diff options
| author | Yogita Urade <yogita.urade@windriver.com> | 2024-06-21 12:25:27 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-06-26 05:04:39 -0700 |
| commit | 52f1435174e2b2c35e9ffe02fe7fbb65c7ff7e60 (patch) | |
| tree | e15d4ed3973cb2631fa7222c274dfdf141a46916 /meta/recipes-devtools/ruby | |
| parent | 064e000b18e10c14c4d2e602d498ec119e62f921 (diff) | |
| download | poky-52f1435174e2b2c35e9ffe02fe7fbb65c7ff7e60.tar.gz | |
ruby: fix CVE-2024-27280
A buffer-overread issue was discovered in StringIO 3.0.1, as
distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through
3.1.4. The ungetbyte and ungetc methods on a StringIO can
read past the end of a string, and a subsequent call to
StringIO.gets may return the memory value. 3.0.3 is the main
fixed version; however, for Ruby 3.0 users, a fixed version
is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version
is stringio 3.0.1.2.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-27280
(From OE-Core rev: 729310d17310dff955c51811ff3339fdbc017b95)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/ruby')
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch | 87 | ||||
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 |
2 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch new file mode 100644 index 0000000000..2595feb6e9 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch | |||
| @@ -0,0 +1,87 @@ | |||
| 1 | From a35268a3ac1b5f0058e5b7c1a041a7e86d9da067 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Nobuyoshi Nakada <nobu@ruby-lang.org> | ||
| 3 | Date: Mon, 10 Jun 2024 11:46:53 +0000 | ||
| 4 | Subject: [PATCH] Fix expanding size at ungetc/ungetbyte | ||
| 5 | |||
| 6 | CVE: CVE-2024-27280 | ||
| 7 | Upstream-Status: Backport [https://github.com/ruby/stringio/commit/a35268a3ac1b5f0058e5b7c1a041a7e86d9da067] | ||
| 8 | |||
| 9 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
| 10 | --- | ||
| 11 | ext/stringio/stringio.c | 2 +- | ||
| 12 | test/stringio/test_stringio.rb | 25 +++++++++++++++++++++---- | ||
| 13 | 2 files changed, 22 insertions(+), 5 deletions(-) | ||
| 14 | |||
| 15 | diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c | ||
| 16 | index 8df07e8..b2e8632 100644 | ||
| 17 | --- a/ext/stringio/stringio.c | ||
| 18 | +++ b/ext/stringio/stringio.c | ||
| 19 | @@ -984,7 +984,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl) | ||
| 20 | len = RSTRING_LEN(str); | ||
| 21 | rest = pos - len; | ||
| 22 | if (cl > pos) { | ||
| 23 | - long ex = (rest < 0 ? cl-pos : cl+rest); | ||
| 24 | + long ex = cl - (rest < 0 ? pos : len); | ||
| 25 | rb_str_modify_expand(str, ex); | ||
| 26 | rb_str_set_len(str, len + ex); | ||
| 27 | s = RSTRING_PTR(str); | ||
| 28 | diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb | ||
| 29 | index e0b4504..4853513 100644 | ||
| 30 | --- a/test/stringio/test_stringio.rb | ||
| 31 | +++ b/test/stringio/test_stringio.rb | ||
| 32 | @@ -757,6 +757,15 @@ class TestStringIO < Test::Unit::TestCase | ||
| 33 | assert_equal("b""\0""a", s.string) | ||
| 34 | end | ||
| 35 | |||
| 36 | + def test_ungetc_fill | ||
| 37 | + count = 100 | ||
| 38 | + s = StringIO.new | ||
| 39 | + s.print 'a' * count | ||
| 40 | + s.ungetc('b' * (count * 5)) | ||
| 41 | + assert_equal((count * 5), s.string.size) | ||
| 42 | + assert_match(/\Ab+\z/, s.string) | ||
| 43 | + end | ||
| 44 | + | ||
| 45 | def test_ungetbyte_pos | ||
| 46 | b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011' | ||
| 47 | s = StringIO.new( b ) | ||
| 48 | @@ -782,6 +791,15 @@ class TestStringIO < Test::Unit::TestCase | ||
| 49 | assert_equal("b""\0""a", s.string) | ||
| 50 | end | ||
| 51 | |||
| 52 | + def test_ungetbyte_fill | ||
| 53 | + count = 100 | ||
| 54 | + s = StringIO.new | ||
| 55 | + s.print 'a' * count | ||
| 56 | + s.ungetbyte('b' * (count * 5)) | ||
| 57 | + assert_equal((count * 5), s.string.size) | ||
| 58 | + assert_match(/\Ab+\z/, s.string) | ||
| 59 | + end | ||
| 60 | + | ||
| 61 | def test_frozen | ||
| 62 | s = StringIO.new | ||
| 63 | s.freeze | ||
| 64 | @@ -825,18 +843,17 @@ class TestStringIO < Test::Unit::TestCase | ||
| 65 | end | ||
| 66 | |||
| 67 | def test_overflow | ||
| 68 | - omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"] | ||
| 69 | + return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"] | ||
| 70 | limit = RbConfig::LIMITS["INTPTR_MAX"] - 0x10 | ||
| 71 | assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}") | ||
| 72 | begin; | ||
| 73 | limit = #{limit} | ||
| 74 | ary = [] | ||
| 75 | - while true | ||
| 76 | + begin | ||
| 77 | x = "a"*0x100000 | ||
| 78 | break if [x].pack("p").unpack("i!")[0] < 0 | ||
| 79 | ary << x | ||
| 80 | - omit if ary.size > 100 | ||
| 81 | - end | ||
| 82 | + end while ary.size <= 100 | ||
| 83 | s = StringIO.new(x) | ||
| 84 | s.gets("xxx", limit) | ||
| 85 | assert_equal(0x100000, s.pos) | ||
| 86 | -- | ||
| 87 | 2.40.0 | ||
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index 2ad3c9e207..d4b977cdfe 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb +++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb | |||
| @@ -34,6 +34,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ | |||
| 34 | file://CVE-2023-36617_1.patch \ | 34 | file://CVE-2023-36617_1.patch \ |
| 35 | file://CVE-2023-36617_2.patch \ | 35 | file://CVE-2023-36617_2.patch \ |
| 36 | file://CVE-2024-27281.patch \ | 36 | file://CVE-2024-27281.patch \ |
| 37 | file://CVE-2024-27280.patch \ | ||
| 37 | " | 38 | " |
| 38 | UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" | 39 | UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" |
| 39 | 40 | ||