Fix Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282).

Resolves: RHEL-33867
2024-05-30 20:21:56 +02:00 · 2024-05-30 20:21:56 +02:00 · c4b8f7cfcf
commit c4b8f7cfcf
parent 46b6a33dba
2 changed files with 56 additions and 0 deletions
--- a/ruby-3.0.7-Fix-CVE-2024-27282-Memory-address-read-with-Regex.patch
+++ b/ruby-3.0.7-Fix-CVE-2024-27282-Memory-address-read-with-Regex.patch
@ -0,0 +1,48 @@
+From 9eda3000e3efd5bdd4ed60d07e2f43633e39d361 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Tue, 23 Apr 2024 19:22:22 +0900
+Subject: [PATCH] merge revision(s) 33e5b47c16f1fd3382186e6ffe73cfc6e00946f7:
+
+	Fix handling of reg->dmin in Regex matching
+
+	---
+	 regexec.c | 10 ++++++++++
+	 1 file changed, 10 insertions(+)
+---
+ regexec.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/regexec.c b/regexec.c
+index 4582c35c3f..36ac1d4bc5 100644
+--- a/regexec.c
+++ b/regexec.c
+@@ -3900,12 +3900,17 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s,
+ 		     UChar* range, UChar** low, UChar** high, UChar** low_prev)
+ {
+   UChar *p, *pprev = (UChar* )NULL;
+  size_t input_len = end - str;
+ 
+ #ifdef ONIG_DEBUG_SEARCH
+   fprintf(stderr, "forward_search_range: str: %"PRIuPTR" (%p), end: %"PRIuPTR" (%p), s: %"PRIuPTR" (%p), range: %"PRIuPTR" (%p)\n",
+ 	  (uintptr_t )str, str, (uintptr_t )end, end, (uintptr_t )s, s, (uintptr_t )range, range);
+ #endif
+ 
+  if (reg->dmin > input_len) {
+    return 0;
+  }
+
+   p = s;
+   if (reg->dmin > 0) {
+     if (ONIGENC_IS_SINGLEBYTE(reg->enc)) {
+@@ -4042,6 +4047,11 @@ backward_search_range(regex_t* reg, const UChar* str, const UChar* end,
+ 		      UChar** low, UChar** high)
+ {
+   UChar *p;
+  size_t input_len = end - str;
+
+  if (reg->dmin > input_len) {
+    return 0;
+  }
+ 
+   range += reg->dmin;
+   p = s;
--- a/ruby.spec
+++ b/ruby.spec
@ -247,6 +247,10 @@ Patch45: ruby-3.0.7-Fix-CVE-2024-27280-Buffer-overread-in-StringIO.patch
 # Backported from:
 # https://github.com/ruby/ruby/commit/7957a25edf844c966de45848fa7e9e2513955660
 Patch46: ruby-3.0.7-Fix-CVE-2024-27281-RCE-vulnerability-with-rdoc_options.patch
+# CVE-2024-27282 Arbitrary memory address read vulnerability with Regex search.
+# Backported from:
+# https://github.com/ruby/ruby/commit/6c6dca749d3f732b7be04bae20095a040c50fdb8
+Patch47: ruby-3.0.7-Fix-CVE-2024-27282-Memory-address-read-with-Regex.patch


 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -664,6 +668,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
 %patch44 -p1
 %patch45 -p1
 %patch46 -p1
+%patch47 -p1

 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1226,6 +1231,9 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 - Fix RCE vulnerability with .rdoc_options in RDoc.
  (CVE-2024-27281)
  Resolves: RHEL-34117
+- Fix Arbitrary memory address read vulnerability with Regex search.
+  (CVE-2024-27282)
+  Resolves: RHEL-33867

 * Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
 - Fix HTTP response splitting in CGI.