Fix ReDoS vulnerability in Time.

Do not include the test case, as assert_linear_time was introduced in Ruby 2.7.
Backported from: Ruby 2.7.8
Backported from the following commits:
2cb830602f
e3f18f7d2e

Resolves: CVE-2023-28756
This commit is contained in:
Jarek Prokop 2023-06-12 20:15:40 +02:00
parent 838b4276a7
commit 73cefa374b
2 changed files with 50 additions and 0 deletions

View File

@ -0,0 +1,41 @@
From 71c37c29defeab2c98ad4291807efe12427a209f Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Tue, 29 Nov 2022 16:22:15 +0900
Subject: [PATCH] Fix CVE-2023-28756 ReDoS vulnerability in Time.
Backported from: Ruby 2.7.8
Backported from the following commits:
https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a
Do not include the test case, as assert_linear_time was introduced in Ruby 2.7.
==== Original commit message(s)
Fix quadratic backtracking on invalid time
Make RFC2822 regexp linear
https://hackerone.com/reports/1485501
---
lib/time.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/time.rb b/lib/time.rb
index eb46a03..cb6f1e4 100644
--- a/lib/time.rb
+++ b/lib/time.rb
@@ -474,8 +474,8 @@ class Time
(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
(\d{2,})\s+
(\d{2})\s*
- :\s*(\d{2})\s*
- (?::\s*(\d{2}))?\s+
+ :\s*(\d{2})
+ (?:\s*:\s*(\d\d))?\s+
([+-]\d{4}|
UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
# Since RFC 2822 permit comments, the regexp has no right anchor.
--
2.41.0

View File

@ -224,6 +224,12 @@ Patch40: ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
# Backported from:
# https://github.com/ruby/ruby/commit/6855779d580358a6a0b4c9ee06f20e7cae72955a
Patch41: ruby-2.7.8-Fix-CVE-2023-28755-ReDos-vulnerability-in-URI.patch
# CVE-2023-28756 ReDoS vulnerability in Time.
# Tests not included as assert_linear_time was introduced in Ruby 2.7.
# Backported from:
# https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
# https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a
Patch42: ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -636,6 +642,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
%patch39 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
# Provide an example of usage of the tapset:
cp -a %{SOURCE3} .
@ -1195,6 +1202,8 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
Resolves: CVE-2022-28739
- Fix ReDoS vulnerability in URI.
Resolves: CVE-2023-28755
- Fix ReDoS vulnerability in Time.
Resolves: CVE-2023-28756
* Thu May 25 2023 Todd Zullinger <tmz@pobox.com> - 2.5.9-111
- Fix rdoc parsing of nil text tokens.