FreeBSD : oniguruma -- multiple vulnerabilities (b396cf6c-62e6-11e7-9def-b499baebfeaf)

critical Nessus Plugin ID 101332

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The PHP project reports:

- A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer (CVE-2017-9224).

- A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption (CVE-2017-9226).

- A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer (CVE-2017-9227).

- A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption (CVE-2017-9228).

- A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition (CVE-2017-9228).

Solution

Update the affected packages.

See Also

http://php.net/ChangeLog-7.php

http://www.nessus.org/u?d3123c8d

Plugin Details

Severity: Critical

ID: 101332

File Name: freebsd_pkg_b396cf6c62e611e79defb499baebfeaf.nasl

Version: 3.5

Type: local

Published: 7/10/2017

Updated: 1/4/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:libevhtp, p-cpe:/a:freebsd:freebsd:oniguruma4, p-cpe:/a:freebsd:freebsd:oniguruma5, p-cpe:/a:freebsd:freebsd:oniguruma6, p-cpe:/a:freebsd:freebsd:php56-mbstring, p-cpe:/a:freebsd:freebsd:php70-mbstring, p-cpe:/a:freebsd:freebsd:php71-mbstring, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 7/7/2017

Vulnerability Publication Date: 7/6/2017

Reference Information

CVE: CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228