php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #78380 Oniguruma 6.9.3 fixes CVEs
Submitted: 2019-08-06 09:46 UTC Modified: 2019-08-26 02:52 UTC
From: cmb@php.net Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 7.1.31 OS: *
Private report: No CVE-ID: None
 [2019-08-06 09:46 UTC] cmb@php.net
Description:
------------
The new Oniguruma 6.9.3 fixes two CVEs[1].  These fixes might need
to be backported into our bundled oniguruma.

[1] <https://github.com/kkos/oniguruma/releases/tag/v6.9.3>


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-08-06 18:58 UTC] stas@php.net
Since these fixes are already public, I think we can merge them immediately. I'll look into it this week if nobody beats me to it.
 [2019-08-21 00:49 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-08-25 06:29 UTC] stas@php.net
CVE-2019-13225 seems to not be present in the version of oniguruma lib we have up to 7.3 - at least I can't find the code that the patch fixes. 
Will merge fix for CVE-2019-13224.
 [2019-08-25 06:30 UTC] stas@php.net
I also wonder if we shouldn't bump oniguruma versions for 7.2 and 7.3 - there seems to be more fixes than that?
 [2019-08-26 02:52 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-08-26 02:52 UTC] stas@php.net
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Sep 15 12:01:26 2019 UTC