Fix buffer overrun in String-to-Float conversion.
Backported from upstream Ruby 2.6.10:
<69f9992ed4
>
Resolves: CVE-2022-28739
This commit is contained in:
parent
064a52cca5
commit
446d49ffd1
@ -0,0 +1,73 @@
|
||||
From 8e2ed0b9d965a526b29f9dc3bff8e9fe33dae98d Mon Sep 17 00:00:00 2001
|
||||
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
|
||||
Date: Tue, 12 Apr 2022 11:49:45 +0000
|
||||
Subject: [PATCH] Fix CVE-2022-28739 Buffer overrun in str2float.
|
||||
|
||||
CVE-2022-28739: Buffer overrun in String-to-Float conversion
|
||||
Backported from upstream Ruby 2.6.10,
|
||||
Git commit:
|
||||
https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306
|
||||
|
||||
==== Original commit message
|
||||
|
||||
Fix dtoa buffer overrun
|
||||
|
||||
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67957 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
||||
---
|
||||
test/ruby/test_float.rb | 18 ++++++++++++++++++
|
||||
util.c | 3 ++-
|
||||
2 files changed, 20 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/test/ruby/test_float.rb b/test/ruby/test_float.rb
|
||||
index 7fabfd3..78c63c2 100644
|
||||
--- a/test/ruby/test_float.rb
|
||||
+++ b/test/ruby/test_float.rb
|
||||
@@ -171,6 +171,24 @@ class TestFloat < Test::Unit::TestCase
|
||||
assert_raise(ArgumentError, n += z + "A") {Float(n)}
|
||||
assert_raise(ArgumentError, n += z + ".0") {Float(n)}
|
||||
end
|
||||
+
|
||||
+ x = nil
|
||||
+ 2000.times do
|
||||
+ x = Float("0x"+"0"*30)
|
||||
+ break unless x == 0.0
|
||||
+ end
|
||||
+ assert_equal(0.0, x, ->{"%a" % x})
|
||||
+ x = nil
|
||||
+ 2000.times do
|
||||
+ begin
|
||||
+ x = Float("0x1."+"0"*270)
|
||||
+ rescue ArgumentError => e
|
||||
+ raise unless /"0x1\.0{270}"/ =~ e.message
|
||||
+ else
|
||||
+ break
|
||||
+ end
|
||||
+ end
|
||||
+ assert_nil(x, ->{"%a" % x})
|
||||
end
|
||||
|
||||
def test_divmod
|
||||
diff --git a/util.c b/util.c
|
||||
index 2222744..f1d910f 100644
|
||||
--- a/util.c
|
||||
+++ b/util.c
|
||||
@@ -2046,6 +2046,7 @@ break2:
|
||||
if (!*++s || !(s1 = strchr(hexdigit, *s))) goto ret0;
|
||||
if (*s == '0') {
|
||||
while (*++s == '0');
|
||||
+ if (!*s) goto ret;
|
||||
s1 = strchr(hexdigit, *s);
|
||||
}
|
||||
if (s1 != NULL) {
|
||||
@@ -2068,7 +2069,7 @@ break2:
|
||||
for (; *s && (s1 = strchr(hexdigit, *s)); ++s) {
|
||||
adj += aadj * ((s1 - hexdigit) & 15);
|
||||
if ((aadj /= 16) == 0.0) {
|
||||
- while (strchr(hexdigit, *++s));
|
||||
+ while (*++s && strchr(hexdigit, *s));
|
||||
break;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.41.0
|
||||
|
@ -216,6 +216,10 @@ Patch38: ruby-2.7.7-Fix-CVE-2021-33621-HTTP-response-splitting-in-CGI.patch
|
||||
# to retain compatibility.
|
||||
# https://github.com/ruby/cgi/commit/5e09d632f3b56d85b2659ab47d5571ae9e270e10
|
||||
Patch39: rubygem-cgi-0.3.6-Loosen-the-domain-regex-to-accept-dot.patch
|
||||
# CVE-2022-28739: Buffer overrun in String-to-Float conversion.
|
||||
# Backported from:
|
||||
# https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306
|
||||
Patch40: ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
|
||||
|
||||
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
@ -626,6 +630,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
|
||||
%patch37 -p1
|
||||
%patch38 -p1
|
||||
%patch39 -p1
|
||||
%patch40 -p1
|
||||
|
||||
# Provide an example of usage of the tapset:
|
||||
cp -a %{SOURCE3} .
|
||||
@ -1181,6 +1186,8 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
|
||||
* Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
|
||||
- Fix HTTP response splitting in CGI.
|
||||
Resolves: CVE-2021-33621
|
||||
- Fix Buffer overrun in String-to-Float conversion.
|
||||
Resolves: CVE-2022-28739
|
||||
|
||||
* Thu May 25 2023 Todd Zullinger <tmz@pobox.com> - 2.5.9-111
|
||||
- Fix rdoc parsing of nil text tokens.
|
||||
|
Loading…
Reference in New Issue
Block a user