summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorJoe Slater <jslater@windriver.com>2017-08-18 10:43:44 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-08-19 22:15:39 +0100
commitee195eb03460e9dca41084695d4775ec830cfde7 (patch)
tree3a21ec16fe8dd9cfc618eee966c2b23784f41c8b /meta
parent342393587cdc364c12c0a0ba1694f3198cd49158 (diff)
downloadpoky-ee195eb03460e9dca41084695d4775ec830cfde7.tar.gz
ruby: fix CVE-2017-922{6-9}
CVE-2017-9226 : check too big code point value for single byte CVE-2017-9227 : access to invalid address by reg->dmin value CVE-2017-9228 : invalid state(CCS_VALUE) in parse_char_class() CVE-2017-9229 : access to invalid address by reg->dmax value (From OE-Core rev: f15f01edbaa431829a50053d07ed6d6b333584c7) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch41
-rw-r--r--meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch32
-rw-r--r--meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch34
-rw-r--r--meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch59
-rw-r--r--meta/recipes-devtools/ruby/ruby_2.4.1.bb4
5 files changed, 170 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
new file mode 100644
index 0000000000..0f2a4307cc
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
@@ -0,0 +1,41 @@
1From b4bf968ad52afe14e60a2dc8a95d3555c543353a Mon Sep 17 00:00:00 2001
2From: "K.Kosako" <kosako@sofnec.co.jp>
3Date: Thu, 18 May 2017 17:05:27 +0900
4Subject: [PATCH] fix #55 : check too big code point value for single byte
5 value in next_state_val()
6
7---
8 regparse.c | 3 +++
9 1 file changed, 3 insertions(+)
10
11--- end of original header
12
13CVE: CVE-2017-9226
14
15Add check for octal number bigger than 255.
16
17Upstream-Status: Pending
18Signed-off-by: Joe Slater <joe.slater@windriver.com>
19
20
21--- ruby-2.4.1.orig/regparse.c
22+++ ruby-2.4.1/regparse.c
23@@ -3644,7 +3644,7 @@ fetch_token(OnigToken* tok, UChar** src,
24 if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
25 prev = p;
26 num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
27- if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
28+ if (num < 0 || 0xff < num) return ONIGERR_TOO_BIG_NUMBER;
29 if (p == prev) { /* can't read nothing. */
30 num = 0; /* but, it's not error */
31 }
32@@ -4450,6 +4450,9 @@ next_state_val(CClassNode* cc, CClassNod
33 switch (*state) {
34 case CCS_VALUE:
35 if (*type == CCV_SB) {
36+ if (*vs > 0xff)
37+ return ONIGERR_INVALID_CODE_POINT_VALUE;
38+
39 BITSET_SET_BIT_CHKDUP(cc->bs, (int )(*vs));
40 if (IS_NOT_NULL(asc_cc))
41 BITSET_SET_BIT(asc_cc->bs, (int )(*vs));
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch
new file mode 100644
index 0000000000..85e7ccb369
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9227.patch
@@ -0,0 +1,32 @@
1From 9690d3ab1f9bcd2db8cbe1fe3ee4a5da606b8814 Mon Sep 17 00:00:00 2001
2From: "K.Kosako" <kosako@sofnec.co.jp>
3Date: Tue, 23 May 2017 16:15:35 +0900
4Subject: [PATCH] fix #58 : access to invalid address by reg->dmin value
5
6---
7 regexec.c | 2 ++
8 1 file changed, 2 insertions(+)
9
10--- end of original header
11
12CVE: CVE-2017-9227
13
14Upstream-Status: Inappropriate [not author]
15Signed-off-by: Joe Slater <joe.slater@windriver.com>
16
17diff --git a/regexec.c b/regexec.c
18index d4e577d..2fa0f3d 100644
19--- a/regexec.c
20+++ b/regexec.c
21@@ -3154,6 +3154,8 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s,
22 }
23 else {
24 UChar *q = p + reg->dmin;
25+
26+ if (q >= end) return 0; /* fail */
27 while (p < q) p += enclen(reg->enc, p, end);
28 }
29 }
30--
311.7.9.5
32
