diff --git a/ruby-3.0.7-Fix-CVE-2024-27280-Buffer-overread-in-StringIO.patch b/ruby-3.0.7-Fix-CVE-2024-27280-Buffer-overread-in-StringIO.patch new file mode 100644 index 0000000..2ad07bd --- /dev/null +++ b/ruby-3.0.7-Fix-CVE-2024-27280-Buffer-overread-in-StringIO.patch @@ -0,0 +1,81 @@ +From 740289bf02c9bea54f75b702f62862c62c62672b Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Thu, 21 Mar 2024 15:55:48 +0900 +Subject: [PATCH] Merge StringIO 3.0.1.1 + +--- + ext/stringio/stringio.c | 2 +- + test/stringio/test_stringio.rb | 27 ++++++++++++++++++++++----- + 2 files changed, 23 insertions(+), 6 deletions(-) + +diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c +index f537054b5d..946ae06da4 100644 +--- a/ext/stringio/stringio.c ++++ b/ext/stringio/stringio.c +@@ -833,7 +833,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl) + len = RSTRING_LEN(str); + rest = pos - len; + if (cl > pos) { +- long ex = (rest < 0 ? cl-pos : cl+rest); ++ long ex = cl - (rest < 0 ? pos : len); + rb_str_modify_expand(str, ex); + rb_str_set_len(str, len + ex); + s = RSTRING_PTR(str); +diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb +index f5169f641a..c055b901e3 100644 +--- a/test/stringio/test_stringio.rb ++++ b/test/stringio/test_stringio.rb +@@ -693,6 +693,15 @@ def test_ungetc_padding + assert_equal("b""\0""a", s.string) + end + ++ def test_ungetc_fill ++ count = 100 ++ s = StringIO.new ++ s.print 'a' * count ++ s.ungetc('b' * (count * 5)) ++ assert_equal((count * 5), s.string.size) ++ assert_match(/\Ab+\z/, s.string) ++ end ++ + def test_ungetbyte_pos + b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011' + s = StringIO.new( b ) +@@ -718,6 +727,15 @@ def test_ungetbyte_padding + assert_equal("b""\0""a", s.string) + end + ++ def test_ungetbyte_fill ++ count = 100 ++ s = StringIO.new ++ s.print 'a' * count ++ s.ungetbyte('b' * (count * 5)) ++ assert_equal((count * 5), s.string.size) ++ assert_match(/\Ab+\z/, s.string) ++ end ++ + def test_frozen + s = StringIO.new + s.freeze +@@ -760,18 +778,17 @@ def test_new_block_warning + end + + def test_overflow +- skip if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"] ++ return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"] + limit = (1 << (RbConfig::SIZEOF["void*"]*8-1)) - 0x10 + assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}") + begin; + limit = #{limit} + ary = [] +- while true ++ begin + x = "a"*0x100000 + break if [x].pack("p").unpack("i!")[0] < 0 + ary << x +- skip if ary.size > 100 +- end ++ end while ary.size <= 100 + s = StringIO.new(x) + s.gets("xxx", limit) + assert_equal(0x100000, s.pos) diff --git a/ruby.spec b/ruby.spec index 4f1a141..d2688c6 100644 --- a/ruby.spec +++ b/ruby.spec @@ -239,6 +239,10 @@ Patch43: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch # Tests not included as assert_linear_time was introduced in Ruby 2.7. # https://github.com/ruby/ruby/commit/616926b55e306a0704254a7ddfd6e9834d06c7f2 Patch44: ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch +# CVE-2024-27280 Buffer overread vulnerability in StringIO. +# Backported from: +# https://github.com/ruby/ruby/commit/bd9424c71c15896a997d5a092bf5e1ed453defa6 +Patch45: ruby-3.0.7-Fix-CVE-2024-27280-Buffer-overread-in-StringIO.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -654,6 +658,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \ %patch42 -p1 %patch43 -p1 %patch44 -p1 +%patch45 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1210,6 +1215,9 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \ - Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755. (CVE-2023-36617) Resolves: RHEL-5614 +- Fix Buffer overread vulnerability in StringIO. + (CVE-2024-27280) + Resolves: RHEL-34125 * Mon Jun 12 2023 Jarek Prokop - 2.5.9-111 - Fix HTTP response splitting in CGI.