ruby: fix CVE-2017-922{6-9}
CVE-2017-9226 : check too big code point value for single byte CVE-2017-9227 : access to invalid address by reg->dmin value CVE-2017-9228 : invalid state(CCS_VALUE) in parse_char_class() CVE-2017-9229 : access to invalid address by reg->dmax value (From OE-Core rev: f15f01edbaa431829a50053d07ed6d6b333584c7) (From OE-Core rev: 4077e088b6e750c4143a59c5d89258ab682ed96b) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
62e244d713
commit
c63480c960
|
@ -0,0 +1,41 @@
|
|||
From b4bf968ad52afe14e60a2dc8a95d3555c543353a Mon Sep 17 00:00:00 2001
|
||||
From: "K.Kosako" <kosako@sofnec.co.jp>
|
||||
Date: Thu, 18 May 2017 17:05:27 +0900
|
||||
Subject: [PATCH] fix #55 : check too big code point value for single byte
|
||||
value in next_state_val()
|
||||
|
||||
---
|
||||
regparse.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- end of original header
|
||||
|
||||
CVE: CVE-2017-9226
|
||||
|
||||
Add check for octal number bigger than 255.
|
||||
|
||||
Upstream-Status: Pending
|
||||
Signed-off-by: Joe Slater <joe.slater@windriver.com>
|
||||
|
||||
|
||||
--- ruby-2.4.1.orig/regparse.c
|
||||
+++ ruby-2.4.1/regparse.c
|
||||
@@ -3644,7 +3644,7 @@ fetch_token(OnigToken* tok, UChar** src,
|
||||
if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
|
||||
prev = p;
|
||||
num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
|
||||
- if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
|
||||
+ if (num < 0 || 0xff < num) return ONIGERR_TOO_BIG_NUMBER;
|
||||
if (p == prev) { /* can't read nothing. */
|
||||
num = 0; /* but, it's not error */
|
||||
}
|
||||
@@ -4450,6 +4450,9 @@ next_state_val(CClassNode* cc, CClassNod
|
||||
switch (*state) {
|
||||
case CCS_VALUE:
|
||||
if (*type == CCV_SB) {
|
||||
+ if (*vs > 0xff)
|
||||
+ return ONIGERR_INVALID_CODE_POINT_VALUE;
|
||||
+
|
||||
BITSET_SET_BIT_CHKDUP(cc->bs, (int )(*vs));
|
||||
if (IS_NOT_NULL(asc_cc))
|
||||
BITSET_SET_BIT(asc_cc->bs, (int )(*vs));
|
|
@ -0,0 +1,32 @@
|
|||
From 9690d3ab1f9bcd2db8cbe1fe3ee4a5da606b8814 Mon Sep 17 00:00:00 2001
|
||||
From: "K.Kosako" <kosako@sofnec.co.jp>
|
||||
Date: Tue, 23 May 2017 16:15:35 +0900
|
||||
Subject: [PATCH] fix #58 : access to invalid address by reg->dmin value
|
||||
|
||||
---
|
||||
regexec.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
--- end of original header
|
||||
|
||||
CVE: CVE-2017-9227
|
||||
|
||||
Upstream-Status: Inappropriate [not author]
|
||||
Signed-off-by: Joe Slater <joe.slater@windriver.com>
|
||||
|
||||
diff --git a/regexec.c b/regexec.c
|
||||
index d4e577d..2fa0f3d 100644
|
||||
--- a/regexec.c
|
||||
+++ b/regexec.c
|
||||
@@ -3154,6 +3154,8 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s,
|
||||
}
|
||||
else {
|
||||
UChar *q = p + reg->dmin;
|
||||
+
|
||||
+ if (q >= end) return 0; /* fail */
|
||||
while (p < q) p += enclen(reg->enc, p, end);
|
||||
}
|
||||
}
|
||||
--
|
||||
1.7.9.5
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From 3b63d12038c8d8fc278e81c942fa9bec7c704c8b Mon Sep 17 00:00:00 2001
|
||||
From: "K.Kosako" <kosako@sofnec.co.jp>
|
||||
Date: Wed, 24 May 2017 13:43:25 +0900
|
||||
Subject: [PATCH] fix #60 : invalid state(CCS_VALUE) in parse_char_class()
