From 73cefa374b4fed905ed1fb50906333e636046621 Mon Sep 17 00:00:00 2001
From: Jarek Prokop
Date: Mon, 12 Jun 2023 20:15:40 +0200
Subject: [PATCH] Fix ReDoS vulnerability in Time.

Do not include the test case, as assert_linear_time was introduced in Ruby 2.7.
Backported from: Ruby 2.7.8
Backported from the following commits:
https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a
Resolves: CVE-2023-28756
---
 ...23-28756-ReDoS-vulnerability-in-Time.patch | 41 +++++++++++++++++++
 ruby.spec | 9 ++++
 2 files changed, 50 insertions(+)
 create mode 100644 ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch

diff --git a/ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch b/ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch
new file mode 100644
index 0000000..455d823
--- /dev/null
+++ b/ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch
@@ -0,0 +1,41 @@
+From 71c37c29defeab2c98ad4291807efe12427a209f Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada
+Date: Tue, 29 Nov 2022 16:22:15 +0900
+Subject: [PATCH] Fix CVE-2023-28756 ReDoS vulnerability in Time.
+
+Backported from: Ruby 2.7.8
+Backported from the following commits:
+https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
+https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a
+
+Do not include the test case, as assert_linear_time was introduced in Ruby 2.7.
+
+==== Original commit message(s)
+
+Fix quadratic backtracking on invalid time
+
+Make RFC2822 regexp linear
+
+https://hackerone.com/reports/1485501
+---
+ lib/time.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/time.rb b/lib/time.rb
+index eb46a03..cb6f1e4 100644
+--- a/lib/time.rb
++++ b/lib/time.rb
+@@ -474,8 +474,8 @@ class Time
+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+ (\d{2,})\s+
+ (\d{2})\s*
+- :\s*(\d{2})\s*
+- (?::\s*(\d{2}))?\s+
++ :\s*(\d{2})
++ (?:\s*:\s*(\d\d))?\s+
+ ([+-]\d{4}|
+ UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+ # Since RFC 2822 permit comments, the regexp has no right anchor.
+--
+2.41.0
+
diff --git a/ruby.spec b/ruby.spec
index 575bb3b..ddb604c 100644
--- a/ruby.spec
+++ b/ruby.spec
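Review bot: The patch header names two upstream commits (2cb8306 and e3f18f7) as its source, but the body carries a single 2-line hunk in lib/time.rb, so a reader cannot tell whether the second commit's change lands on these same two lines or was left out; the header should say which, e.g. `Only the lib/time.rb regexp hunk is taken; both upstream commits touch these two lines` if that is the case, or name what was dropped. The regexp change itself reads correctly: moving `\s*` inside the optional seconds group `(?:\s*:\s*(\d\d))?` removes the overlap between the old `\s*` after the minutes and the trailing `\s+`, which appears to be what let a long whitespace run before a non-matching character be split in quadratically many ways. With the upstream assert_linear_time test dropped, nothing exercises the fix; timing `Time.rfc2822("1 Jan 2000 00:00" + " " * 100_000 + "x")` before and after the patch is a cheap manual check that the hunk really changed the regexp. The `if` expression and the method enclosing this regexp in lib/time.rb start and end outside the hunk.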
@@ -224,6 +224,12 @@ Patch40: ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
 # Backported from:
 # https://github.com/ruby/ruby/commit/6855779d580358a6a0b4c9ee06f20e7cae72955a
 Patch41: ruby-2.7.8-Fix-CVE-2023-28755-ReDos-vulnerability-in-URI.patch
+# CVE-2023-28756 ReDoS vulnerability in Time.
+# Tests not included as assert_linear_time was introduced in Ruby 2.7.
+# Backported from:
+# https://github.com/ruby/ruby/commit/2cb830602f52e7e76c6781115e7938b21f881c4f
+# https://github.com/ruby/ruby/commit/e3f18f7d2e034f20053d7bf2fc7a50f8b7e1a27a
+Patch42: ruby-2.7.8-Fix-CVE-2023-28756-ReDoS-vulnerability-in-Time.patch
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
@@ -636,6 +642,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
 %patch39 -p1
 %patch40 -p1
 %patch41 -p1
+%patch42 -p1
 
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@@ -1195,6 +1202,8 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
   Resolves: CVE-2022-28739
 - Fix ReDoS vulnerability in URI.
   Resolves: CVE-2023-28755
+- Fix ReDoS vulnerability in Time.
+  Resolves: CVE-2023-28756
 
 * Thu May 25 2023 Todd Zullinger - 2.5.9-111
 - Fix rdoc parsing of nil text tokens.
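Review bot: The new Patch42 comment records that the upstream regression test was dropped but nothing takes its place, so a hunk that applied at a shifted offset without actually changing the regexp would still build cleanly. A timed smoke test in %check would close that gap, for instance `timeout 60 ./ruby -I lib -r time -e 'Time.rfc2822("1 Jan 2000 00:00" + " " * 200_000 + "x") rescue nil'`, which returns almost at once with a linear regexp and would hit the timeout against the unpatched one; how %check invokes the built interpreter is outside this diff, so the exact command may need adjusting. The `%patch42 -p1` line and the changelog entry agree with the Patch42 declaration.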