summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/ruby
diff options
context:
space:
mode:
authorHitendra Prajapati <hprajapati@mvista.com>2023-04-13 11:06:02 +0530
committerSteve Sakoman <steve@sakoman.com>2023-04-19 04:32:59 -1000
commitbcb3c107d36958ae991773eb5ef14ed558f41737 (patch)
treec02f73494ba5ecd9999c10c33762efd4d1460423 /meta/recipes-devtools/ruby
parenta526ef88ee960f6fce8ccae0230d5469309fd03a (diff)
downloadpoky-bcb3c107d36958ae991773eb5ef14ed558f41737.tar.gz
ruby: CVE-2023-28756 ReDoS vulnerability in Time
Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e (From OE-Core rev: 52d26edffdd0444588ecad56b40a65e225889a01) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/ruby')
-rw-r--r--meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch61
-rw-r--r--meta/recipes-devtools/ruby/ruby_2.7.6.bb1
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
new file mode 100644
index 0000000000..c25a147d36
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
@@ -0,0 +1,61 @@
1From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001
2From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
3Date: Wed, 29 Mar 2023 13:28:25 +0900
4Subject: [PATCH] CVE-2023-28756
5
6CVE: CVE-2023-28756
7Upstream-Status: Backport [https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e]
8
9Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
10---
11 lib/time.rb | 6 +++---
12 test/test_time.rb | 9 +++++++++
13 2 files changed, 12 insertions(+), 3 deletions(-)
14
15diff --git a/lib/time.rb b/lib/time.rb
16index f27bacd..4a86e8e 100644
17--- a/lib/time.rb
18+++ b/lib/time.rb
19@@ -501,8 +501,8 @@ class Time
20 (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
21 (\d{2,})\s+
22 (\d{2})\s*
23- :\s*(\d{2})\s*
24- (?::\s*(\d{2}))?\s+
25+ :\s*(\d{2})
26+ (?:\s*:\s*(\d\d))?\s+
27 ([+-]\d{4}|
28 UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
29 # Since RFC 2822 permit comments, the regexp has no right anchor.
30@@ -717,7 +717,7 @@ class Time
31 #
32 # If self is a UTC time, Z is used as TZD. [+-]hh:mm is used otherwise.
33 #
34- # +fractional_digits+ specifies a number of digits to use for fractional
35+ # +fraction_digits+ specifies a number of digits to use for fractional
36 # seconds. Its default value is 0.
37 #
38 # require 'time'
39diff --git a/test/test_time.rb b/test/test_time.rb
40index ca20788..4f11048 100644
41--- a/test/test_time.rb
42+++ b/test/test_time.rb
43@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc:
44 assert_equal(true, t.utc?)
45 end
46
47+ def test_rfc2822_nonlinear
48+ pre = ->(n) {"0 Feb 00 00 :00" + " " * n}
49+ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s|
50+ assert_raise(ArgumentError) do
51+ Time.rfc2822(s)
52+ end
53+ end
54+ end
55+
56 def test_encode_rfc2822
57 t = Time.utc(1)
58 assert_equal("Mon, 01 Jan 0001 00:00:00 -0000", t.rfc2822)
59--
602.25.1
61
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.6.bb b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
index 3af321a83e..91ffde5fa3 100644
--- a/meta/recipes-devtools/ruby/ruby_2.7.6.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.6.bb
@@ -7,6 +7,7 @@ SRC_URI += " \
7 file://run-ptest \ 7 file://run-ptest \
8 file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \ 8 file://0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch \
9 file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \ 9 file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
10 file://CVE-2023-28756.patch \
10 " 11 "
11 12
12SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042" 13SRC_URI[md5sum] = "f972fb0cce662966bec10d5c5f32d042"