ruby: fix CVE-2017-922{6-9}

CVE-2017-9226 : check too big code point value for single byte CVE-2017-9227 : access to invalid address by reg->dmin value CVE-2017-9228 : invalid state(CCS_VALUE) in parse_char_class() CVE-2017-9229 : access to invalid address by reg->dmax value (From OE-Core rev: f15f01edbaa431829a50053d07ed6d6b333584c7) (From OE-Core rev: 4077e088b6e750c4143a59c5d89258ab682ed96b) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joe Slater <jslater@windriver.com> 2017-08-18 10:43:44 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-09-11 22:15:58 +0100
commit: c63480c9605a22b3000dc4f0e9198e67365832e9 (patch)
tree: 06f61b7391e60f35eba0675e96ce225776e1a242 /meta/recipes-devtools/ruby
parent: 62e244d71354f20e8680606e015565690f1bd4f5 (diff)
download: poky-c63480c9605a22b3000dc4f0e9198e67365832e9.tar.gz
5 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
new file mode 100644
index 0000000000..0f2a4307cc
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
@@ -0,0 +1,41 @@
+From b4bf968ad52afe14e60a2dc8a95d3555c543353a Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 18 May 2017 17:05:27 +0900
+Subject: [PATCH] fix #55 : check too big code point value for single byte
+ value in next_state_val()
+---
+ regparse.c |    3 +++
+ 1 file changed, 3 insertions(+)
+--- end of original header
+CVE: CVE-2017-9226
+Add check for octal number bigger than 255.
+Upstream-Status: Pending
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+--- ruby-2.4.1.orig/regparse.c
+++ ruby-2.4.1/regparse.c
+@@ -3644,7 +3644,7 @@ fetch_token(OnigToken* tok, UChar** src,
+       if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
+        prev = p;
+        num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
+-       if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
+       if (num < 0 || 0xff < num) return ONIGERR_TOO_BIG_NUMBER;
+        if (p == prev) {  /* can't read nothing. */
+          num = 0; /* but, it's not error */
+        }
+@@ -4450,6 +4450,9 @@ next_state_val(CClassNode* cc, CClassNod
+   switch (*state) {
+   case CCS_VALUE:
+     if (*type == CCV_SB) {
+      if (*vs > 0xff)
+          return ONIGERR_INVALID_CODE_POINT_VALUE;
+
+       BITSET_SET_BIT_CHKDUP(cc->bs, (int )(*vs));
+       if (IS_NOT_NULL(asc_cc))
+        BITSET_SET_BIT(asc_cc->bs, (int )(*vs));
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch
new file mode 100644
index 0000000000..85e7ccb369
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch
@@ -0,0 +1,32 @@
+From 9690d3ab1f9bcd2db8cbe1fe3ee4a5da606b8814 Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Tue, 23 May 2017 16:15:35 +0900
+Subject: [PATCH] fix #58 : access to invalid address by reg->dmin value
+---
+ regexec.c |    2 ++
+ 1 file changed, 2 insertions(+)
+--- end of original header
+CVE: CVE-2017-9227
+Upstream-Status: Inappropriate [not author]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/regexec.c b/regexec.c
+index d4e577d..2fa0f3d 100644
+--- a/regexec.c
+++ b/regexec.c
+@@ -3154,6 +3154,8 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s,
+     }
+     else {
+       UChar *q = p + reg->dmin;
+
+      if (q >= end) return 0; /* fail */
+       while (p < q) p += enclen(reg->enc, p, end);
+     }
+   }
+-- 
+1.7.9.5
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
new file mode 100644
index 0000000000..d8bfba486c
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
@@ -0,0 +1,34 @@
+From 3b63d12038c8d8fc278e81c942fa9bec7c704c8b Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Wed, 24 May 2017 13:43:25 +0900
+Subject: [PATCH] fix #60 : invalid state(CCS_VALUE) in parse_char_class()
+---
+ regparse.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+--- end of original header
+CVE: CVE-2017-9228
+Upstream-Status: Inappropriate [not author]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/regparse.c b/regparse.c
+index 69875fa..1988747 100644
+--- a/regparse.c
+++ b/regparse.c
+@@ -4081,7 +4081,9 @@ next_state_class(CClassNode* cc, OnigCodePoint* vs, enum CCVALTYPE* type,
