diff options
| author | Ovidiu Panait <ovidiu.panait@windriver.com> | 2017-09-15 14:36:58 +0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-09-18 11:07:30 +0100 |
| commit | 80aa68fa758652b168bbd9235f8e8b77d7904cf5 (patch) | |
| tree | 85d718b2ca5a68633aa0cca1cc46a24340289932 /meta | |
| parent | 50b205ee274f2f29280a1da5401ce7ef61b6c0c7 (diff) | |
| download | poky-80aa68fa758652b168bbd9235f8e8b77d7904cf5.tar.gz | |
ruby: CVE-2017-14064
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose
arbitrary memory during a JSON.generate call. The issues lies in using
strdup in ext/json/ext/generator/generator.c, which will stop after
encountering a '\0' byte, returning a pointer to a string of length zero,
which is not the length stored in space_len.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2017-14064
Upstream patch:
https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85
(From OE-Core rev: 17dbfd967019f9b50a9f6aa3f48cd3658fcccc70)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-14064.patch | 87 | ||||
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby_2.4.1.bb | 1 |
2 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-14064.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-14064.patch new file mode 100644 index 0000000000..88e693c94e --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-14064.patch | |||
| @@ -0,0 +1,87 @@ | |||
| 1 | From 8f782fd8e181d9cfe9387ded43a5ca9692266b85 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Florian Frank <flori@ping.de> | ||
| 3 | Date: Thu, 2 Mar 2017 12:12:33 +0100 | ||
| 4 | Subject: [PATCH] Fix arbitrary heap exposure problem | ||
| 5 | |||
| 6 | Upstream-Status: Backport | ||
| 7 | CVE: CVE-2017-14064 | ||
| 8 | |||
| 9 | Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> | ||
| 10 | --- | ||
| 11 | ext/json/generator/generator.c | 12 ++++++------ | ||
| 12 | ext/json/generator/generator.h | 1 - | ||
| 13 | 2 files changed, 6 insertions(+), 7 deletions(-) | ||
| 14 | |||
| 15 | diff --git a/ext/json/generator/generator.c b/ext/json/generator/generator.c | ||
| 16 | index ef85bb7..c88818c 100644 | ||
| 17 | --- a/ext/json/generator/generator.c | ||
| 18 | +++ b/ext/json/generator/generator.c | ||
| 19 | @@ -308,7 +308,7 @@ static char *fstrndup(const char *ptr, unsigned long len) { | ||
| 20 | char *result; | ||
| 21 | if (len <= 0) return NULL; | ||
| 22 | result = ALLOC_N(char, len); | ||
| 23 | - memccpy(result, ptr, 0, len); | ||
| 24 | + memcpy(result, ptr, len); | ||
| 25 | return result; | ||
| 26 | } | ||
| 27 | |||
| 28 | @@ -1062,7 +1062,7 @@ static VALUE cState_indent_set(VALUE self, VALUE indent) | ||
| 29 | } | ||
| 30 | } else { | ||
| 31 | if (state->indent) ruby_xfree(state->indent); | ||
| 32 | - state->indent = strdup(RSTRING_PTR(indent)); | ||
| 33 | + state->indent = fstrndup(RSTRING_PTR(indent), len); | ||
| 34 | state->indent_len = len; | ||
| 35 | } | ||
| 36 | return Qnil; | ||
| 37 | @@ -1100,7 +1100,7 @@ static VALUE cState_space_set(VALUE self, VALUE space) | ||
| 38 | } | ||
| 39 | } else { | ||
| 40 | if (state->space) ruby_xfree(state->space); | ||
| 41 | - state->space = strdup(RSTRING_PTR(space)); | ||
| 42 | + state->space = fstrndup(RSTRING_PTR(space), len); | ||
| 43 | state->space_len = len; | ||
| 44 | } | ||
| 45 | return Qnil; | ||
| 46 | @@ -1136,7 +1136,7 @@ static VALUE cState_space_before_set(VALUE self, VALUE space_before) | ||
| 47 | } | ||
| 48 | } else { | ||
| 49 | if (state->space_before) ruby_xfree(state->space_before); | ||
| 50 | - state->space_before = strdup(RSTRING_PTR(space_before)); | ||
| 51 | + state->space_before = fstrndup(RSTRING_PTR(space_before), len); | ||
| 52 | state->space_before_len = len; | ||
| 53 | } | ||
| 54 | return Qnil; | ||
| 55 | @@ -1173,7 +1173,7 @@ static VALUE cState_object_nl_set(VALUE self, VALUE object_nl) | ||
| 56 | } | ||
| 57 | } else { | ||
| 58 | if (state->object_nl) ruby_xfree(state->object_nl); | ||
| 59 | - state->object_nl = strdup(RSTRING_PTR(object_nl)); | ||
| 60 | + state->object_nl = fstrndup(RSTRING_PTR(object_nl), len); | ||
| 61 | state->object_nl_len = len; | ||
| 62 | } | ||
| 63 | return Qnil; | ||
| 64 | @@ -1208,7 +1208,7 @@ static VALUE cState_array_nl_set(VALUE self, VALUE array_nl) | ||
| 65 | } | ||
| 66 | } else { | ||
| 67 | if (state->array_nl) ruby_xfree(state->array_nl); | ||
| 68 | - state->array_nl = strdup(RSTRING_PTR(array_nl)); | ||
| 69 | + state->array_nl = fstrndup(RSTRING_PTR(array_nl), len); | ||
| 70 | state->array_nl_len = len; | ||
| 71 | } | ||
| 72 | return Qnil; | ||
| 73 | diff --git a/ext/json/generator/generator.h b/ext/json/generator/generator.h | ||
| 74 | index 900b4d5..c367a62 100644 | ||
| 75 | --- a/ext/json/generator/generator.h | ||
| 76 | +++ b/ext/json/generator/generator.h | ||
| 77 | @@ -1,7 +1,6 @@ | ||
| 78 | #ifndef _GENERATOR_H_ | ||
| 79 | #define _GENERATOR_H_ | ||
| 80 | |||
| 81 | -#include <string.h> | ||
| 82 | #include <math.h> | ||
| 83 | #include <ctype.h> | ||
| 84 | |||
| 85 | -- | ||
| 86 | 2.10.2 | ||
| 87 | |||
diff --git a/meta/recipes-devtools/ruby/ruby_2.4.1.bb b/meta/recipes-devtools/ruby/ruby_2.4.1.bb index 4443146b57..7d27ac84ec 100644 --- a/meta/recipes-devtools/ruby/ruby_2.4.1.bb +++ b/meta/recipes-devtools/ruby/ruby_2.4.1.bb | |||
| @@ -6,6 +6,7 @@ SRC_URI += " \ | |||
| 6 | file://ruby-CVE-2017-9227.patch \ | 6 | file://ruby-CVE-2017-9227.patch \ |
| 7 | file://ruby-CVE-2017-9228.patch \ | 7 | file://ruby-CVE-2017-9228.patch \ |
| 8 | file://ruby-CVE-2017-9229.patch \ | 8 | file://ruby-CVE-2017-9229.patch \ |
| 9 | file://ruby-CVE-2017-14064.patch \ | ||
| 9 | " | 10 | " |
| 10 | 11 | ||
| 11 | SRC_URI[md5sum] = "782bca562e474dd25956dd0017d92677" | 12 | SRC_URI[md5sum] = "782bca562e474dd25956dd0017d92677" |