Fix Buffer overread vulnerability in StringIO (CVE-2024-27280).
Resolves: RHEL-34125
This commit is contained in:
parent
3a6a1691ce
commit
d004cd092a
@ -0,0 +1,81 @@
|
|||||||
|
From 740289bf02c9bea54f75b702f62862c62c62672b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
|
||||||
|
Date: Thu, 21 Mar 2024 15:55:48 +0900
|
||||||
|
Subject: [PATCH] Merge StringIO 3.0.1.1
|
||||||
|
|
||||||
|
---
|
||||||
|
ext/stringio/stringio.c | 2 +-
|
||||||
|
test/stringio/test_stringio.rb | 27 ++++++++++++++++++++++-----
|
||||||
|
2 files changed, 23 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
|
||||||
|
index f537054b5d..946ae06da4 100644
|
||||||
|
--- a/ext/stringio/stringio.c
|
||||||
|
+++ b/ext/stringio/stringio.c
|
||||||
|
@@ -833,7 +833,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl)
|
||||||
|
len = RSTRING_LEN(str);
|
||||||
|
rest = pos - len;
|
||||||
|
if (cl > pos) {
|
||||||
|
- long ex = (rest < 0 ? cl-pos : cl+rest);
|
||||||
|
+ long ex = cl - (rest < 0 ? pos : len);
|
||||||
|
rb_str_modify_expand(str, ex);
|
||||||
|
rb_str_set_len(str, len + ex);
|
||||||
|
s = RSTRING_PTR(str);
|
||||||
|
diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
|
||||||
|
index f5169f641a..c055b901e3 100644
|
||||||
|
--- a/test/stringio/test_stringio.rb
|
||||||
|
+++ b/test/stringio/test_stringio.rb
|
||||||
|
@@ -693,6 +693,15 @@ def test_ungetc_padding
|
||||||
|
assert_equal("b""\0""a", s.string)
|
||||||
|
end
|
||||||
|
|
||||||
|
+ def test_ungetc_fill
|
||||||
|
+ count = 100
|
||||||
|
+ s = StringIO.new
|
||||||
|
+ s.print 'a' * count
|
||||||
|
+ s.ungetc('b' * (count * 5))
|
||||||
|
+ assert_equal((count * 5), s.string.size)
|
||||||
|
+ assert_match(/\Ab+\z/, s.string)
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
def test_ungetbyte_pos
|
||||||
|
b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011'
|
||||||
|
s = StringIO.new( b )
|
||||||
|
@@ -718,6 +727,15 @@ def test_ungetbyte_padding
|
||||||
|
assert_equal("b""\0""a", s.string)
|
||||||
|
end
|
||||||
|
|
||||||
|
+ def test_ungetbyte_fill
|
||||||
|
+ count = 100
|
||||||
|
+ s = StringIO.new
|
||||||
|
+ s.print 'a' * count
|
||||||
|
+ s.ungetbyte('b' * (count * 5))
|
||||||
|
+ assert_equal((count * 5), s.string.size)
|
||||||
|
+ assert_match(/\Ab+\z/, s.string)
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
def test_frozen
|
||||||
|
s = StringIO.new
|
||||||
|
s.freeze
|
||||||
|
@@ -760,18 +778,17 @@ def test_new_block_warning
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_overflow
|
||||||
|
- skip if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
|
||||||
|
+ return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
|
||||||
|
limit = (1 << (RbConfig::SIZEOF["void*"]*8-1)) - 0x10
|
||||||
|
assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
|
||||||
|
begin;
|
||||||
|
limit = #{limit}
|
||||||
|
ary = []
|
||||||
|
- while true
|
||||||
|
+ begin
|
||||||
|
x = "a"*0x100000
|
||||||
|
break if [x].pack("p").unpack("i!")[0] < 0
|
||||||
|
ary << x
|
||||||
|
- skip if ary.size > 100
|
||||||
|
- end
|
||||||
|
+ end while ary.size <= 100
|
||||||
|
s = StringIO.new(x)
|
||||||
|
s.gets("xxx", limit)
|
||||||
|
assert_equal(0x100000, s.pos)
|
@ -239,6 +239,10 @@ Patch43: ruby-3.4.0-ruby-net-http-Renew-test-certificates.patch
|
|||||||
# Tests not included as assert_linear_time was introduced in Ruby 2.7.
|
# Tests not included as assert_linear_time was introduced in Ruby 2.7.
|
||||||
# https://github.com/ruby/ruby/commit/616926b55e306a0704254a7ddfd6e9834d06c7f2
|
# https://github.com/ruby/ruby/commit/616926b55e306a0704254a7ddfd6e9834d06c7f2
|
||||||
Patch44: ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch
|
Patch44: ruby-3.0.7-Fix-CVE-2023-36617-Upstreams-incomplete-fix-for-CVE-2023-28755.patch
|
||||||
|
# CVE-2024-27280 Buffer overread vulnerability in StringIO.
|
||||||
|
# Backported from:
|
||||||
|
# https://github.com/ruby/ruby/commit/bd9424c71c15896a997d5a092bf5e1ed453defa6
|
||||||
|
Patch45: ruby-3.0.7-Fix-CVE-2024-27280-Buffer-overread-in-StringIO.patch
|
||||||
|
|
||||||
|
|
||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
@ -654,6 +658,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
|
|||||||
%patch42 -p1
|
%patch42 -p1
|
||||||
%patch43 -p1
|
%patch43 -p1
|
||||||
%patch44 -p1
|
%patch44 -p1
|
||||||
|
%patch45 -p1
|
||||||
|
|
||||||
# Provide an example of usage of the tapset:
|
# Provide an example of usage of the tapset:
|
||||||
cp -a %{SOURCE3} .
|
cp -a %{SOURCE3} .
|
||||||
@ -1210,6 +1215,9 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
|
|||||||
- Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755.
|
- Fix ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755.
|
||||||
(CVE-2023-36617)
|
(CVE-2023-36617)
|
||||||
Resolves: RHEL-5614
|
Resolves: RHEL-5614
|
||||||
|
- Fix Buffer overread vulnerability in StringIO.
|
||||||
|
(CVE-2024-27280)
|
||||||
|
Resolves: RHEL-34125
|
||||||
|
|
||||||
* Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
|
* Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
|
||||||
- Fix HTTP response splitting in CGI.
|
- Fix HTTP response splitting in CGI.
|
||||||
|
Loading…
Reference in New Issue
Block a user