+     }
+   }
+ 
+-  *state = CCS_VALUE;
+  if (*state != CCS_START)
+    *state = CCS_VALUE;
+
+   *type  = CCV_CLASS;
+   return 0;
+ }
+-- 
+1.7.9.5
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch
new file mode 100644
index 0000000000..6e765bf6dc
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch
@@ -0,0 +1,59 @@
+From b690371bbf97794b4a1d3f295d4fb9a8b05d402d Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Wed, 24 May 2017 10:27:04 +0900
+Subject: [PATCH] fix #59 : access to invalid address by reg->dmax value
+---
+ regexec.c |   27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+--- end of original header
+CVE: CVE-2017-9229
+Upstream-Status: Inappropriate [not author]
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+diff --git a/regexec.c b/regexec.c
+index 49bcc50..c0626ef 100644
+--- a/regexec.c
+++ b/regexec.c
+@@ -3756,18 +3756,25 @@ forward_search_range(regex_t* reg, const
+     }
+     else {
+       if (reg->dmax != ONIG_INFINITE_DISTANCE) {
+-       *low = p - reg->dmax;
+-       if (*low > s) {
+-         *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
+-                                                             *low, end, (const UChar** )low_prev);
+-         if (low_prev && IS_NULL(*low_prev))
+-           *low_prev = onigenc_get_prev_char_head(reg->enc,
+-                                                  (pprev ? pprev : s), *low, end);
+        if (p - str < reg->dmax) {
+          *low = (UChar* )str;
+          if (low_prev)
+            *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low, end);
+        }
+        else {
+-         if (low_prev)
+-           *low_prev = onigenc_get_prev_char_head(reg->enc,
+-                                              (pprev ? pprev : str), *low, end);
+          *low = p - reg->dmax;
+          if (*low > s) {
+            *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
+                                                 *low, end, (const UChar** )low_prev);
+            if (low_prev && IS_NULL(*low_prev))
+              *low_prev = onigenc_get_prev_char_head(reg->enc,
+                                                     (pprev ? pprev : s), *low, end);
+          }
+          else {
+            if (low_prev)
+              *low_prev = onigenc_get_prev_char_head(reg->enc,
+                                                     (pprev ? pprev : str), *low, end);
+          }
+        }
+       }
+     }
+-- 
+1.7.9.5
diff --git a/meta/recipes-devtools/ruby/ruby_2.4.0.bb b/meta/recipes-devtools/ruby/ruby_2.4.0.bb
index 47e521db84..f1bd8289b6 100644
--- a/meta/recipes-devtools/ruby/ruby_2.4.0.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.4.0.bb
@@ -2,6 +2,10 @@ require ruby.inc
 SRC_URI += " \
           file://ruby-CVE-2017-9224.patch \
+           file://ruby-CVE-2017-9226.patch \
+           file://ruby-CVE-2017-9227.patch \
+           file://ruby-CVE-2017-9228.patch \
+           file://ruby-CVE-2017-9229.patch \
           "
 SRC_URI[md5sum] = "7e9485dcdb86ff52662728de2003e625"
author	Joe Slater <jslater@windriver.com>	2017-08-18 10:43:44 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-09-11 22:15:58 +0100
commit	c63480c9605a22b3000dc4f0e9198e67365832e9 (patch)
tree	06f61b7391e60f35eba0675e96ce225776e1a242 /meta/recipes-devtools/ruby
parent	62e244d71354f20e8680606e015565690f1bd4f5 (diff)
download	poky-c63480c9605a22b3000dc4f0e9198e67365832e9.tar.gz

diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch new file mode 100644 index 0000000000..0f2a4307cc --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
@@ -0,0 +1,41 @@
		1	From b4bf968ad52afe14e60a2dc8a95d3555c543353a Mon Sep 17 00:00:00 2001
		2	From: "K.Kosako" <kosako@sofnec.co.jp>
		3	Date: Thu, 18 May 2017 17:05:27 +0900
		4	Subject: [PATCH] fix #55 : check too big code point value for single byte
		5	value in next_state_val()
		6
		7	---
		8	regparse.c \| 3 +++
		9	1 file changed, 3 insertions(+)
