!146 [sync] PR-139: fix CVE-2024-27280

From: @openeuler-sync-bot Reviewed-by: @shinwell_hu Signed-off-by: @shinwell_hu
2024-04-01 02:34:35 +00:00 · 2024-04-01 02:34:35 +00:00 · ae7ba67453
commit ae7ba67453
parent 97800e5342 dccf488ae3
2 changed files with 90 additions and 1 deletions
--- a/backport-CVE-2024-27280.patch
+++ b/backport-CVE-2024-27280.patch
@ -0,0 +1,85 @@
 From a35268a3ac1b5f0058e5b7c1a041a7e86d9da067 Mon Sep 17 00:00:00 2001
 From: Nobuyoshi Nakada <nobu@ruby-lang.org>
 Date: Tue, 16 Nov 2021 17:39:32 +0900
 Subject: [PATCH] Fix expanding size at ungetc/ungetbyte
 Reference:https://github.com/ruby/stringio/commit/a35268a3ac1b5f0058e5b7c1a041a7e86d9da067
 ---
 ext/stringio/stringio.c        |  2 +-
 test/stringio/test_stringio.rb | 25 +++++++++++++++++++++----
 2 files changed, 22 insertions(+), 5 deletions(-)
 diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
 index c9ca3e0..cb8b370 100644
 --- a/ext/stringio/stringio.c
 +++ b/ext/stringio/stringio.c
@@ -833,7 +833,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl)
     len = RSTRING_LEN(str);
     rest = pos - len;
     if (cl > pos) {
 -	long ex = (rest < 0 ? cl-pos : cl+rest);
 +	long ex = cl - (rest < 0 ? pos : len);
 	rb_str_modify_expand(str, ex);
 	rb_str_set_len(str, len + ex);
 	s = RSTRING_PTR(str);
 diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
 index f5169f6..486d464 100644
 --- a/test/stringio/test_stringio.rb
 +++ b/test/stringio/test_stringio.rb
@@ -693,6 +693,15 @@ class TestStringIO < Test::Unit::TestCase
     assert_equal("b""\0""a", s.string)
   end
 +  def test_ungetc_fill
 +    count = 100
 +    s = StringIO.new
 +    s.print 'a' * count
 +    s.ungetc('b' * (count * 5))
 +    assert_equal((count * 5), s.string.size)
 +    assert_match(/\Ab+\z/, s.string)
 +  end
 +
   def test_ungetbyte_pos
     b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011'
     s = StringIO.new( b )
@@ -718,6 +727,15 @@ class TestStringIO < Test::Unit::TestCase
     assert_equal("b""\0""a", s.string)
   end
 +  def test_ungetbyte_fill
 +    count = 100
 +    s = StringIO.new
 +    s.print 'a' * count
 +    s.ungetbyte('b' * (count * 5))
 +    assert_equal((count * 5), s.string.size)
 +    assert_match(/\Ab+\z/, s.string)
 +  end
 +
   def test_frozen
     s = StringIO.new
     s.freeze
@@ -760,18 +778,17 @@ class TestStringIO < Test::Unit::TestCase
   end
   def test_overflow
 -    skip if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
 +    return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
     limit = (1 << (RbConfig::SIZEOF["void*"]*8-1)) - 0x10
     assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
     begin;
       limit = #{limit}
       ary = []
 -      while true
 +      begin
         x = "a"*0x100000
         break if [x].pack("p").unpack("i!")[0] < 0
         ary << x
 -        skip if ary.size > 100
 -      end
 +      end while ary.size <= 100
       s = StringIO.new(x)
       s.gets("xxx", limit)
       assert_equal(0x100000, s.pos)
 -- 
 2.27.0
--- a/ruby.spec
+++ b/ruby.spec
@ -1,6 +1,6 @@
 Name:      ruby
 Version:   2.5.8
-Release:   120
+Release:   121
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/
@ -56,6 +56,7 @@ Patch6012: backport-CVE-2023-28755.patch
 Patch6013: backport-0001-CVE-2023-28756.patch
 Patch6014: backport-0002-CVE-2023-28756.patch
 Patch6015: backport-CVE-2023-36617.patch
 Patch6016: backport-CVE-2024-27280.patch
 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@ -593,6 +594,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.*
 %changelog
 * Tue Mar 26 2024 shixuantong <shixuantong1@huawei.com> - 2.5.8-121
 - fix CVE-2024-27280
 * Sat Jul 08 2023 shixuantong <shixuantong1@huawei.com> - 2.5.8-120
 - fix CVE-2023-36617