summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/ruby
diff options
context:
space:
mode:
authorArmin Kuster <akuster808@gmail.com>2018-02-19 13:06:35 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-03-04 11:12:12 +0000
commitc323026d9ca3f57628dca4114ed394a279637427 (patch)
tree9152e5fcddf83c40946b79c0e75f43caf8c4b2f4 /meta/recipes-devtools/ruby
parent3c735b01da4ddcf81b426b9f032e8f8494401fae (diff)
downloadpoky-c323026d9ca3f57628dca4114ed394a279637427.tar.gz
ruby: update to 2.4.3
This fixes a segfault in arm64 multilib. Drop CVE-2017-14064.patch Additional CVE included are 2.4.3: CVE-2017-17405: Command injection vulnerability in Net::FTP Additional CVE included are 2.4.2: CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode CVE-2017-14064: Heap exposure in generating JSON Ruby Gems: DNS request hijacking vulnerability. (CVE-2017-0902) ANSI escape sequence vulnerability. (CVE-2017-0899) DoS vulnerability in the query command. (CVE-2017-0900) vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. (CVE-2017-0901) (From OE-Core rev: 5bf664ba85c06d17c6e8c200301e42bc5fdab75e) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/ruby')
-rw-r--r--meta/recipes-devtools/ruby/ruby/CVE-2017-14064.patch353
-rw-r--r--meta/recipes-devtools/ruby/ruby_2.4.3.bb (renamed from meta/recipes-devtools/ruby/ruby_2.4.0.bb)5
2 files changed, 2 insertions, 356 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2017-14064.patch b/meta/recipes-devtools/ruby/ruby/CVE-2017-14064.patch
deleted file mode 100644
index 700d1bc58e..0000000000
--- a/meta/recipes-devtools/ruby/ruby/CVE-2017-14064.patch
+++ /dev/null
@@ -1,353 +0,0 @@
1From d86d283fcb35d1442a121b92030884523908a331 Mon Sep 17 00:00:00 2001
2From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
3Date: Sat, 22 Apr 2017 07:29:01 +0000
4Subject: [PATCH] merge revision(s) 58323,58324:
5
6 Merge json-2.0.4.
7
8 * https://github.com/flori/json/releases/tag/v2.0.4
9 * https://github.com/flori/json/blob/09fabeb03e73ed88dc8ce8f19d76ac59e51dae20/CHANGES.md#2017-03-23-204
10 Use `assert_raise` instead of `assert_raises`.
11
12git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@58445 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
13
14Upstream-Status: Backport
15CVE: CVE-2017-14064
16
17Signed-off-by: Armin Kuster <akuster@mvisa.com>
18
19---
20 ext/json/fbuffer/fbuffer.h | 3 ---
21 ext/json/generator/generator.c | 12 +++++-----
22 ext/json/generator/generator.h | 1 -
23 ext/json/json.gemspec | Bin 5473 -> 5474 bytes
24 ext/json/lib/json/version.rb | 2 +-
25 ext/json/parser/parser.c | 48 +++++++++++++++++++++++----------------
26 ext/json/parser/parser.rl | 14 +++++++++---
27 test/json/json_encoding_test.rb | 2 ++
28 test/json/json_generator_test.rb | 0
29 version.h | 2 +-
30 10 files changed, 49 insertions(+), 35 deletions(-)
31 mode change 100755 => 100644 test/json/json_generator_test.rb
32
33Index: ruby-2.4.0/ext/json/fbuffer/fbuffer.h
34===================================================================
35--- ruby-2.4.0.orig/ext/json/fbuffer/fbuffer.h
36+++ ruby-2.4.0/ext/json/fbuffer/fbuffer.h
37@@ -12,9 +12,6 @@
38 #define RFLOAT_VALUE(val) (RFLOAT(val)->value)
39 #endif
40
41-#ifndef RARRAY_PTR
42-#define RARRAY_PTR(ARRAY) RARRAY(ARRAY)->ptr
43-#endif
44 #ifndef RARRAY_LEN
45 #define RARRAY_LEN(ARRAY) RARRAY(ARRAY)->len
46 #endif
