author | Mingli Yu <mingli.yu@windriver.com> | 2023-04-24 17:16:01 +0800 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-05-03 04:17:12 -1000 |
commit | 6cff3875fe60802742937a5e562d5954f0eb50fe (patch) | |
tree | 1f164e76daa485e2a1dcee6429a33df2409f7591 /meta | |
parent | 4cc0e9438b450b43749730e128b6b9adb30f9663 (diff) | |
ruby: Fix CVE-2023-28755
Backport patch [1] to fix CVE-2023-28755.
[1] https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300
(From OE-Core rev: 605634cf1adef2d9cf6dc6fdf17aa4032385497f)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch | 68 | ||||
-rw-r--r-- | meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 |
2 files changed, 69 insertions, 0 deletions
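--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28755.patch
@@ -0,0 +1,68 @@
+From db4bb57d4af6d097a0c29490536793d95f1d8983 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Mon, 24 Apr 2023 08:27:24 +0000
+Subject: [PATCH] Merge URI-0.12.1
+
+CVE: CVE-2023-28755
+
+Upstream-Status: Backport [https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+lib/uri/rfc3986_parser.rb | 4 ++--
+lib/uri/version.rb | 2 +-
+test/uri/test_common.rb | 11 +++++++++++
+3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb
+index 3e07de4..3c89311 100644
+--- a/lib/uri/rfc3986_parser.rb
++++ b/lib/uri/rfc3986_parser.rb
+@@ -3,8 +3,8 @@ module URI
+class RFC3986_Parser # :nodoc:
+# URI defined in RFC3986
+# this regexp is modified not to host is not empty string
+- RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
+- RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?<host>(?<IP-literal>\[(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?<port>\d*))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g<segment>)*)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g<segment>)*)|(?<path-empty>))(?:\?(?<query>[^#]*))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/
++ RFC3986_URI = /\A(?<URI>(?<scheme>[A-Za-z][+\-.0-9A-Za-z]*+):(?<hier-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])*+))(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-rootless>\g<segment-nz>(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/
++ RFC3986_relative_ref = /\A(?<relative-ref>(?<relative-part>\/\/(?<authority>(?:(?<userinfo>(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?<host>(?<IP-literal>\[(?:(?<IPv6address>(?:\h{1,4}:){6}(?<ls32>\h{1,4}:\h{1,4}|(?<IPv4address>(?<dec-octet>[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g<dec-octet>\.\g<dec-octet>\.\g<dec-octet>))|::(?:\h{1,4}:){5}\g<ls32>|\h{1,4}?::(?:\h{1,4}:){4}\g<ls32>|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g<ls32>|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g<ls32>|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g<ls32>|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g<ls32>|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?<IPvFuture>v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g<IPv4address>|(?<reg-name>(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?<port>\d*+))?)(?<path-abempty>(?:\/(?<segment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?<path-absolute>\/(?:(?<segment-nz>(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g<segment>)*+)?)|(?<path-noscheme>(?<segment-nz-nc>(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g<segment>)*+)|(?<path-empty>))(?:\?(?<query>[^#]*+))?(?:\#(?<fragment>(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/
+attr_reader :regexp
+
+def initialize
+diff --git a/lib/uri/version.rb b/lib/uri/version.rb
+index 82188e2..7497a7d 100644
+--- a/lib/uri/version.rb
++++ b/lib/uri/version.rb
+@@ -1,6 +1,6 @@
+module URI
+# :stopdoc:
+- VERSION_CODE = '001100'.freeze
++ VERSION_CODE = '001201'.freeze
+VERSION = VERSION_CODE.scan(/../).collect{|n| n.to_i}.join('.').freeze
+# :startdoc:
+end
+diff --git a/test/uri/test_common.rb b/test/uri/test_common.rb
+index 5e30cda..1d34783 100644
+--- a/test/uri/test_common.rb
++++ b/test/uri/test_common.rb
+@@ -78,6 +78,17 @@ class TestCommon < Test::Unit::TestCase
+assert_raise(NoMethodError) { Object.new.URI("http://www.ruby-lang.org/") }
+end
+
++ def test_parse_timeout
++ pre = ->(n) {
++ 'https://example.com/dir/' + 'a' * (n * 100) + '/##.jpg'
++ }
++ assert_linear_performance((1..10).map {|i| i * 100}, rehearsal: 1000, pre: pre) do |uri|
++ assert_raise(URI::InvalidURIError) do
++ URI.parse(uri)
++ end
++ end
++ end
++
+def test_encode_www_form_component
+assert_equal("%00+%21%22%23%24%25%26%27%28%29*%2B%2C-.%2F09%3A%3B%3C%3D%3E%3F%40" \
+"AZ%5B%5C%5D%5E_%60az%7B%7C%7D%7E",
+--
+2.35.5
+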
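Review bot: The test_parse_timeout method added in the test/uri/test_common.rb hunk relies on `assert_linear_performance`, which is a helper from the Ruby tree's own test support library rather than a Test::Unit assertion, and this backport's diffstat lists only rfc3986_parser.rb, version.rb and test_common.rb, so nothing here adds that helper; if the 3.1.3 tree (or the CVE-2023-28756 patch already in SRC_URI) does not define it, the test raises NoMethodError when the bundled suite runs instead of exercising the fix. Worth confirming the helper resolves in this version, or trimming the backport to the rfc3986_parser.rb and version.rb hunks, which carry the actual fix, and recording the dropped test in the patch header. The enclosing TestCommon class starts and ends outside the hunk.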
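--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
 file://0006-Make-gemspecs-reproducible.patch \
 file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
 file://CVE-2023-28756.patch \
+file://CVE-2023-28755.patch \
 "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
 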