		10
		11	--- end of original header
		12
		13	CVE: CVE-2017-9226
		14
		15	Add check for octal number bigger than 255.
		16
		17	Upstream-Status: Pending
		18	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		19
		20
		21	--- ruby-2.4.1.orig/regparse.c
		22	+++ ruby-2.4.1/regparse.c
		23	@@ -3644,7 +3644,7 @@ fetch_token(OnigToken* tok, UChar** src,
		24	if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
		25	prev = p;
		26	num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
		27	- if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
		28	+ if (num < 0 \|\| 0xff < num) return ONIGERR_TOO_BIG_NUMBER;
		29	if (p == prev) { /* can't read nothing. */
		30	num = 0; /* but, it's not error */
		31	}
		32	@@ -4450,6 +4450,9 @@ next_state_val(CClassNode* cc, CClassNod
		33	switch (*state) {
		34	case CCS_VALUE:
		35	if (*type == CCV_SB) {
		36	+ if (*vs > 0xff)
		37	+ return ONIGERR_INVALID_CODE_POINT_VALUE;
		38	+
		39	BITSET_SET_BIT_CHKDUP(cc->bs, (int )(*vs));
		40	if (IS_NOT_NULL(asc_cc))
		41	BITSET_SET_BIT(asc_cc->bs, (int )(*vs));


diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch new file mode 100644 index 0000000000..85e7ccb369 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch
@@ -0,0 +1,32 @@
		1	From 9690d3ab1f9bcd2db8cbe1fe3ee4a5da606b8814 Mon Sep 17 00:00:00 2001
		2	From: "K.Kosako" <kosako@sofnec.co.jp>
		3	Date: Tue, 23 May 2017 16:15:35 +0900
		4	Subject: [PATCH] fix #58 : access to invalid address by reg->dmin value
		5
		6	---
		7	regexec.c \| 2 ++
		8	1 file changed, 2 insertions(+)
		9
		10	--- end of original header
		11
		12	CVE: CVE-2017-9227
		13
		14	Upstream-Status: Inappropriate [not author]
		15	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		16
		17	diff --git a/regexec.c b/regexec.c
		18	index d4e577d..2fa0f3d 100644
		19	--- a/regexec.c
		20	+++ b/regexec.c
		21	@@ -3154,6 +3154,8 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s,
		22	}
		23	else {
		24	UChar *q = p + reg->dmin;
		25	+
		26	+ if (q >= end) return 0; /* fail */
		27	while (p < q) p += enclen(reg->enc, p, end);
		28	}
		29	}
		30	--
		31	1.7.9.5
		32


diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch new file mode 100644 index 0000000000..d8bfba486c --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
@@ -0,0 +1,34 @@
		1	From 3b63d12038c8d8fc278e81c942fa9bec7c704c8b Mon Sep 17 00:00:00 2001
		2	From: "K.Kosako" <kosako@sofnec.co.jp>
		3	Date: Wed, 24 May 2017 13:43:25 +0900
		4	Subject: [PATCH] fix #60 : invalid state(CCS_VALUE) in parse_char_class()
		5
		6	---
		7	regparse.c \| 4 +++-
		8	1 file changed, 3 insertions(+), 1 deletion(-)
		9
		10	--- end of original header
		11
		12	CVE: CVE-2017-9228
		13
		14	Upstream-Status: Inappropriate [not author]
		15	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		16
		17	diff --git a/regparse.c b/regparse.c
		18	index 69875fa..1988747 100644
		19	--- a/regparse.c
		20	+++ b/regparse.c
