Browse code
ruby cve fixes
Change-Id: I672290f7721f7fe96ea7310cf28274a80796f3f3
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/2975
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Divya Thaluru <dthaluru@vmware.com>
Priyesh Padmavilasom authored on 2017/06/18 07:20:28Showing 5 changed files
- SPECS/ruby/ruby-CVE-2017-9224.patch
- SPECS/ruby/ruby-CVE-2017-9226.patch
- SPECS/ruby/ruby-CVE-2017-9227.patch
- SPECS/ruby/ruby-CVE-2017-9229.patch
- SPECS/ruby/ruby.spec
| 1 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,24 @@ |
| 0 |
+From 690313a061f7a4fa614ec5cc8368b4f2284e059b Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: "K.Kosako" <kosako@sofnec.co.jp> |
|
| 2 |
+Date: Tue, 23 May 2017 10:28:58 +0900 |
|
| 3 |
+Subject: [PATCH] fix #57 : DATA_ENSURE() check must be before data access |
|
| 4 |
+ |
|
| 5 |
+diff --git a/regexec.c b/regexec.c.1 |
|
| 6 |
+index 9e5f559..505cb83 100644 |
|
| 7 |
+--- a/regexec.c |
|
| 8 |
+@@ -1811,14 +1811,9 @@ match_at(regex_t* reg, const UChar* str, const UChar* end, |
|
| 9 |
+ NEXT; |
|
| 10 |
+ |
|
| 11 |
+ CASE(OP_EXACT1) MOP_IN(OP_EXACT1); |
|
| 12 |
+-#if 0 |
|
| 13 |
+ DATA_ENSURE(1); |
|
| 14 |
+ if (*p != *s) goto fail; |
|
| 15 |
+ p++; s++; |
|
| 16 |
+-#endif |
|
| 17 |
+- if (*p != *s++) goto fail; |
|
| 18 |
+- DATA_ENSURE(0); |
|
| 19 |
+- p++; |
|
| 20 |
+ MOP_OUT; |
|
| 21 |
+ NEXT; |
|
| 22 |
+ |
| 0 | 23 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,37 @@ |
| 0 |
+From: "K.Kosako" <kosako@sofnec.co.jp> |
|
| 1 |
+Date: Fri, 19 May 2017 15:44:47 +0900 |
|
| 2 |
+Subject: [PATCH] fix #55 : Byte value expressed in octal must be smaller than |
|
| 3 |
+ 256 |
|
| 4 |
+ |
|
| 5 |
+diff --git a/regparse.c b/regparse.c.1 |
|
| 6 |
+index 1e0dfd9..cd412ec 100644 |
|
| 7 |
+--- a/regparse.c |
|
| 8 |
+@@ -3084,7 +3084,7 @@ fetch_token_in_cc(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env) |
|
| 9 |
+ if (PPEEK_IS('{') && IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_X_BRACE_HEX8)) {
|
|
| 10 |
+ PINC; |
|
| 11 |
+ num = scan_unsigned_hexadecimal_number(&p, end, 0, 8, enc); |
|
| 12 |
+- if (num < 0) return ONIGERR_TOO_BIG_WIDE_CHAR_VALUE; |
|
| 13 |
++ if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_WIDE_CHAR_VALUE; |
|
| 14 |
+ if (!PEND) {
|
|
| 15 |
+ c2 = PPEEK; |
|
| 16 |
+ if (ONIGENC_IS_CODE_XDIGIT(enc, c2)) |
|
| 17 |
+@@ -3534,7 +3534,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env) |
|
| 18 |
+ if (PPEEK_IS('{') && IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_X_BRACE_HEX8)) {
|
|
| 19 |
+ PINC; |
|
| 20 |
+ num = scan_unsigned_hexadecimal_number(&p, end, 0, 8, enc); |
|
| 21 |
+- if (num < 0) return ONIGERR_TOO_BIG_WIDE_CHAR_VALUE; |
