1 files changed, 89 insertions, 0 deletions

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2017-14033.patch b/meta/recipes-devtools/ruby/ruby/CVE-2017-14033.patch
new file mode 100644
index 0000000000..cbcd18c788
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2017-14033.patch
@@ -0,0 +1,89 @@
+From 1648afef33c1d97fb203c82291b8a61269e85d3b Mon Sep 17 00:00:00 2001
+From: Kazuki Yamaguchi <k@rhe.jp>
+Date: Mon, 19 Sep 2016 15:38:44 +0900
+Subject: [PATCH] asn1: fix out-of-bounds read in decoding constructed objects
+
+OpenSSL::ASN1.{decode,decode_all,traverse} have a bug of out-of-bounds
+read. int_ossl_asn1_decode0_cons() does not give the correct available
+length to ossl_asn1_decode() when decoding the inner components of a
+constructed object. This can cause out-of-bounds read if a crafted input
+given.
+
+Reference: https://hackerone.com/reports/170316
+
+Upstream-Status: Backport
+CVE: CVE-2017-14033
+
+Signed-off-by: Rajkumar Veer<rveer@mvista.com>
+---
+ ext/openssl/ossl_asn1.c | 13 ++++++-------
+ test/test_asn1.rb       | 23 +++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 7 deletions(-)
+--- a/ext/openssl/ossl_asn1.c
++++ b/ext/openssl/ossl_asn1.c
+@@ -871,19 +871,18 @@
+ {
+     VALUE value, asn1data, ary;
+     int infinite;
+-    long off = *offset;
++    long available_len, off = *offset;
+ 
+     infinite = (j == 0x21);
+     ary = rb_ary_new();
+ 
+-    while (length > 0 || infinite) {
++    available_len = infinite ? max_len : length;
++    while (available_len > 0 ) {
+        long inner_read = 0;
+-       value = ossl_asn1_decode0(pp, max_len, &off, depth + 1, yield, &inner_read);
++       value = ossl_asn1_decode0(pp, available_len, &off, depth + 1, yield, &inner_read);
+        *num_read += inner_read;
+-       max_len -= inner_read;
++       available_len -= inner_read;
+        rb_ary_push(ary, value);
+-       if (length > 0)
+-           length -= inner_read;
+ 
+        if (infinite &&
+            NUM2INT(ossl_asn1_get_tag(value)) == V_ASN1_EOC &&
+@@ -974,7 +973,7 @@
+     if(j & V_ASN1_CONSTRUCTED) {
+        *pp += hlen;
+        off += hlen;
+-       asn1data = int_ossl_asn1_decode0_cons(pp, length, len, &off, depth, yield, j, tag, tag_class, &inner_read);
++       asn1data = int_ossl_asn1_decode0_cons(pp, length - hlen, len, &off, depth, yield, j, tag, tag_class, &inner_read);
+        inner_read += hlen;
+     }
+     else {
+--- a/test/openssl/test_asn1.rb
++++ b/test/openssl/test_asn1.rb
+@@ -595,6 +595,29 @@
+     assert_equal(false, asn1.value[3].infinite_length)
+   end
+ 
++  def test_decode_constructed_overread
++    test = %w{ 31 06 31 02 30 02 05 00 }
++    #                          ^ <- invalid
++    raw = [test.join].pack("H*")
++    ret = []
++    assert_raise(OpenSSL::ASN1::ASN1Error) {
++      OpenSSL::ASN1.traverse(raw) { |x| ret << x }
++    }
++    assert_equal 2, ret.size
++    assert_equal 17, ret[0][6]
++    assert_equal 17, ret[1][6]
++
++    test = %w{ 31 80 30 03 00 00 }
++    #                    ^ <- invalid
++    raw = [test.join].pack("H*")
++    ret = []
++    assert_raise(OpenSSL::ASN1::ASN1Error) {
++      OpenSSL::ASN1.traverse(raw) { |x| ret << x }
++    }
++    assert_equal 1, ret.size
++    assert_equal 17, ret[0][6]
++  end
++
+   private
+ 
+   def assert_universal(tag, asn1)