Fix Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282).

Resolves: RHEL-33867
Jarek Prokop 2024-05-30 20:21:56 +02:00
parent 46b6a33dba
commit c4b8f7cfcf
2 changed files with 56 additions and 0 deletions


@ -0,0 +1,48 @@
From 9eda3000e3efd5bdd4ed60d07e2f43633e39d361 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Tue, 23 Apr 2024 19:22:22 +0900
Subject: [PATCH] merge revision(s) 33e5b47c16f1fd3382186e6ffe73cfc6e00946f7:
Fix handling of reg->dmin in Regex matching
---
regexec.c | 10 ++++++++++
1 file changed, 10 insertions(+)
---
regexec.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/regexec.c b/regexec.c
index 4582c35c3f..36ac1d4bc5 100644
--- a/regexec.c
+++ b/regexec.c
@@ -3900,12 +3900,17 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s,
UChar* range, UChar** low, UChar** high, UChar** low_prev)
{
UChar *p, *pprev = (UChar* )NULL;
+ size_t input_len = end - str;
#ifdef ONIG_DEBUG_SEARCH
fprintf(stderr, "forward_search_range: str: %"PRIuPTR" (%p), end: %"PRIuPTR" (%p), s: %"PRIuPTR" (%p), range: %"PRIuPTR" (%p)\n",
(uintptr_t )str, str, (uintptr_t )end, end, (uintptr_t )s, s, (uintptr_t )range, range);
#endif
+ if (reg->dmin > input_len) {
+ return 0;
+ }
+
p = s;
if (reg->dmin > 0) {
if (ONIGENC_IS_SINGLEBYTE(reg->enc)) {
@@ -4042,6 +4047,11 @@ backward_search_range(regex_t* reg, const UChar* str, const UChar* end,
UChar** low, UChar** high)
{
UChar *p;
+ size_t input_len = end - str;
+
+ if (reg->dmin > input_len) {
+ return 0;
+ }
range += reg->dmin;
p = s;
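Review bot: Both added guards compare `reg->dmin` with the whole input length `end - str`, but the code after them advances from the current position: `p = s; if (reg->dmin > 0) {` in forward_search_range and `range += reg->dmin;` in backward_search_range. The guard alone therefore does not show that `s + reg->dmin` or `range + reg->dmin` stays within `end` when the search starts past `str`. Both function bodies continue outside the hunks, so a later check may already cover this; confirm it against the full regexec.c and record the intent above each guard, e.g. `/* a pattern whose minimum distance exceeds the input length cannot match */`. The `end - str` difference is also converted to `size_t`, which presumably relies on every caller guaranteeing `str <= end`. The patch carries only regexec.c, so a regression test for a pattern whose minimum distance exceeds the subject length would be worth adding to the package's test run.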


@ -247,6 +247,10 @@ Patch45: ruby-3.0.7-Fix-CVE-2024-27280-Buffer-overread-in-StringIO.patch
# Backported from: # Backported from:
# https://github.com/ruby/ruby/commit/7957a25edf844c966de45848fa7e9e2513955660 # https://github.com/ruby/ruby/commit/7957a25edf844c966de45848fa7e9e2513955660
Patch46: ruby-3.0.7-Fix-CVE-2024-27281-RCE-vulnerability-with-rdoc_options.patch Patch46: ruby-3.0.7-Fix-CVE-2024-27281-RCE-vulnerability-with-rdoc_options.patch
# CVE-2024-27282 Arbitrary memory address read vulnerability with Regex search.
# Backported from:
# https://github.com/ruby/ruby/commit/6c6dca749d3f732b7be04bae20095a040c50fdb8
Patch47: ruby-3.0.7-Fix-CVE-2024-27282-Memory-address-read-with-Regex.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -664,6 +668,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
%patch44 -p1 %patch44 -p1
%patch45 -p1 %patch45 -p1
%patch46 -p1 %patch46 -p1
%patch47 -p1
# Provide an example of usage of the tapset: # Provide an example of usage of the tapset:
cp -a %{SOURCE3} . cp -a %{SOURCE3} .
@ -1226,6 +1231,9 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
- Fix RCE vulnerability with .rdoc_options in RDoc. - Fix RCE vulnerability with .rdoc_options in RDoc.
(CVE-2024-27281) (CVE-2024-27281)
Resolves: RHEL-34117 Resolves: RHEL-34117
- Fix Arbitrary memory address read vulnerability with Regex search.
(CVE-2024-27282)
Resolves: RHEL-33867
* Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111 * Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
- Fix HTTP response splitting in CGI. - Fix HTTP response splitting in CGI.