|
| 22 |
++ if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_WIDE_CHAR_VALUE; |
|
| 23 |
+ if (!PEND) {
|
|
| 24 |
+ if (ONIGENC_IS_CODE_XDIGIT(enc, PPEEK)) |
|
| 25 |
+ return ONIGERR_TOO_LONG_WIDE_CHAR_VALUE; |
|
| 26 |
+@@ -4450,6 +4450,9 @@ next_state_val(CClassNode* cc, CClassNode* asc_cc, |
|
| 27 |
+ switch (*state) {
|
|
| 28 |
+ case CCS_VALUE: |
|
| 29 |
+ if (*type == CCV_SB) {
|
|
| 30 |
++ if (*vs > 0xff) |
|
| 31 |
++ return ONIGERR_INVALID_CODE_POINT_VALUE; |
|
| 32 |
++ |
|
| 33 |
+ BITSET_SET_BIT_CHKDUP(cc->bs, (int )(*vs)); |
|
| 34 |
+ if (IS_NOT_NULL(asc_cc)) |
|
| 35 |
+ BITSET_SET_BIT(asc_cc->bs, (int )(*vs)); |
| 0 | 36 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,23 @@ |
| 0 |
+From 9690d3ab1f9bcd2db8cbe1fe3ee4a5da606b8814 Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: "K.Kosako" <kosako@sofnec.co.jp> |
|
| 2 |
+Date: Tue, 23 May 2017 16:15:35 +0900 |
|
| 3 |
+Subject: [PATCH] fix #58 : access to invalid address by reg->dmin value |
|
| 4 |
+ |
|
| 5 |
+--- |
|
| 6 |
+ regexec.c | 2 ++ |
|
| 7 |
+ 1 file changed, 2 insertions(+) |
|
| 8 |
+ |
|
| 9 |
+diff --git a/regexec.c b/regexec.c.1 |
|
| 10 |
+index 9e5f559..0c6d7df 100644 |
|
| 11 |
+--- a/regexec.c |
|
| 12 |
+@@ -3917,6 +3917,8 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s, |
|
| 13 |
+ } |
|
| 14 |
+ else {
|
|
| 15 |
+ UChar *q = p + reg->dmin; |
|
| 16 |
++ |
|
| 17 |
++ if (q >= end) return 0; /* fail */ |
|
| 18 |
+ while (p < q) p += enclen(reg->enc, p, end); |
|
| 19 |
+ } |
|
| 20 |
+ } |
|
| 21 |
+ |
| 0 | 22 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,49 @@ |
| 0 |
+From b690371bbf97794b4a1d3f295d4fb9a8b05d402d Mon Sep 17 00:00:00 2001 |
|
| 1 |
+From: "K.Kosako" <kosako@sofnec.co.jp> |
|
| 2 |
+Date: Wed, 24 May 2017 10:27:04 +0900 |
|
| 3 |
+Subject: [PATCH] fix #59 : access to invalid address by reg->dmax value |
|
| 4 |
+ |
|
| 5 |
+--- |
|
| 6 |
+ regexec.c | 27 +++++++++++++++++---------- |
|
| 7 |
+ 1 file changed, 17 insertions(+), 10 deletions(-) |
|
| 8 |
+ |
|
| 9 |
+diff --git a/regexec.c b/regexec.c.1 |
|
| 10 |
+index 9e5f559..3d18c58 100644 |
|
| 11 |
+--- a/regexec.c |
|
| 12 |
+@@ -4000,18 +4000,25 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s, |
|
| 13 |
+ } |
|
| 14 |
+ else {
|
|
| 15 |
+ if (reg->dmax != ONIG_INFINITE_DISTANCE) {
|
|
| 16 |
+- *low = p - reg->dmax; |
|
| 17 |
+- if (*low > s) {
|
|
| 18 |
+- *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s, |
|
| 19 |
+- *low, end, (const UChar** )low_prev); |
|
| 20 |
+- if (low_prev && IS_NULL(*low_prev)) |
|
| 21 |
+- *low_prev = onigenc_get_prev_char_head(reg->enc, |
|
| 22 |
+- (pprev ? pprev : s), *low, end); |