47Index: ruby-2.4.0/ext/json/generator/generator.c
48===================================================================
49--- ruby-2.4.0.orig/ext/json/generator/generator.c
50+++ ruby-2.4.0/ext/json/generator/generator.c
51@@ -308,7 +308,7 @@ static char *fstrndup(const char *ptr, u
52 char *result;
53 if (len <= 0) return NULL;
54 result = ALLOC_N(char, len);
55- memccpy(result, ptr, 0, len);
56+ memcpy(result, ptr, len);
57 return result;
58 }
59
60@@ -1062,7 +1062,7 @@ static VALUE cState_indent_set(VALUE sel
61 }
62 } else {
63 if (state->indent) ruby_xfree(state->indent);
64- state->indent = strdup(RSTRING_PTR(indent));
65+ state->indent = fstrndup(RSTRING_PTR(indent), len);
66 state->indent_len = len;
67 }
68 return Qnil;
69@@ -1100,7 +1100,7 @@ static VALUE cState_space_set(VALUE self
70 }
71 } else {
72 if (state->space) ruby_xfree(state->space);
73- state->space = strdup(RSTRING_PTR(space));
74+ state->space = fstrndup(RSTRING_PTR(space), len);
75 state->space_len = len;
76 }
77 return Qnil;
78@@ -1136,7 +1136,7 @@ static VALUE cState_space_before_set(VAL
79 }
80 } else {
81 if (state->space_before) ruby_xfree(state->space_before);
82- state->space_before = strdup(RSTRING_PTR(space_before));
83+ state->space_before = fstrndup(RSTRING_PTR(space_before), len);
84 state->space_before_len = len;
85 }
86 return Qnil;
87@@ -1173,7 +1173,7 @@ static VALUE cState_object_nl_set(VALUE
88 }
89 } else {
90 if (state->object_nl) ruby_xfree(state->object_nl);
91- state->object_nl = strdup(RSTRING_PTR(object_nl));
92+ state->object_nl = fstrndup(RSTRING_PTR(object_nl), len);
93 state->object_nl_len = len;
94 }
95 return Qnil;
96@@ -1208,7 +1208,7 @@ static VALUE cState_array_nl_set(VALUE s
97 }
98 } else {
99 if (state->array_nl) ruby_xfree(state->array_nl);
100- state->array_nl = strdup(RSTRING_PTR(array_nl));
101+ state->array_nl = fstrndup(RSTRING_PTR(array_nl), len);
102 state->array_nl_len = len;
103 }
104 return Qnil;
105Index: ruby-2.4.0/ext/json/generator/generator.h
106===================================================================
107--- ruby-2.4.0.orig/ext/json/generator/generator.h
108+++ ruby-2.4.0/ext/json/generator/generator.h
109@@ -1,7 +1,6 @@
110 #ifndef _GENERATOR_H_
111 #define _GENERATOR_H_
112
113-#include <string.h>
114 #include <math.h>
115 #include <ctype.h>
116
117Index: ruby-2.4.0/ext/json/lib/json/version.rb
118===================================================================
119--- ruby-2.4.0.orig/ext/json/lib/json/version.rb
120+++ ruby-2.4.0/ext/json/lib/json/version.rb
121@@ -1,7 +1,7 @@
122 # frozen_string_literal: false
123 module JSON
124 # JSON version
125- VERSION = '2.0.2'
126+ VERSION = '2.0.4'
127 VERSION_ARRAY = VERSION.split(/\./).map { |x| x.to_i } # :nodoc:
128 VERSION_MAJOR = VERSION_ARRAY[0] # :nodoc:
129 VERSION_MINOR = VERSION_ARRAY[1] # :nodoc:
130Index: ruby-2.4.0/ext/json/parser/parser.c
131===================================================================
132--- ruby-2.4.0.orig/ext/json/parser/parser.c
133+++ ruby-2.4.0/ext/json/parser/parser.c
134@@ -1435,13 +1435,21 @@ static VALUE json_string_unescape(VALUE
135 break;
136 case 'u':
137 if (pe > stringEnd - 4) {
138- return Qnil;
139+ rb_enc_raise(
140+ EXC_ENCODING eParserError,
141+ "%u: incomplete unicode character escape sequence at '%s'", __LINE__, p
142+ );
143 } else {
