diff options
| author | Hitendra Prajapati <hprajapati@mvista.com> | 2023-04-13 11:06:02 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-04-19 04:32:59 -1000 |
| commit | bcb3c107d36958ae991773eb5ef14ed558f41737 (patch) | |
| tree | c02f73494ba5ecd9999c10c33762efd4d1460423 /meta/recipes-devtools/ruby | |
| parent | a526ef88ee960f6fce8ccae0230d5469309fd03a (diff) | |
| download | poky-bcb3c107d36958ae991773eb5ef14ed558f41737.tar.gz | |
ruby: CVE-2023-28756 ReDoS vulnerability in Time
Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e
(From OE-Core rev: 52d26edffdd0444588ecad56b40a65e225889a01)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/ruby')
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch | 61 | ||||
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby_2.7.6.bb | 1 |
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch new file mode 100644 index 0000000000..c25a147d36 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch | |||
| @@ -0,0 +1,61 @@ | |||
| 1 | From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Hiroshi SHIBATA <hsbt@ruby-lang.org> | ||
| 3 | Date: Wed, 29 Mar 2023 13:28:25 +0900 | ||
| 4 | Subject: [PATCH] CVE-2023-28756 | ||
| 5 | |||
| 6 | CVE: CVE-2023-28756 | ||
| 7 | Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e] | ||
| 8 | |||
| 9 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 10 | --- | ||
| 11 | lib/time.rb | 6 +++--- | ||
| 12 | test/test_time.rb | 9 +++++++++ | ||
| 13 | 2 files changed, 12 insertions(+), 3 deletions(-) | ||
| 14 | |||
| 15 | diff --git a/lib/time.rb b/lib/time.rb | ||
| 16 | index f27bacd..4a86e8e 100644 | ||
| 17 | --- a/lib/time.rb | ||
| 18 | +++ b/lib/time.rb | ||
| 19 | @@ -501,8 +501,8 @@ class Time | ||
| 20 | (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+ | ||
| 21 | (\d{2,})\s+ | ||
| 22 | (\d{2})\s* | ||
| 23 | - :\s*(\d{2})\s* | ||
| 24 | - (?::\s*(\d{2}))?\s+ | ||
| 25 | + :\s*(\d{2}) | ||
| 26 | + (?:\s*:\s*(\d\d))?\s+ | ||
| 27 | ([+-]\d{4}| | ||
| 28 | UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date | ||
| 29 | # Since RFC 2822 permit comments, the regexp has no right anchor. | ||
| 30 | @@ -717,7 +717,7 @@ class Time | ||
| 31 | # | ||
| 32 | # If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise. | ||
| 33 | # | ||
| 34 | - # +fractional_digits+ specifies a number of digits to use for fractional | ||
| 35 | + # +fraction_digits+ specifies a number of digits to use for fractional | ||
| 36 | # seconds. Its default value is 0. | ||
| 37 | # | ||
| 38 | # require 'time' | ||
| 39 | diff --git a/test/test_time.rb b/test/test_time.rb | ||
| 40 | index ca20788..4f11048 100644 | ||
| 41 | --- a/test/test_time.rb | ||
| 42 | +++ b/test/test_time.rb | ||
| 43 | @@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc: | ||
| 44 | assert_equal(true, t.utc?) | ||
| 45 | end | ||
| 46 | |||
| 47 | + def test_rfc2822_nonlinear | ||
| 48 | + pre = ->(n) {"0 Feb 00 00 :00" + " " * n} | ||
| 49 | + assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s| | ||
| 50 | + assert_raise(ArgumentError) do | ||
| 51 | + Time.rfc2822(s) | ||
| 52 | + end | ||
| 53 | + end | ||
| 54 | + end | ||
| 55 | + | ||
| 56 | def test_encode_rfc2822 | ||
| 57 | t = Time.utc(1) | ||
| 58 | assert_equal("Mon, 01 Jan 0001 00:00:00 -0000", t.rfc2822) | ||
| 59 | -- | ||
| 60 | 2.25.1 | ||
| 61 | |||
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.6.bb b/meta/recipes-devtools/ruby/ruby_2.7.6.bb index 3af321a83e..91ffde5fa3 100644 --- a/meta/recipes-devtools/ruby/ruby_2.7.6.bb +++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb | |||
| @@ -7,6 +7,7 @@ SRC_URI += " \ | |||
| 7 | file://run-ptest \ | 7 | file://run-ptest \ |
| 8 | file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \ | 8 | file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \ |
| 9 | file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \ | 9 | file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \ |
| 10 | file://CVE-2023-28756.patch \ | ||
| 10 | " | 11 | " |
| 11 | 12 | ||
| 12 | SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042" | 13 | SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042" |