|
| 23 |
++ if (p - str < reg->dmax) {
|
|
| 24 |
++ *low = (UChar* )str; |
|
| 25 |
++ if (low_prev) |
|
| 26 |
++ *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low, end); |
|
| 27 |
+ } |
|
| 28 |
+ else {
|
|
| 29 |
+- if (low_prev) |
|
| 30 |
+- *low_prev = onigenc_get_prev_char_head(reg->enc, |
|
| 31 |
+- (pprev ? pprev : str), *low, end); |
|
| 32 |
++ *low = p - reg->dmax; |
|
| 33 |
++ if (*low > s) {
|
|
| 34 |
++ *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s, |
|
| 35 |
++ *low, end, (const UChar** )low_prev); |
|
| 36 |
++ if (low_prev && IS_NULL(*low_prev)) |
|
| 37 |
++ *low_prev = onigenc_get_prev_char_head(reg->enc, |
|
| 38 |
++ (pprev ? pprev : s), *low, end); |
|
| 39 |
++ } |
|
| 40 |
++ else {
|
|
| 41 |
++ if (low_prev) |
|
| 42 |
++ *low_prev = onigenc_get_prev_char_head(reg->enc, |
|
| 43 |
++ (pprev ? pprev : str), *low, end); |
|
| 44 |
++ } |
|
| 45 |
+ } |
|
| 46 |
+ } |
|
| 47 |
+ } |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
Summary: Ruby |
| 2 | 2 |
Name: ruby |
| 3 | 3 |
Version: 2.4.0 |
| 4 |
-Release: 2%{?dist}
|
|
| 4 |
+Release: 3%{?dist}
|
|
| 5 | 5 |
License: BSDL |
| 6 | 6 |
URL: https://www.ruby-lang.org/en/ |
| 7 | 7 |
Group: System Environment/Security |
| ... | ... |
@@ -9,6 +9,10 @@ Vendor: VMware, Inc. |
| 9 | 9 |
Distribution: Photon |
| 10 | 10 |
Source0: http://cache.ruby-lang.org/pub/ruby/%{version}/%{name}-%{version}.tar.gz
|
| 11 | 11 |
%define sha1 ruby=d44a3c50a0e742341ed3033d5db79d865151a4f4 |
| 12 |
+Patch0: ruby-CVE-2017-9224.patch |
|
| 13 |
+Patch1: ruby-CVE-2017-9226.patch |
|
| 14 |
+Patch2: ruby-CVE-2017-9227.patch |
|
| 15 |
+Patch3: ruby-CVE-2017-9229.patch |
|
| 12 | 16 |
BuildRequires: openssl-devel |
| 13 | 17 |
BuildRequires: ca-certificates |
| 14 | 18 |
BuildRequires: readline-devel |
| ... | ... |
@@ -22,6 +26,10 @@ This is useful for object-oriented scripting. |
| 22 | 22 |
|
| 23 | 23 |
%prep |
| 24 | 24 |
%setup -q |
| 25 |
+%patch0 -p1 |
|
| 26 |
+%patch1 -p1 |
|
| 27 |
+%patch2 -p1 |
|
| 28 |
+%patch3 -p1 |
|
| 25 | 29 |
%build |
| 26 | 30 |
./configure \ |
| 27 | 31 |
--prefix=%{_prefix} \
|
| ... | ... |
@@ -49,6 +57,9 @@ rm -rf %{buildroot}/*
|
| 49 | 49 |
%{_docdir}/%{name}-%{version}
|
| 50 | 50 |
%{_mandir}/man1/*
|
| 51 | 51 |
%changelog |
| 52 |
+* Tue Jun 13 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.4.0-3 |
|
| 53 |
+- [security] CVE-2017-9224,CVE-2017-9225 |
|
| 54 |
+- [security] CVE-2017-9227,CVE-2017-9229 |
|
| 52 | 55 |
* Wed May 31 2017 Divya Thaluru <dthaluru@vmware.com> 2.4.0-2 |
| 53 | 56 |
- Bump release to build with latest openssl |
| 54 | 57 |
* Wed Jan 18 2017 Anish Swaminathan <anishs@vmware.com> 2.4.0-1 |