144 UTF32 ch = unescape_unicode((unsigned char *) ++pe);
145 pe += 3;
146 if (UNI_SUR_HIGH_START == (ch & 0xFC00)) {
147 pe++;
148- if (pe > stringEnd - 6) return Qnil;
149+ if (pe > stringEnd - 6) {
150+ rb_enc_raise(
151+ EXC_ENCODING eParserError,
152+ "%u: incomplete surrogate pair at '%s'", __LINE__, p
153+ );
154+ }
155 if (pe[0] == '\\' && pe[1] == 'u') {
156 UTF32 sur = unescape_unicode((unsigned char *) pe + 2);
157 ch = (((ch & 0x3F) << 10) | ((((ch >> 6) & 0xF) + 1) << 16)
158@@ -1471,7 +1479,7 @@ static VALUE json_string_unescape(VALUE
159 }
160
161
162-#line 1475 "parser.c"
163+#line 1483 "parser.c"
164 enum {JSON_string_start = 1};
165 enum {JSON_string_first_final = 8};
166 enum {JSON_string_error = 0};
167@@ -1479,7 +1487,7 @@ enum {JSON_string_error = 0};
168 enum {JSON_string_en_main = 1};
169
170
171-#line 504 "parser.rl"
172+#line 512 "parser.rl"
173
174
175 static int
176@@ -1501,15 +1509,15 @@ static char *JSON_parse_string(JSON_Pars
177
178 *result = rb_str_buf_new(0);
179
180-#line 1505 "parser.c"
181+#line 1513 "parser.c"
182 {
183 cs = JSON_string_start;
184 }
185
186-#line 525 "parser.rl"
187+#line 533 "parser.rl"
188 json->memo = p;
189
190-#line 1513 "parser.c"
191+#line 1521 "parser.c"
192 {
193 if ( p == pe )
194 goto _test_eof;
195@@ -1534,7 +1542,7 @@ case 2:
196 goto st0;
197 goto st2;
198 tr2:
199-#line 490 "parser.rl"
200+#line 498 "parser.rl"
201 {
202 *result = json_string_unescape(*result, json->memo + 1, p);
203 if (NIL_P(*result)) {
204@@ -1545,14 +1553,14 @@ tr2:
205 {p = (( p + 1))-1;}
206 }
207 }
208-#line 501 "parser.rl"
209+#line 509 "parser.rl"
210 { p--; {p++; cs = 8; goto _out;} }
211 goto st8;
212 st8:
213 if ( ++p == pe )
214 goto _test_eof8;
215 case 8:
216-#line 1556 "parser.c"
217+#line 1564 "parser.c"
218 goto st0;
219 st3:
220 if ( ++p == pe )
221@@ -1628,7 +1636,7 @@ case 7:
222 _out: {}
223 }
224
225-#line 527 "parser.rl"
226+#line 535 "parser.rl"
227
228 if (json->create_additions && RTEST(match_string = json->match_string)) {
229 VALUE klass;
230@@ -1675,7 +1683,7 @@ static VALUE convert_encoding(VALUE sour
231 }
232 FORCE_UTF8(source);
233 } else {
234- source = rb_str_conv_enc(source, NULL, rb_utf8_encoding());
235+ source = rb_str_conv_enc(source, rb_enc_get(source), rb_utf8_encoding());
236 }
237 #endif
238 return source;
239@@ -1808,7 +1816,7 @@ static VALUE cParser_initialize(int argc
240 }
241
242
243-#line 1812 "parser.c"
244+#line 1820 "parser.c"
245 enum {JSON_start = 1};
246 enum {JSON_first_final = 10};
247 enum {JSON_error = 0};
248@@ -1816,7 +1824,7 @@ enum {JSON_error = 0};
249 enum {JSON_en_main = 1};
250
251
252-#line 720 "parser.rl"
253+#line 728 "parser.rl"
254
255
256 /*
257@@ -1833,16 +1841,16 @@ static VALUE cParser_parse(VALUE self)
258 GET_PARSER;
259
260
261-#line 1837 "parser.c"
262+#line 1845 "parser.c"
263 {
264 cs = JSON_start;
265 }
266
267-#line 736 "parser.rl"
268+#line 744 "parser.rl"
269 p = json->source;
270 pe = p + json->len;
271
272-#line 1846 "parser.c"
273+#line 1854 "parser.c"
274 {
275 if ( p == pe )
276 goto _test_eof;
277@@ -1876,7 +1884,7 @@ st0:
278 cs = 0;
279 goto _out;
280 tr2:
281-#line 712 "parser.rl"
282+#line 720 "parser.rl"
283 {
284 char *np = JSON_parse_value(json, p, pe, &result, 0);
285 if (np == NULL) { p--; {p++; cs = 10; goto _out;} } else {p = (( np))-1;}
286@@ -1886,7 +1894,7 @@ st10:
