From 446d49ffd1c9b1cc71544dcb7a555cb3dd1aa4f7 Mon Sep 17 00:00:00 2001
From: Jarek Prokop
Date: Mon, 12 Jun 2023 20:08:04 +0200
Subject: [PATCH] Fix buffer overrun in String-to-Float conversion.

Backported from upstream Ruby 2.6.10:
Resolves: CVE-2022-28739
---
 ...22-28739-Buffer-overrun-in-str2float.patch | 73 +++++++++++++++++++
 ruby.spec | 7 ++
 2 files changed, 80 insertions(+)
 create mode 100644 ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch

diff --git a/ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch b/ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
new file mode 100644
index 0000000..5c7aec5
--- /dev/null
+++ b/ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
@@ -0,0 +1,73 @@
+From 8e2ed0b9d965a526b29f9dc3bff8e9fe33dae98d Mon Sep 17 00:00:00 2001
+From: usa
+Date: Tue, 12 Apr 2022 11:49:45 +0000
+Subject: [PATCH] Fix CVE-2022-28739 Buffer overrun in str2float.
+
+CVE-2022-28739: Buffer overrun in String-to-Float conversion
+Backported from upstream Ruby 2.6.10,
+Git commit:
+https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306
+
+==== Original commit message
+
+Fix dtoa buffer overrun
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67957 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ test/ruby/test_float.rb | 18 ++++++++++++++++++
+ util.c | 3 ++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/test/ruby/test_float.rb b/test/ruby/test_float.rb
+index 7fabfd3..78c63c2 100644
+--- a/test/ruby/test_float.rb
++++ b/test/ruby/test_float.rb
+@@ -171,6 +171,24 @@ class TestFloat < Test::Unit::TestCase
+ assert_raise(ArgumentError, n += z + "A") {Float(n)}
+ assert_raise(ArgumentError, n += z + ".0") {Float(n)}
+ end
++
++ x = nil
++ 2000.times do
++ x = Float("0x"+"0"*30)
++ break unless x == 0.0
++ end
++ assert_equal(0.0, x, ->{"%a" % x})
++ x = nil
++ 2000.times do
++ begin
++ x = Float("0x1."+"0"*270)
++ rescue ArgumentError => e
++ raise unless /"0x1\.0{270}"/ =~ e.message
++ else
++ break
++ end
++ end
++ assert_nil(x, ->{"%a" % x})
+ end
+
+ def test_divmod
+diff --git a/util.c b/util.c
+index 2222744..f1d910f 100644
+--- a/util.c
++++ b/util.c
+@@ -2046,6 +2046,7 @@ break2:
+ if (!*++s || !(s1 = strchr(hexdigit, *s))) goto ret0;
+ if (*s == '0') {
+ while (*++s == '0');
++ if (!*s) goto ret;
+ s1 = strchr(hexdigit, *s);
+ }
+ if (s1 != NULL) {
+@@ -2068,7 +2069,7 @@ break2:
+ for (; *s && (s1 = strchr(hexdigit, *s)); ++s) {
+ adj += aadj * ((s1 - hexdigit) & 15);
+ if ((aadj /= 16) == 0.0) {
+- while (strchr(hexdigit, *++s));
++ while (*++s && strchr(hexdigit, *s));
+ break;
+ }
+ }
+--
+2.41.0
+
diff --git a/ruby.spec b/ruby.spec
index fb05bef..54d8e96 100644
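Review bot: The two guards added in the util.c hunks are correct but carry no explanation of the trap they close: `strchr(hexdigit, *s)` with `*s == '\0'` matches hexdigit's own terminating NUL and returns non-NULL, so without the `*s` test the scan walks past the end of the input string, which is the overrun CVE-2022-28739 describes. A one-line comment on the new `if (!*s) goto ret;` line, e.g. `/* strchr() matches the terminating NUL; test *s first or the scan runs off the end of the string */`, would keep a later cleanup from dropping the `*++s &&` precondition in the second hunk again. Every other `strchr(hexdigit, *s)` call visible in the hunks is already preceded by a `*s` check, so the change looks complete for the lines shown, but the enclosing function (the hexadecimal branch of the string-to-double routine) starts and ends outside the hunk, and whether the `ret` label yields the 0.0 that the new `Float("0x"+"0"*30)` test expects cannot be confirmed from here. The added test detects the overrun only probabilistically (it retries 2000 times, relying on the bytes past the string not being hex digits), so running the suite under ASan is what actually makes this regression check deterministic.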
--- a/ruby.spec
+++ b/ruby.spec
@@ -216,6 +216,10 @@ Patch38: ruby-2.7.7-Fix-CVE-2021-33621-HTTP-response-splitting-in-CGI.patch
 # to retain compatibility.
 # https://github.com/ruby/cgi/commit/5e09d632f3b56d85b2659ab47d5571ae9e270e10
 Patch39: rubygem-cgi-0.3.6-Loosen-the-domain-regex-to-accept-dot.patch
+# CVE-2022-28739: Buffer overrun in String-to-Float conversion.
+# Backported from:
+# https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306
+Patch40: ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@@ -626,6 +630,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
 %patch37 -p1
 %patch38 -p1
 %patch39 -p1
+%patch40 -p1
 
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@@ -1181,6 +1186,8 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 * Mon Jun 12 2023 Jarek Prokop - 2.5.9-111
 - Fix HTTP response splitting in CGI.
   Resolves: CVE-2021-33621
+- Fix Buffer overrun in String-to-Float conversion.
+  Resolves: CVE-2022-28739
 
 * Thu May 25 2023 Todd Zullinger - 2.5.9-111
 - Fix rdoc parsing of nil text tokens.