CVE-2017-9229

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-9229
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9229.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-9229
Published
2017-05-24T15:29:00Z
Modified
2025-09-16T06:51:58.380129Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.

Affected packages

Alpine:v3.4 / php5

Package

Name
php5
Purl
pkg:apk/alpine/php5?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
5.6.31-r0

Affected versions

5.*

5.2.8-r0
5.2.8-r1
5.2.9-r0
5.2.10-r0
5.2.10-r2
5.2.10-r3
5.2.10-r4
5.2.11-r0
5.3.0-r0
5.3.0-r1
5.3.0-r2
5.3.0-r3
5.3.1-r0
5.3.1-r1
5.3.1-r2
5.3.1-r3
5.3.1-r4
5.3.1-r5
5.3.2-r0
5.3.2-r1
5.3.2-r2
5.3.2-r3
5.3.2-r4
5.3.2-r5
5.3.2-r6
5.3.2-r7
5.3.2-r8
5.3.3-r0
5.3.3-r1
5.3.3-r2
5.3.3-r3
5.3.3-r4
5.3.3-r5
5.3.4-r0
5.3.4-r1
5.3.4-r2
5.3.5-r0
5.3.5-r1
5.3.5-r2
5.3.5-r3
5.3.5-r4
5.3.5-r5
5.3.5-r6
5.3.5-r7
5.3.6-r0
5.3.6-r1
5.3.6-r2
5.3.6-r3
5.3.6-r4
5.3.6-r5
5.3.6-r6
5.3.6-r7
5.3.6-r8
5.3.6-r9
5.3.6-r10
5.3.6-r11
5.3.7-r0
5.3.7-r1
5.3.8-r0
5.3.8-r1
5.3.8-r2
5.3.9-r0
5.3.9-r1
5.3.10-r0
5.3.10-r1
5.3.10-r2
5.3.10-r3
5.3.10-r4
5.3.10-r5
5.3.12-r0
5.3.12-r1
5.3.12-r2
5.3.12-r3
5.3.15-r3
5.3.16-r0
5.3.17-r0
5.3.18-r0
5.3.19-r0
5.3.20-r0
5.3.20-r1
5.3.21-r1
5.3.21-r2
5.3.23-r0
5.3.23-r1
5.4.14-r0
5.4.14-r1
5.4.14-r2
5.4.14-r3
5.4.15-r0
5.4.15-r1
5.4.16-r0
5.4.17-r0
5.4.17-r1
5.4.19-r0
5.4.20-r0
5.5.4-r0
5.5.4-r1
5.5.5-r0
5.5.5-r1
5.5.5-r2
5.5.6-r0
5.5.6-r1
5.5.7-r0
5.5.8-r0
5.5.8-r1
5.5.9-r0
5.5.10-r0
5.5.11-r0
5.5.11-r1
5.5.12-r0
5.5.13-r0
5.5.13-r1
5.5.13-r2
5.5.13-r3
5.5.13-r4
5.5.14-r0
5.5.15-r0
5.5.15-r1
5.5.16-r0
5.6.1-r0
5.6.1-r1
5.6.1-r2
5.6.2-r0
5.6.2-r1
5.6.3-r0
5.6.4-r0
5.6.5-r0
5.6.5-r1
5.6.6-r0
5.6.7-r0
5.6.7-r1
5.6.8-r0
5.6.8-r1
5.6.9-r0
5.6.9-r1
5.6.10-r0
5.6.11-r0
5.6.12-r0
5.6.13-r0
5.6.14-r0
5.6.15-r0
5.6.15-r1
5.6.15-r2
5.6.15-r3
5.6.16-r0
5.6.17-r0
5.6.18-r0
5.6.18-r1
5.6.19-r0
5.6.19-r1
5.6.20-r0
5.6.21-r0
5.6.21-r1
5.6.21-r2
5.6.23-r0
5.6.24-r0
5.6.25-r0
5.6.26-r0
5.6.27-r0
5.6.28-r0
5.6.29-r0
5.6.30-r0

Alpine:v3.5 / php5

Package

Name
php5
Purl
pkg:apk/alpine/php5?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
5.6.31-r0

