Fix ReDoS vulnerability in Time.

Do not include the test case, as assert_linear_time was introduced in Ruby 2.7. Backported from: Ruby 2.7.8 Backported from the following commits: 2cb830602f e3f18f7d2e Resolves: CVE-2023-28756
2023-06-12 20:15:40 +02:00 · 2023-06-12 20:15:40 +02:00 · 73cefa374b
parent 838b4276a7
commit 73cefa374b
2 changed files with 50 additions and 0 deletions
--- a/ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch
+++ b/ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch
@ -0,0 +1,41 @@
+From 71c37c29defeab2c98ad4291807efe12427a209f Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Tue, 29 Nov 2022 16:22:15 +0900
+Subject: [PATCH] Fix CVE-2023-28756 ReDoS vulnerability in Time.
+
+Backported from: Ruby 2.7.8
+Backported from the following commits:
+https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
+https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a
+
+Do not include the test case, as assert_linear_time was introduced in Ruby 2.7.
+
+==== Original commit message(s)
+
+Fix quadratic backtracking on invalid time
+
+Make RFC2822 regexp linear
+
+https://hackerone.com/reports/1485501
+---
+ lib/time.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/time.rb b/lib/time.rb
+index eb46a03..cb6f1e4 100644
+--- a/lib/time.rb
+++ b/lib/time.rb
+@@ -474,8 +474,8 @@ class Time
+           (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+           (\d{2,})\s+
+           (\d{2})\s*
+-          :\s*(\d{2})\s*
+-          (?::\s*(\d{2}))?\s+
+          :\s*(\d{2})
+          (?:\s*:\s*(\d\d))?\s+
+           ([+-]\d{4}|
+            UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+         # Since RFC 2822 permit comments, the regexp has no right anchor.
+-- 
+2.41.0
+
--- a/ruby.spec
+++ b/ruby.spec
@ -224,6 +224,12 @@ Patch40: ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
 # Backported from:
 # https://github.com/ruby/ruby/commit/6855779d580358a6a0b4c9ee06f20e7cae72955a
 Patch41: ruby-2.7.8-Fix-CVE-2023-28755-ReDos-vulnerability-in-URI.patch
+# CVE-2023-28756 ReDoS vulnerability in Time.
+# Tests not included as assert_linear_time was introduced in Ruby 2.7.
+# Backported from:
+# https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
+# https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a
+Patch42: ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch


 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -636,6 +642,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
 %patch39 -p1
 %patch40 -p1
 %patch41 -p1
+%patch42 -p1

 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1195,6 +1202,8 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
  Resolves: CVE-2022-28739
 - Fix ReDoS vulnerability in URI.
  Resolves: CVE-2023-28755
+- Fix ReDoS vulnerability in Time.
+  Resolves: CVE-2023-28756

 * Thu May 25 2023 Todd Zullinger <tmz@pobox.com> - 2.5.9-111
 - Fix rdoc parsing of nil text tokens.