Fix ReDoS vulnerability in Time.
Do not include the test case, as assert_linear_time was introduced in Ruby 2.7. Backported from: Ruby 2.7.8 Backported from the following commits:2cb830602f
e3f18f7d2e
Resolves: CVE-2023-28756
This commit is contained in:
parent
838b4276a7
commit
73cefa374b
@ -0,0 +1,41 @@
|
||||
From 71c37c29defeab2c98ad4291807efe12427a209f Mon Sep 17 00:00:00 2001
|
||||
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
|
||||
Date: Tue, 29 Nov 2022 16:22:15 +0900
|
||||
Subject: [PATCH] Fix CVE-2023-28756 ReDoS vulnerability in Time.
|
||||
|
||||
Backported from: Ruby 2.7.8
|
||||
Backported from the following commits:
|
||||
https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
|
||||
https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a
|
||||
|
||||
Do not include the test case, as assert_linear_time was introduced in Ruby 2.7.
|
||||
|
||||
==== Original commit message(s)
|
||||
|
||||
Fix quadratic backtracking on invalid time
|
||||
|
||||
Make RFC2822 regexp linear
|
||||
|
||||
https://hackerone.com/reports/1485501
|
||||
---
|
||||
lib/time.rb | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/time.rb b/lib/time.rb
|
||||
index eb46a03..cb6f1e4 100644
|
||||
--- a/lib/time.rb
|
||||
+++ b/lib/time.rb
|
||||
@@ -474,8 +474,8 @@ class Time
|
||||
(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
|
||||
(\d{2,})\s+
|
||||
(\d{2})\s*
|
||||
- :\s*(\d{2})\s*
|
||||
- (?::\s*(\d{2}))?\s+
|
||||
+ :\s*(\d{2})
|
||||
+ (?:\s*:\s*(\d\d))?\s+
|
||||
([+-]\d{4}|
|
||||
UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
|
||||
# Since RFC 2822 permit comments, the regexp has no right anchor.
|
||||
--
|
||||
2.41.0
|
||||
|
@ -224,6 +224,12 @@ Patch40: ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
|
||||
# Backported from:
|
||||
# https://github.com/ruby/ruby/commit/6855779d580358a6a0b4c9ee06f20e7cae72955a
|
||||
Patch41: ruby-2.7.8-Fix-CVE-2023-28755-ReDos-vulnerability-in-URI.patch
|
||||
# CVE-2023-28756 ReDoS vulnerability in Time.
|
||||
# Tests not included as assert_linear_time was introduced in Ruby 2.7.
|
||||
# Backported from:
|
||||
# https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
|
||||
# https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a
|
||||
Patch42: ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch
|
||||
|
||||
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
@ -636,6 +642,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
|
||||
%patch39 -p1
|
||||
%patch40 -p1
|
||||
%patch41 -p1
|
||||
%patch42 -p1
|
||||
|
||||
# Provide an example of usage of the tapset:
|
||||
cp -a %{SOURCE3} .
|
||||
@ -1195,6 +1202,8 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
|
||||
Resolves: CVE-2022-28739
|
||||
- Fix ReDoS vulnerability in URI.
|
||||
Resolves: CVE-2023-28755
|
||||
- Fix ReDoS vulnerability in Time.
|
||||
Resolves: CVE-2023-28756
|
||||
|
||||
* Thu May 25 2023 Todd Zullinger <tmz@pobox.com> - 2.5.9-111
|
||||
- Fix rdoc parsing of nil text tokens.
|
||||
|
Loading…
Reference in New Issue
Block a user