Fix buffer overrun in String-to-Float conversion.

Backported from upstream Ruby 2.6.10:
<69f9992ed4>

Resolves: CVE-2022-28739
This commit is contained in:
Jarek Prokop 2023-06-12 20:08:04 +02:00
parent 064a52cca5
commit 446d49ffd1
2 changed files with 80 additions and 0 deletions

View File

@ -0,0 +1,73 @@
From 8e2ed0b9d965a526b29f9dc3bff8e9fe33dae98d Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Tue, 12 Apr 2022 11:49:45 +0000
Subject: [PATCH] Fix CVE-2022-28739 Buffer overrun in str2float.
CVE-2022-28739: Buffer overrun in String-to-Float conversion
Backported from upstream Ruby 2.6.10,
Git commit:
https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306
==== Original commit message
Fix dtoa buffer overrun
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67957 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
test/ruby/test_float.rb | 18 ++++++++++++++++++
util.c | 3 ++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/test/ruby/test_float.rb b/test/ruby/test_float.rb
index 7fabfd3..78c63c2 100644
--- a/test/ruby/test_float.rb
+++ b/test/ruby/test_float.rb
@@ -171,6 +171,24 @@ class TestFloat < Test::Unit::TestCase
assert_raise(ArgumentError, n += z + "A") {Float(n)}
assert_raise(ArgumentError, n += z + ".0") {Float(n)}
end
+
+ x = nil
+ 2000.times do
+ x = Float("0x"+"0"*30)
+ break unless x == 0.0
+ end
+ assert_equal(0.0, x, ->{"%a" % x})
+ x = nil
+ 2000.times do
+ begin
+ x = Float("0x1."+"0"*270)
+ rescue ArgumentError => e
+ raise unless /"0x1\.0{270}"/ =~ e.message
+ else
+ break
+ end
+ end
+ assert_nil(x, ->{"%a" % x})
end
def test_divmod
diff --git a/util.c b/util.c
index 2222744..f1d910f 100644
--- a/util.c
+++ b/util.c
@@ -2046,6 +2046,7 @@ break2:
if (!*++s || !(s1 = strchr(hexdigit, *s))) goto ret0;
if (*s == '0') {
while (*++s == '0');
+ if (!*s) goto ret;
s1 = strchr(hexdigit, *s);
}
if (s1 != NULL) {
@@ -2068,7 +2069,7 @@ break2:
for (; *s && (s1 = strchr(hexdigit, *s)); ++s) {
adj += aadj * ((s1 - hexdigit) & 15);
if ((aadj /= 16) == 0.0) {
- while (strchr(hexdigit, *++s));
+ while (*++s && strchr(hexdigit, *s));
break;
}
}
--
2.41.0

View File

@ -216,6 +216,10 @@ Patch38: ruby-2.7.7-Fix-CVE-2021-33621-HTTP-response-splitting-in-CGI.patch
# to retain compatibility. # to retain compatibility.
# https://github.com/ruby/cgi/commit/5e09d632f3b56d85b2659ab47d5571ae9e270e10 # https://github.com/ruby/cgi/commit/5e09d632f3b56d85b2659ab47d5571ae9e270e10
Patch39: rubygem-cgi-0.3.6-Loosen-the-domain-regex-to-accept-dot.patch Patch39: rubygem-cgi-0.3.6-Loosen-the-domain-regex-to-accept-dot.patch
# CVE-2022-28739: Buffer overrun in String-to-Float conversion.
# Backported from:
# https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306
Patch40: ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -626,6 +630,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
%patch37 -p1 %patch37 -p1
%patch38 -p1 %patch38 -p1
%patch39 -p1 %patch39 -p1
%patch40 -p1
# Provide an example of usage of the tapset: # Provide an example of usage of the tapset:
cp -a %{SOURCE3} . cp -a %{SOURCE3} .
@ -1181,6 +1186,8 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
* Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111 * Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
- Fix HTTP response splitting in CGI. - Fix HTTP response splitting in CGI.
Resolves: CVE-2021-33621 Resolves: CVE-2021-33621
- Fix Buffer overrun in String-to-Float conversion.
Resolves: CVE-2022-28739
* Thu May 25 2023 Todd Zullinger <tmz@pobox.com> - 2.5.9-111 * Thu May 25 2023 Todd Zullinger <tmz@pobox.com> - 2.5.9-111
- Fix rdoc parsing of nil text tokens. - Fix rdoc parsing of nil text tokens.