Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755.
Fix for CVE-2023-36617.
616926b55e
Resolves: RHEL-5614
This commit is contained in:
parent
4485ba4edc
commit
3a6a1691ce
@ -0,0 +1,44 @@
|
|||||||
|
From 5d08bbb0415c2ecc10037837b81e6a27d40ee7be Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
|
||||||
|
Date: Thu, 29 Jun 2023 22:25:17 +0900
|
||||||
|
Subject: [PATCH] CVE-2023-36617 for Ruby 3.0 (#7997)
|
||||||
|
|
||||||
|
* Merge URI-0.10.3
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
Backport note, bundler is not distributed the same as RubyGems in Ruby
|
||||||
|
2.5, therefore we do not use backport for Bundler.
|
||||||
|
---
|
||||||
|
lib/uri/rfc2396_parser.rb | 4 ++--
|
||||||
|
lib/uri/rfc3986_parser.rb | 2 +-
|
||||||
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb
|
||||||
|
index b9e7b2b26e..c7c3ecd96d 100644
|
||||||
|
--- a/lib/uri/rfc2396_parser.rb
|
||||||
|
+++ b/lib/uri/rfc2396_parser.rb
|
||||||
|
@@ -502,8 +502,8 @@ def initialize_regexp(pattern)
|
||||||
|
ret = {}
|
||||||
|
|
||||||
|
# for URI::split
|
||||||
|
- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
|
||||||
|
- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
|
||||||
|
+ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
|
||||||
|
+ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
|
||||||
|
|
||||||
|
# for URI::extract
|
||||||
|
ret[:URI_REF] = Regexp.new(pattern[:URI_REF])
|
||||||
|
diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb
|
||||||
|
index ad32368cfa..1accd03376 100644
|
||||||
|
--- a/lib/uri/rfc3986_parser.rb
|
||||||
|
+++ b/lib/uri/rfc3986_parser.rb
|
||||||
|
@@ -106,7 +106,7 @@ def default_regexp # :nodoc:
|
||||||
|
QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
|
||||||
|
FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
|
||||||
|
OPAQUE: /\A(?:[^\/].*)?\z/,
|
||||||
|
- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
|
||||||
|
+ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
13
ruby.spec
13
ruby.spec
@ -21,7 +21,7 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%global release 111
|
%global release 112
|
||||||
|
|
||||||
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
|
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
|
||||||
|
|
||||||
@ -234,6 +234,11 @@ Patch42: ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch
|
|||||||
# https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416
|
# https://github.com/ruby/ruby/commit/d3933fc753187a055a4904af82f5f3794c88c416
|
||||||
# https://bugs.ruby-lang.org/issues/20106
|
# https://bugs.ruby-lang.org/issues/20106
|
||||||
Patch43: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
|
Patch43: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
|
||||||
|
# CVE-2023-36617 ReDoS vulnerability - upstream's incomplete fix
|
||||||
|
# for CVE-2023-28755.
|
||||||
|
# Tests not included as assert_linear_time was introduced in Ruby 2.7.
|
||||||
|
# https://github.com/ruby/ruby/commit/616926b55e306a0704254a7ddfd6e9834d06c7f2
|
||||||
|
Patch44: ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch
|
||||||
|
|
||||||
|
|
||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
@ -648,6 +653,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
|
|||||||
%patch41 -p1
|
%patch41 -p1
|
||||||
%patch42 -p1
|
%patch42 -p1
|
||||||
%patch43 -p1
|
%patch43 -p1
|
||||||
|
%patch44 -p1
|
||||||
|
|
||||||
# Provide an example of usage of the tapset:
|
# Provide an example of usage of the tapset:
|
||||||
cp -a %{SOURCE3} .
|
cp -a %{SOURCE3} .
|
||||||
@ -1200,6 +1206,11 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
|
|||||||
%{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
|
%{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue May 21 2024 Jarek Prokop <jprokop@redhat.com> - 2.5.9-112
|
||||||
|
- Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755.
|
||||||
|
(CVE-2023-36617)
|
||||||
|
Resolves: RHEL-5614
|
||||||
|
|
||||||
* Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
|
* Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
|
||||||
- Fix HTTP response splitting in CGI.
|
- Fix HTTP response splitting in CGI.
|
||||||
Resolves: CVE-2021-33621
|
Resolves: CVE-2021-33621
|
||||||
|
Loading…
Reference in New Issue
Block a user