Fix Buffer overread vulnerability in StringIO (CVE-2024-27280).
Resolves: RHEL-34125
This commit is contained in:
		
							parent
							
								
									3a6a1691ce
								
							
						
					
					
						commit
						d004cd092a
					
				| @ -0,0 +1,81 @@ | |||||||
|  | From 740289bf02c9bea54f75b702f62862c62c62672b Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Hiroshi SHIBATA <hsbt@ruby-lang.org> | ||||||
|  | Date: Thu, 21 Mar 2024 15:55:48 +0900 | ||||||
|  | Subject: [PATCH] Merge StringIO 3.0.1.1 | ||||||
|  | 
 | ||||||
|  | ---
 | ||||||
|  |  ext/stringio/stringio.c        |  2 +- | ||||||
|  |  test/stringio/test_stringio.rb | 27 ++++++++++++++++++++++----- | ||||||
|  |  2 files changed, 23 insertions(+), 6 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
 | ||||||
|  | index f537054b5d..946ae06da4 100644
 | ||||||
|  | --- a/ext/stringio/stringio.c
 | ||||||
|  | +++ b/ext/stringio/stringio.c
 | ||||||
|  | @@ -833,7 +833,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl)
 | ||||||
|  |      len = RSTRING_LEN(str); | ||||||
|  |      rest = pos - len; | ||||||
|  |      if (cl > pos) { | ||||||
|  | -	long ex = (rest < 0 ? cl-pos : cl+rest);
 | ||||||
|  | +	long ex = cl - (rest < 0 ? pos : len);
 | ||||||
|  |  	rb_str_modify_expand(str, ex); | ||||||
|  |  	rb_str_set_len(str, len + ex); | ||||||
|  |  	s = RSTRING_PTR(str); | ||||||
|  | diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
 | ||||||
|  | index f5169f641a..c055b901e3 100644
 | ||||||
|  | --- a/test/stringio/test_stringio.rb
 | ||||||
|  | +++ b/test/stringio/test_stringio.rb
 | ||||||
|  | @@ -693,6 +693,15 @@ def test_ungetc_padding
 | ||||||
|  |      assert_equal("b""\0""a", s.string) | ||||||
|  |    end | ||||||
|  |   | ||||||
|  | +  def test_ungetc_fill
 | ||||||
|  | +    count = 100
 | ||||||
|  | +    s = StringIO.new
 | ||||||
|  | +    s.print 'a' * count
 | ||||||
|  | +    s.ungetc('b' * (count * 5))
 | ||||||
|  | +    assert_equal((count * 5), s.string.size)
 | ||||||
|  | +    assert_match(/\Ab+\z/, s.string)
 | ||||||
|  | +  end
 | ||||||
|  | +
 | ||||||
|  |    def test_ungetbyte_pos | ||||||
|  |      b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011' | ||||||
|  |      s = StringIO.new( b ) | ||||||
|  | @@ -718,6 +727,15 @@ def test_ungetbyte_padding
 | ||||||
|  |      assert_equal("b""\0""a", s.string) | ||||||
|  |    end | ||||||
|  |   | ||||||
|  | +  def test_ungetbyte_fill
 | ||||||
|  | +    count = 100
 | ||||||
|  | +    s = StringIO.new
 | ||||||
|  | +    s.print 'a' * count
 | ||||||
|  | +    s.ungetbyte('b' * (count * 5))
 | ||||||
|  | +    assert_equal((count * 5), s.string.size)
 | ||||||
|  | +    assert_match(/\Ab+\z/, s.string)
 | ||||||
|  | +  end
 | ||||||
|  | +
 | ||||||
|  |    def test_frozen | ||||||
|  |      s = StringIO.new | ||||||
|  |      s.freeze | ||||||
|  | @@ -760,18 +778,17 @@ def test_new_block_warning
 | ||||||
|  |    end | ||||||
|  |   | ||||||
|  |    def test_overflow | ||||||
|  | -    skip if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
 | ||||||
|  | +    return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
 | ||||||
|  |      limit = (1 << (RbConfig::SIZEOF["void*"]*8-1)) - 0x10 | ||||||
|  |      assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}") | ||||||
|  |      begin; | ||||||
|  |        limit = #{limit} | ||||||
|  |        ary = [] | ||||||
|  | -      while true
 | ||||||
|  | +      begin
 | ||||||
|  |          x = "a"*0x100000 | ||||||
|  |          break if [x].pack("p").unpack("i!")[0] < 0 | ||||||
|  |          ary << x | ||||||
|  | -        skip if ary.size > 100
 | ||||||
|  | -      end
 | ||||||
|  | +      end while ary.size <= 100
 | ||||||
|  |        s = StringIO.new(x) | ||||||
|  |        s.gets("xxx", limit) | ||||||
|  |        assert_equal(0x100000, s.pos) | ||||||
| @ -239,6 +239,10 @@ Patch43: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch | |||||||
| # Tests not included as assert_linear_time was introduced in Ruby 2.7. | # Tests not included as assert_linear_time was introduced in Ruby 2.7. | ||||||
| # https://github.com/ruby/ruby/commit/616926b55e306a0704254a7ddfd6e9834d06c7f2 | # https://github.com/ruby/ruby/commit/616926b55e306a0704254a7ddfd6e9834d06c7f2 | ||||||
| Patch44: ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch | Patch44: ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch | ||||||
|  | # CVE-2024-27280 Buffer overread vulnerability in StringIO. | ||||||
|  | # Backported from: | ||||||
|  | # https://github.com/ruby/ruby/commit/bd9424c71c15896a997d5a092bf5e1ed453defa6 | ||||||
|  | Patch45: ruby-3.0.7-Fix-CVE-2024-27280-Buffer-overread-in-StringIO.patch | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| Requires: %{name}-libs%{?_isa} = %{version}-%{release} | Requires: %{name}-libs%{?_isa} = %{version}-%{release} | ||||||
| @ -654,6 +658,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \ | |||||||
| %patch42 -p1 | %patch42 -p1 | ||||||
| %patch43 -p1 | %patch43 -p1 | ||||||
| %patch44 -p1 | %patch44 -p1 | ||||||
|  | %patch45 -p1 | ||||||
| 
 | 
 | ||||||
| # Provide an example of usage of the tapset: | # Provide an example of usage of the tapset: | ||||||
| cp -a %{SOURCE3} . | cp -a %{SOURCE3} . | ||||||
| @ -1210,6 +1215,9 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \ | |||||||
| - Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755. | - Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755. | ||||||
|   (CVE-2023-36617) |   (CVE-2023-36617) | ||||||
|   Resolves: RHEL-5614 |   Resolves: RHEL-5614 | ||||||
|  | - Fix Buffer overread vulnerability in StringIO. | ||||||
|  |   (CVE-2024-27280) | ||||||
|  |   Resolves: RHEL-34125 | ||||||
| 
 | 
 | ||||||
| * Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111 | * Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111 | ||||||
| - Fix HTTP response splitting in CGI. | - Fix HTTP response splitting in CGI. | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user