|
||||
|
||||
---
|
||||
regparse.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
--- end of original header
|
||||
|
||||
CVE: CVE-2017-9228
|
||||
|
||||
Upstream-Status: Inappropriate [not author]
|
||||
Signed-off-by: Joe Slater <joe.slater@windriver.com>
|
||||
|
||||
diff --git a/regparse.c b/regparse.c
|
||||
index 69875fa..1988747 100644
|
||||
--- a/regparse.c
|
||||
+++ b/regparse.c
|
||||
@@ -4081,7 +4081,9 @@ next_state_class(CClassNode* cc, OnigCodePoint* vs, enum CCVALTYPE* type,
|
||||
}
|
||||
}
|
||||
|
||||
- *state = CCS_VALUE;
|
||||
+ if (*state != CCS_START)
|
||||
+ *state = CCS_VALUE;
|
||||
+
|
||||
*type = CCV_CLASS;
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
1.7.9.5
|
||||
|
|
@ -0,0 +1,59 @@
|
|||
From b690371bbf97794b4a1d3f295d4fb9a8b05d402d Mon Sep 17 00:00:00 2001
|
||||
From: "K.Kosako" <kosako@sofnec.co.jp>
|
||||
Date: Wed, 24 May 2017 10:27:04 +0900
|
||||
Subject: [PATCH] fix #59 : access to invalid address by reg->dmax value
|
||||
|
||||
---
|
||||
regexec.c | 27 +++++++++++++++++----------
|
||||
1 file changed, 17 insertions(+), 10 deletions(-)
|
||||
|
||||
--- end of original header
|
||||
|
||||
CVE: CVE-2017-9229
|
||||
|
||||
Upstream-Status: Inappropriate [not author]
|
||||
Signed-off-by: Joe Slater <joe.slater@windriver.com>
|
||||
|
||||
diff --git a/regexec.c b/regexec.c
|
||||
index 49bcc50..c0626ef 100644
|
||||
--- a/regexec.c
|
||||
+++ b/regexec.c
|
||||
@@ -3756,18 +3756,25 @@ forward_search_range(regex_t* reg, const
|
||||
}
|
||||
else {
|
||||
if (reg->dmax != ONIG_INFINITE_DISTANCE) {
|
||||
- *low = p - reg->dmax;
|
||||
- if (*low > s) {
|
||||
- *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
|
||||
- *low, end, (const UChar** )low_prev);
|
||||
- if (low_prev && IS_NULL(*low_prev))
|
||||
- *low_prev = onigenc_get_prev_char_head(reg->enc,
|
||||
- (pprev ? pprev : s), *low, end);
|
||||
+ if (p - str < reg->dmax) {
|
||||
+ *low = (UChar* )str;
|
||||
+ if (low_prev)
|
||||
+ *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low, end);
|
||||
}
|
||||
else {
|
||||
- if (low_prev)
|
||||
- *low_prev = onigenc_get_prev_char_head(reg->enc,
|
||||
- (pprev ? pprev : str), *low, end);
|
||||
+ *low = p - reg->dmax;
|
||||
+ if (*low > s) {
|
||||
+ *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
|
||||
+ *low, end, (const UChar** )low_prev);
|
||||
+ if (low_prev && IS_NULL(*low_prev))
|
||||
+ *low_prev = onigenc_get_prev_char_head(reg->enc,
|
||||
+ (pprev ? pprev : s), *low, end);
|
||||
+ }
|
||||
+ else {
|
||||
+ if (low_prev)
|
||||
+ *low_prev = onigenc_get_prev_char_head(reg->enc,
|
||||
+ (pprev ? pprev : str), *low, end);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
--
|
||||
1.7.9.5
|
||||
|
|
@ -2,6 +2,10 @@ require ruby.inc
|
|||
|
||||
SRC_URI += " \
|
||||
file://ruby-CVE-2017-9224.patch \
|
||||
file://ruby-CVE-2017-9226.patch \
|
||||
file://ruby-CVE-2017-9227.patch \
|
||||
file://ruby-CVE-2017-9228.patch \
|
||||
file://ruby-CVE-2017-9229.patch \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "7e9485dcdb86ff52662728de2003e625"
|
||||
|
|
Loading…
Reference in New Issue