		21	@@ -4081,7 +4081,9 @@ next_state_class(CClassNode* cc, OnigCodePoint* vs, enum CCVALTYPE* type,
		22	}
		23	}
		24
		25	- *state = CCS_VALUE;
		26	+ if (*state != CCS_START)
		27	+ *state = CCS_VALUE;
		28	+
		29	*type = CCV_CLASS;
		30	return 0;
		31	}
		32	--
		33	1.7.9.5
		34


diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch new file mode 100644 index 0000000000..6e765bf6dc --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch
@@ -0,0 +1,59 @@
		1	From b690371bbf97794b4a1d3f295d4fb9a8b05d402d Mon Sep 17 00:00:00 2001
		2	From: "K.Kosako" <kosako@sofnec.co.jp>
		3	Date: Wed, 24 May 2017 10:27:04 +0900
		4	Subject: [PATCH] fix #59 : access to invalid address by reg->dmax value
		5
		6	---
		7	regexec.c \| 27 +++++++++++++++++----------
		8	1 file changed, 17 insertions(+), 10 deletions(-)
		9
		10	--- end of original header
		11
		12	CVE: CVE-2017-9229
		13
		14	Upstream-Status: Inappropriate [not author]
		15	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		16
		17	diff --git a/regexec.c b/regexec.c
		18	index 49bcc50..c0626ef 100644
		19	--- a/regexec.c
		20	+++ b/regexec.c
		21	@@ -3756,18 +3756,25 @@ forward_search_range(regex_t* reg, const
		22	}
		23	else {
		24	if (reg->dmax != ONIG_INFINITE_DISTANCE) {
		25	- *low = p - reg->dmax;
		26	- if (*low > s) {
		27	- *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
		28	- low, end, (const UChar* )low_prev);
		29	- if (low_prev && IS_NULL(*low_prev))
		30	- *low_prev = onigenc_get_prev_char_head(reg->enc,
		31	- (pprev ? pprev : s), *low, end);
		32	+ if (p - str < reg->dmax) {
		33	+ low = (UChar )str;
		34	+ if (low_prev)
		35	+ low_prev = onigenc_get_prev_char_head(reg->enc, str, low, end);
		36	}
		37	else {
		38	- if (low_prev)
		39	- *low_prev = onigenc_get_prev_char_head(reg->enc,
		40	- (pprev ? pprev : str), *low, end);
		41	+ *low = p - reg->dmax;
		42	+ if (*low > s) {
		43	+ *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
		44	+ low, end, (const UChar* )low_prev);
		45	+ if (low_prev && IS_NULL(*low_prev))
		46	+ *low_prev = onigenc_get_prev_char_head(reg->enc,
		47	+ (pprev ? pprev : s), *low, end);
		48	+ }
		49	+ else {
		50	+ if (low_prev)
		51	+ *low_prev = onigenc_get_prev_char_head(reg->enc,
		52	+ (pprev ? pprev : str), *low, end);
		53	+ }
		54	}
		55	}
		56	}
		57	--
		58	1.7.9.5
		59


diff --git a/meta/recipes-devtools/ruby/ruby_2.4.0.bb b/meta/recipes-devtools/ruby/ruby_2.4.0.bb index 47e521db84..f1bd8289b6 100644 --- a/meta/recipes-devtools/ruby/ruby_2.4.0.bb +++ b/meta/recipes-devtools/ruby/ruby_2.4.0.bb
@@ -2,6 +2,10 @@ require ruby.inc
2		2
3	SRC_URI += " \	3	SRC_URI += " \
4	file://ruby-CVE-2017-9224.patch \	4	file://ruby-CVE-2017-9224.patch \
		5	file://ruby-CVE-2017-9226.patch \
		6	file://ruby-CVE-2017-9227.patch \
		7	file://ruby-CVE-2017-9228.patch \
		8	file://ruby-CVE-2017-9229.patch \
5	"	9	"
6		10
7	SRC_URI[md5sum] = "7e9485dcdb86ff52662728de2003e625"	11	SRC_URI[md5sum] = "7e9485dcdb86ff52662728de2003e625"