Fix Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282).
Resolves: RHEL-33867
parent
46b6a33dba
commit
c4b8f7cfcf
@ -0,0 +1,48 @@
|
||||
From 9eda3000e3efd5bdd4ed60d07e2f43633e39d361 Mon Sep 17 00:00:00 2001
|
||||
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
|
||||
Date: Tue, 23 Apr 2024 19:22:22 +0900
|
||||
Subject: [PATCH] merge revision(s) 33e5b47c16f1fd3382186e6ffe73cfc6e00946f7:
|
||||
|
||||
Fix handling of reg->dmin in Regex matching
|
||||
|
||||
---
|
||||
regexec.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
---
|
||||
regexec.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/regexec.c b/regexec.c
|
||||
index 4582c35c3f..36ac1d4bc5 100644
|
||||
--- a/regexec.c
|
||||
+++ b/regexec.c
|
||||
@@ -3900,12 +3900,17 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s,
|
||||
UChar* range, UChar** low, UChar** high, UChar** low_prev)
|
||||
{
|
||||
UChar *p, *pprev = (UChar* )NULL;
|
||||
+ size_t input_len = end - str;
|
||||
|
||||
#ifdef ONIG_DEBUG_SEARCH
|
||||
fprintf(stderr, "forward_search_range: str: %"PRIuPTR" (%p), end: %"PRIuPTR" (%p), s: %"PRIuPTR" (%p), range: %"PRIuPTR" (%p)\n",
|
||||
(uintptr_t )str, str, (uintptr_t )end, end, (uintptr_t )s, s, (uintptr_t )range, range);
|
||||
#endif
|
||||
|
||||
+ if (reg->dmin > input_len) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
p = s;
|
||||
if (reg->dmin > 0) {
|
||||
if (ONIGENC_IS_SINGLEBYTE(reg->enc)) {
|
||||
@@ -4042,6 +4047,11 @@ backward_search_range(regex_t* reg, const UChar* str, const UChar* end,
|
||||
UChar** low, UChar** high)
|
||||
{
|
||||
UChar *p;
|
||||
+ size_t input_len = end - str;
|
||||
+
|
||||
+ if (reg->dmin > input_len) {
|
||||
+ return 0;
|
||||
+ }
|
||||
|
||||
range += reg->dmin;
|
||||
p = s;
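Review bot: Both added guards compare `reg->dmin` with the length of the whole subject (`end - str`) rather than with the space left from the current position, so in backward_search_range the following `range += reg->dmin` can still carry `range` past `end` whenever `range` starts after `str`. The same seems to apply to the `reg->dmin > 0` advance from `p = s` in forward_search_range, though that branch continues outside the hunk and the callers may already exclude it. If they do not, a tighter bound such as `if (reg->dmin > (size_t)(end - range)) return 0;` (and `end - s` in the forward case) would keep the pointer arithmetic inside the buffer; as this is a backport, that is probably best confirmed against upstream rather than changed locally. `end - str` is a signed pointer difference stored in a `size_t`, so the check also relies on `str <= end`. A short comment on each guard, e.g. `/* dmin longer than the subject: nothing can match, and advancing by dmin would leave the buffer */`, would record why 0 is returned here.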
|
@ -247,6 +247,10 @@ Patch45: ruby-3.0.7-Fix-CVE-2024-27280-Buffer-overread-in-StringIO.patch
|
||||
# Backported from:
|
||||
# https://github.com/ruby/ruby/commit/7957a25edf844c966de45848fa7e9e2513955660
|
||||
Patch46: ruby-3.0.7-Fix-CVE-2024-27281-RCE-vulnerability-with-rdoc_options.patch
|
||||
# CVE-2024-27282 Arbitrary memory address read vulnerability with Regex search.
|
||||
# Backported from:
|
||||
# https://github.com/ruby/ruby/commit/6c6dca749d3f732b7be04bae20095a040c50fdb8
|
||||
Patch47: ruby-3.0.7-Fix-CVE-2024-27282-Memory-address-read-with-Regex.patch
|
||||
|
||||
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
@ -664,6 +668,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
|
||||
%patch44 -p1
|
||||
%patch45 -p1
|
||||
%patch46 -p1
|
||||
%patch47 -p1
|
||||
|
||||
# Provide an example of usage of the tapset:
|
||||
cp -a %{SOURCE3} .
|
||||
@ -1226,6 +1231,9 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
|
||||
- Fix RCE vulnerability with .rdoc_options in RDoc.
|
||||
(CVE-2024-27281)
|
||||
Resolves: RHEL-34117
|
||||
- Fix Arbitrary memory address read vulnerability with Regex search.
|
||||
(CVE-2024-27282)
|
||||
Resolves: RHEL-33867
|
||||
|
||||
* Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
|
||||
- Fix HTTP response splitting in CGI.
|
||||
|