rpms/ruby
5
0
Fork 0
Code Issues Pull Requests Releases Activity
82a19c4144
ruby/ruby-3.1.5-CVE-2023-36617-for-Ruby-3.1.patch
Jarek Prokop 82a19c4144 Upgrade to Ruby 3.1.4 
Fix HTTP response splitting in CGI.
Fix ReDos vulnerability in URI.
Fix ReDos vulnerability in Time.
Make RDoc soft dependency in IRB.

Rebased from latest Ruby 3.1 present in Fedora 37, commit:
4048f893da1d56ed65667e7f15405224653c83e2

Resolves: RHEL-5584
Resolves: CVE-2021-33621
Resolves: CVE-2023-28755
Resolves: CVE-2023-36617
Resolves: CVE-2023-28756
Resolves: RHEL-5615
2024-03-05 14:35:37 +01:00

136 lines
5.3 KiB
Diff
Raw Blame History

From 7af748ba924ba6119251ff959231c126784621e2 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Wed, 21 Jun 2023 13:26:37 +0900
Subject: [PATCH 1/2] Bump up v0.12.2
---
lib/uri/rfc2396_parser.rb | 4 ++--
lib/uri/rfc3986_parser.rb | 2 +-
lib/uri/version.rb | 2 +-
test/uri/test_parser.rb | 22 ++++++++++++++++++++++
4 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb
index 76a8f99fd48ccd..00c66cf0422213 100644
--- a/lib/uri/rfc2396_parser.rb
+++ b/lib/uri/rfc2396_parser.rb
@@ -497,8 +497,8 @@ def initialize_regexp(pattern)
ret = {}
# for URI::split
- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
# for URI::extract
ret[:URI_REF] = Regexp.new(pattern[:URI_REF])
diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb
index dd24a409ea174e..9b1663dbb6efe3 100644
--- a/lib/uri/rfc3986_parser.rb
+++ b/lib/uri/rfc3986_parser.rb
@@ -100,7 +100,7 @@ def default_regexp # :nodoc:
QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
OPAQUE: /\A(?:[^\/].*)?\z/,
- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
+ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
}
end
diff --git a/lib/uri/version.rb b/lib/uri/version.rb
index 7497a7d31a5df7..f0aca586acab4f 100644
--- a/lib/uri/version.rb
+++ b/lib/uri/version.rb
@@ -1,6 +1,6 @@
module URI
# :stopdoc:
- VERSION_CODE = '001201'.freeze
+ VERSION_CODE = '001202'.freeze
VERSION = VERSION_CODE.scan(/../).collect{|n| n.to_i}.join('.').freeze
# :startdoc:
end
diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb
index 72fb5901d963f6..cee0acb4b57c87 100644
--- a/test/uri/test_parser.rb
+++ b/test/uri/test_parser.rb
@@ -79,4 +79,26 @@ def test_split
assert_equal([nil, nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("//example.com"))
assert_equal([nil, nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("//[0::0]"))
end
+
+ def test_rfc2822_parse_relative_uri
+ pre = ->(length) {
+ " " * length + "\0"
+ }
+ parser = URI::RFC2396_Parser.new
+ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri|
+ assert_raise(URI::InvalidURIError) do
+ parser.split(uri)
+ end
+ end
+ end
+
+ def test_rfc3986_port_check
+ pre = ->(length) {"\t" * length + "a"}
+ uri = URI.parse("http://my.example.com")
+ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port|
+ assert_raise(URI::InvalidComponentError) do
+ uri.port = port
+ end
+ end
+ end
end
From b2deea8a2e71ab880370080a9ddf243747abc8fd Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Wed, 21 Jun 2023 14:15:26 +0900
Subject: [PATCH 2/2] Merge URI-0.10.3 for Bundler
---
lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb | 4 ++--
lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb | 2 +-
lib/bundler/vendor/uri/lib/uri/version.rb | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
index e48e164f4c13e7..09ed40754d5bfe 100644
--- a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
+++ b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
@@ -491,8 +491,8 @@ def initialize_regexp(pattern)
ret = {}
# for Bundler::URI::split
- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
# for Bundler::URI::extract
ret[:URI_REF] = Regexp.new(pattern[:URI_REF])
diff --git a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
index cd4dd0c7526630..870720e5b3e8d0 100644
--- a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+++ b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
@@ -95,7 +95,7 @@ def default_regexp # :nodoc:
QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
OPAQUE: /\A(?:[^\/].*)?\z/,
- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
+ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
}
end
diff --git a/lib/bundler/vendor/uri/lib/uri/version.rb b/lib/bundler/vendor/uri/lib/uri/version.rb
index 3895df0de5c53a..d65b7e5b7574d8 100644
--- a/lib/bundler/vendor/uri/lib/uri/version.rb
+++ b/lib/bundler/vendor/uri/lib/uri/version.rb
@@ -1,6 +1,6 @@
module Bundler::URI
# :stopdoc:
- VERSION_CODE = '001002'.freeze
+ VERSION_CODE = '001003'.freeze
VERSION = VERSION_CODE.scan(/../).collect{|n| n.to_i}.join('.').freeze
# :startdoc:
end
Reference in New Issue View Git Blame Copy Permalink