'll look into it this week if nobody beats me to it.
 [2019-08-21 00:49 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-08-25 06:29 UTC] stas@php.net
CVE-2019-13225 seems to not be present in the version of oniguruma lib we have up to 7.3 - at least I can't find the code that the patch fixes. 
Will merge fix for CVE-2019-13224.
 [2019-08-25 06:30 UTC] stas@php.net
I also wonder if we shouldn't bump oniguruma versions for 7.2 and 7.3 - there seem to be more fixes than that?
 [2019-08-26 02:52 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-08-26 02:52 UTC] stas@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.

Last updated: Fri Nov 22 12:01:29 2024 UTC