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
new file mode 100644
index 0000000000..d8bfba486c
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
@@ -0,0 +1,34 @@
1From 3b63d12038c8d8fc278e81c942fa9bec7c704c8b Mon Sep 17 00:00:00 2001
2From: "K.Kosako" <kosako@sofnec.co.jp>
3Date: Wed, 24 May 2017 13:43:25 +0900
4Subject: [PATCH] fix #60 : invalid state(CCS_VALUE) in parse_char_class()
5
6---
7 regparse.c | 4 +++-
8 1 file changed, 3 insertions(+), 1 deletion(-)
9
10--- end of original header
11
12CVE: CVE-2017-9228
13
14Upstream-Status: Inappropriate [not author]
15Signed-off-by: Joe Slater <joe.slater@windriver.com>
16
17diff --git a/regparse.c b/regparse.c
18index 69875fa..1988747 100644
19--- a/regparse.c
20+++ b/regparse.c
21@@ -4081,7 +4081,9 @@ next_state_class(CClassNode* cc, OnigCodePoint* vs, enum CCVALTYPE* type,
22 }
23 }
24
25- *state = CCS_VALUE;
26+ if (*state != CCS_START)
27+ *state = CCS_VALUE;
28+
29 *type = CCV_CLASS;
30 return 0;
31 }
32--
331.7.9.5
34
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch
new file mode 100644
index 0000000000..6e765bf6dc
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9229.patch
@@ -0,0 +1,59 @@
1From b690371bbf97794b4a1d3f295d4fb9a8b05d402d Mon Sep 17 00:00:00 2001
2From: "K.Kosako" <kosako@sofnec.co.jp>
3Date: Wed, 24 May 2017 10:27:04 +0900
4Subject: [PATCH] fix #59 : access to invalid address by reg->dmax value
5
6---
7 regexec.c | 27 +++++++++++++++++----------
8 1 file changed, 17 insertions(+), 10 deletions(-)
9
10--- end of original header
11
12CVE: CVE-2017-9229
13
14Upstream-Status: Inappropriate [not author]
15Signed-off-by: Joe Slater <joe.slater@windriver.com>
16
17diff --git a/regexec.c b/regexec.c
18index 49bcc50..c0626ef 100644
19--- a/regexec.c
20+++ b/regexec.c
21@@ -3756,18 +3756,25 @@ forward_search_range(regex_t* reg, const
22 }
23 else {
24 if (reg->dmax != ONIG_INFINITE_DISTANCE) {
25- *low = p - reg->dmax;
26- if (*low > s) {
27- *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
28- *low, end, (const UChar** )low_prev);
29- if (low_prev && IS_NULL(*low_prev))
30- *low_prev = onigenc_get_prev_char_head(reg->enc,
31- (pprev ? pprev : s), *low, end);
32+ if (p - str < reg->dmax) {
33+ *low = (UChar* )str;
34+ if (low_prev)
35+ *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low, end);
36 }
37 else {
38- if (low_prev)
39- *low_prev = onigenc_get_prev_char_head(reg->enc,
40- (pprev ? pprev : str), *low, end);
41+ *low = p - reg->dmax;
42+ if (*low > s) {
43+ *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
44+ *low, end, (const UChar** )low_prev);
45+ if (low_prev && IS_NULL(*low_prev))
46+ *low_prev = onigenc_get_prev_char_head(reg->enc,
47+ (pprev ? pprev : s), *low, end);
48+ }
49+ else {
50+ if (low_prev)
51+ *low_prev = onigenc_get_prev_char_head(reg->enc,
52+ (pprev ? pprev : str), *low, end);
53+ }
54 }
55 }
56 }
57--
581.7.9.5
59
diff --git a/meta/recipes-devtools/ruby/ruby_2.4.1.bb b/meta/recipes-devtools/ruby/ruby_2.4.1.bb
index 77e17f199b..4443146b57 100644
--- a/meta/recipes-devtools/ruby/ruby_2.4.1.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.4.1.bb
@@ -2,6 +2,10 @@ require ruby.inc
2 2
3SRC_URI += " \ 3SRC_URI += " \
4 file://ruby-CVE-2017-9224.patch \ 4 file://ruby-CVE-2017-9224.patch \
5 file://ruby-CVE-2017-9226.patch \
6 file://ruby-CVE-2017-9227.patch \
7 file://ruby-CVE-2017-9228.patch \
8 file://ruby-CVE-2017-9229.patch \
5 " 9 "
6 10
7SRC_URI[md5sum] = "782bca562e474dd25956dd0017d92677" 11SRC_URI[md5sum] = "782bca562e474dd25956dd0017d92677"