Affected versions

5.*

5.2.8-r0
5.2.8-r1
5.2.9-r0
5.2.10-r0
5.2.10-r2
5.2.10-r3
5.2.10-r4
5.2.11-r0
5.3.0-r0
5.3.0-r1
5.3.0-r2
5.3.0-r3
5.3.1-r0
5.3.1-r1
5.3.1-r2
5.3.1-r3
5.3.1-r4
5.3.1-r5
5.3.2-r0
5.3.2-r1
5.3.2-r2
5.3.2-r3
5.3.2-r4
5.3.2-r5
5.3.2-r6
5.3.2-r7
5.3.2-r8
5.3.3-r0
5.3.3-r1
5.3.3-r2
5.3.3-r3
5.3.3-r4
5.3.3-r5
5.3.4-r0
5.3.4-r1
5.3.4-r2
5.3.5-r0
5.3.5-r1
5.3.5-r2
5.3.5-r3
5.3.5-r4
5.3.5-r5
5.3.5-r6
5.3.5-r7
5.3.6-r0
5.3.6-r1
5.3.6-r2
5.3.6-r3
5.3.6-r4
5.3.6-r5
5.3.6-r6
5.3.6-r7
5.3.6-r8
5.3.6-r9
5.3.6-r10
5.3.6-r11
5.3.7-r0
5.3.7-r1
5.3.8-r0
5.3.8-r1
5.3.8-r2
5.3.9-r0
5.3.9-r1
5.3.10-r0
5.3.10-r1
5.3.10-r2
5.3.10-r3
5.3.10-r4
5.3.10-r5
5.3.12-r0
5.3.12-r1
5.3.12-r2
5.3.12-r3
5.3.15-r3
5.3.16-r0
5.3.17-r0
5.3.18-r0
5.3.19-r0
5.3.20-r0
5.3.20-r1
5.3.21-r1
5.3.21-r2
5.3.23-r0
5.3.23-r1
5.4.14-r0
5.4.14-r1
5.4.14-r2
5.4.14-r3
5.4.15-r0
5.4.15-r1
5.4.16-r0
5.4.17-r0
5.4.17-r1
5.4.19-r0
5.4.20-r0
5.5.4-r0
5.5.4-r1
5.5.5-r0
5.5.5-r1
5.5.5-r2
5.5.6-r0
5.5.6-r1
5.5.7-r0
5.5.8-r0
5.5.8-r1
5.5.9-r0
5.5.10-r0
5.5.11-r0
5.5.11-r1
5.5.12-r0
5.5.13-r0
5.5.13-r1
5.5.13-r2
5.5.13-r3
5.5.13-r4
5.5.14-r0
5.5.15-r0
5.5.15-r1
5.5.16-r0
5.6.1-r0
5.6.1-r1
5.6.1-r2
5.6.2-r0
5.6.2-r1
5.6.3-r0
5.6.4-r0
5.6.5-r0
5.6.5-r1
5.6.6-r0
5.6.7-r0
5.6.7-r1
5.6.8-r0
5.6.8-r1
5.6.9-r0
5.6.9-r1
5.6.10-r0
5.6.11-r0
5.6.12-r0
5.6.13-r0
5.6.14-r0
5.6.15-r0
5.6.15-r1
5.6.15-r2
5.6.15-r3
5.6.16-r0
5.6.17-r0
5.6.18-r0
5.6.18-r1
5.6.19-r0
5.6.19-r1
5.6.20-r0
5.6.21-r0
5.6.21-r1
5.6.21-r2
5.6.22-r0
5.6.23-r0
5.6.24-r0
5.6.25-r0
5.6.25-r1
5.6.26-r0
5.6.26-r1
5.6.27-r0
5.6.28-r0
5.6.29-r0
5.6.29-r1
5.6.30-r0

Debian:11 / libonig

Package

Name
libonig
Purl
pkg:deb/debian/libonig?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.1.3-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libonig

Package

Name
libonig
Purl
pkg:deb/debian/libonig?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.1.3-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libonig

Package

Name
libonig
Purl
pkg:deb/debian/libonig?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.1.3-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / libonig

Package

Name
libonig
Purl
pkg:deb/debian/libonig?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 Unknown introduced version / All previous versions are affected
Fixed
6.1.3-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/kkos/oniguruma

Affected ranges

Type
GIT
Repo
https://github.com/kkos/oniguruma
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/php/php-src
Events

Affected versions

v5.*

v5.9.6

v6.*

v6.0.0
v6.1.0
v6.1.1
v6.1.2
v6.1.3

Database specific

{
    "vanir_signatures": [
        {
            "source": "https://github.com/kkos/oniguruma/commit/b690371bbf97794b4a1d3f295d4fb9a8b05d402d",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Function",
            "id": "CVE-2017-9229-2b3e9cd2",
            "digest": {
                "function_hash": "105094539439841922480547185931894644113",
                "length": 3086.0
            },
            "target": {
                "file": "src/regexec.c",
                "function": "forward_search_range"
            }
        },
        {
            "source": "https://github.com/kkos/oniguruma/commit/b690371bbf97794b4a1d3f295d4fb9a8b05d402d",
            "deprecated": false,
            "signature_version": "v1",
            "signature_type": "Line",
            "id": "CVE-2017-9229-7c84093e",
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "src/regexec.c"
            }
        }
    ]
}