287 if ( ++p == pe )
288 goto _test_eof10;
289 case 10:
290-#line 1890 "parser.c"
291+#line 1898 "parser.c"
292 switch( (*p) ) {
293 case 13: goto st10;
294 case 32: goto st10;
295@@ -1975,7 +1983,7 @@ case 9:
296 _out: {}
297 }
298
299-#line 739 "parser.rl"
300+#line 747 "parser.rl"
301
302 if (cs >= JSON_first_final && p == pe) {
303 return result;
304Index: ruby-2.4.0/ext/json/parser/parser.rl
305===================================================================
306--- ruby-2.4.0.orig/ext/json/parser/parser.rl
307+++ ruby-2.4.0/ext/json/parser/parser.rl
308@@ -446,13 +446,21 @@ static VALUE json_string_unescape(VALUE
309 break;
310 case 'u':
311 if (pe > stringEnd - 4) {
312- return Qnil;
313+ rb_enc_raise(
314+ EXC_ENCODING eParserError,
315+ "%u: incomplete unicode character escape sequence at '%s'", __LINE__, p
316+ );
317 } else {
318 UTF32 ch = unescape_unicode((unsigned char *) ++pe);
319 pe += 3;
320 if (UNI_SUR_HIGH_START == (ch & 0xFC00)) {
321 pe++;
322- if (pe > stringEnd - 6) return Qnil;
323+ if (pe > stringEnd - 6) {
324+ rb_enc_raise(
325+ EXC_ENCODING eParserError,
326+ "%u: incomplete surrogate pair at '%s'", __LINE__, p
327+ );
328+ }
329 if (pe[0] == '\\' && pe[1] == 'u') {
330 UTF32 sur = unescape_unicode((unsigned char *) pe + 2);
331 ch = (((ch & 0x3F) << 10) | ((((ch >> 6) & 0xF) + 1) << 16)
332@@ -570,7 +578,7 @@ static VALUE convert_encoding(VALUE sour
333 }
334 FORCE_UTF8(source);
335 } else {
336- source = rb_str_conv_enc(source, NULL, rb_utf8_encoding());
337+ source = rb_str_conv_enc(source, rb_enc_get(source), rb_utf8_encoding());
338 }
339 #endif
340 return source;
341Index: ruby-2.4.0/test/json/json_encoding_test.rb
342===================================================================
343--- ruby-2.4.0.orig/test/json/json_encoding_test.rb
344+++ ruby-2.4.0/test/json/json_encoding_test.rb
345@@ -79,6 +79,8 @@ class JSONEncodingTest < Test::Unit::Tes
346 json = '["\ud840\udc01"]'
347 assert_equal json, generate(utf8, :ascii_only => true)
348 assert_equal utf8, parse(json)
349+ assert_raise(JSON::ParserError) { parse('"\u"') }
350+ assert_raise(JSON::ParserError) { parse('"\ud800"') }
351 end
352
353 def test_chars
diff --git a/meta/recipes-devtools/ruby/ruby_2.4.0.bb b/meta/recipes-devtools/ruby/ruby_2.4.3.bb
index b08837cfe8..668bc96901 100644
--- a/meta/recipes-devtools/ruby/ruby_2.4.0.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.4.3.bb
@@ -6,11 +6,10 @@ SRC_URI += " \
6 file://ruby-CVE-2017-9227.patch \ 6 file://ruby-CVE-2017-9227.patch \
7 file://ruby-CVE-2017-9228.patch \ 7 file://ruby-CVE-2017-9228.patch \
8 file://ruby-CVE-2017-9229.patch \ 8 file://ruby-CVE-2017-9229.patch \
9 file://CVE-2017-14064.patch \
10 " 9 "
11 10
12SRC_URI[md5sum] = "7e9485dcdb86ff52662728de2003e625" 11SRC_URI[md5sum] = "a00e0d49b454f4c0e528e7852d642925"
13SRC_URI[sha256sum] = "152fd0bd15a90b4a18213448f485d4b53e9f7662e1508190aa5b702446b29e3d" 12SRC_URI[sha256sum] = "fd0375582c92045aa7d31854e724471fb469e11a4b08ff334d39052ccaaa3a98"
14 13
15# it's unknown to configure script, but then passed to extconf.rb 14# it's unknown to configure script, but then passed to extconf.rb
16# maybe it's not really needed as we're hardcoding the result with 15# maybe it's not really needed as we're hardcoding the result with
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-03-20 17:35:48 +0000