Fix buffer overrun in String-to-Float conversion.

Backported from upstream Ruby 2.6.10: <69f9992ed4> Resolves: CVE-2022-28739
2023-06-12 20:08:04 +02:00 · 2023-06-12 20:08:04 +02:00 · 446d49ffd1
commit 446d49ffd1
parent 064a52cca5
2 changed files with 80 additions and 0 deletions
--- a/ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
+++ b/ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
@ -0,0 +1,73 @@
+From 8e2ed0b9d965a526b29f9dc3bff8e9fe33dae98d Mon Sep 17 00:00:00 2001
+From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Tue, 12 Apr 2022 11:49:45 +0000
+Subject: [PATCH] Fix CVE-2022-28739 Buffer overrun in str2float.
+
+CVE-2022-28739: Buffer overrun in String-to-Float conversion
+Backported from upstream Ruby 2.6.10,
+Git commit:
+https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306
+
+==== Original commit message
+
+Fix dtoa buffer overrun
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67957 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ test/ruby/test_float.rb | 18 ++++++++++++++++++
+ util.c                  |  3 ++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/test/ruby/test_float.rb b/test/ruby/test_float.rb
+index 7fabfd3..78c63c2 100644
+--- a/test/ruby/test_float.rb
+++ b/test/ruby/test_float.rb
+@@ -171,6 +171,24 @@ class TestFloat < Test::Unit::TestCase
+       assert_raise(ArgumentError, n += z + "A") {Float(n)}
+       assert_raise(ArgumentError, n += z + ".0") {Float(n)}
+     end
+
+    x = nil
+    2000.times do
+      x = Float("0x"+"0"*30)
+      break unless x == 0.0
+    end
+    assert_equal(0.0, x, ->{"%a" % x})
+    x = nil
+    2000.times do
+      begin
+        x = Float("0x1."+"0"*270)
+      rescue ArgumentError => e
+        raise unless /"0x1\.0{270}"/ =~ e.message
+      else
+        break
+      end
+    end
+    assert_nil(x, ->{"%a" % x})
+   end
+ 
+   def test_divmod
+diff --git a/util.c b/util.c
+index 2222744..f1d910f 100644
+--- a/util.c
+++ b/util.c
+@@ -2046,6 +2046,7 @@ break2:
+ 	    if (!*++s || !(s1 = strchr(hexdigit, *s))) goto ret0;
+ 	    if (*s == '0') {
+ 		while (*++s == '0');
+		if (!*s) goto ret;
+ 		s1 = strchr(hexdigit, *s);
+ 	    }
+ 	    if (s1 != NULL) {
+@@ -2068,7 +2069,7 @@ break2:
+ 		for (; *s && (s1 = strchr(hexdigit, *s)); ++s) {
+ 		    adj += aadj * ((s1 - hexdigit) & 15);
+ 		    if ((aadj /= 16) == 0.0) {
+-			while (strchr(hexdigit, *++s));
+			while (*++s && strchr(hexdigit, *s));
+ 			break;
+ 		    }
+ 		}
+-- 
+2.41.0
+
--- a/ruby.spec
+++ b/ruby.spec
@ -216,6 +216,10 @@ Patch38: ruby-2.7.7-Fix-CVE-2021-33621-HTTP-response-splitting-in-CGI.patch
 # to retain compatibility.
 # https://github.com/ruby/cgi/commit/5e09d632f3b56d85b2659ab47d5571ae9e270e10
 Patch39: rubygem-cgi-0.3.6-Loosen-the-domain-regex-to-accept-dot.patch
+# CVE-2022-28739: Buffer overrun in String-to-Float conversion.
+# Backported from:
+# https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306
+Patch40: ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch


 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -626,6 +630,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
 %patch37 -p1
 %patch38 -p1
 %patch39 -p1
+%patch40 -p1

 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1181,6 +1186,8 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 * Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
 - Fix HTTP response splitting in CGI.
  Resolves: CVE-2021-33621
+- Fix Buffer overrun in String-to-Float conversion.
+  Resolves: CVE-2022-28739

 * Thu May 25 2023 Todd Zullinger <tmz@pobox.com> - 2.5.9-111
 - Fix rdoc parsing of nil text tokens.