fix CVE-2023-36617

(cherry picked from commit 9a7fa721d0f8fa346057b4ce22b115124a751cee)
2023-07-08 12:06:52 +08:00 · 2023-07-08 12:06:52 +08:00 · ed91f1161d
commit ed91f1161d
parent 3646425b75
2 changed files with 49 additions and 1 deletions
--- a/backport-CVE-2023-36617.patch
+++ b/backport-CVE-2023-36617.patch
@ -0,0 +1,44 @@
+From 616926b55e306a0704254a7ddfd6e9834d06c7f2 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Thu, 29 Jun 2023 22:25:17 +0900
+Subject: [PATCH] CVE-2023-36617 for Ruby 3.0 (#7997)
+
+* Merge URI-0.10.3
+
+* Merge URI-0.10.0.3 for Bundler
+---
+ lib/uri/rfc2396_parser.rb |  4 ++--
+ lib/uri/rfc3986_parser.rb |  2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb
+index b9e7b2b..c7c3ecd 100644
+--- a/lib/uri/rfc2396_parser.rb
+++ b/lib/uri/rfc2396_parser.rb
+@@ -502,8 +502,8 @@ module URI
+       ret = {}
+ 
+       # for URI::split
+-      ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+-      ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+      ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+      ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ 
+       # for URI::extract
+       ret[:URI_REF]     = Regexp.new(pattern[:URI_REF])
+diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb
+index ad32368..1accd03 100644
+--- a/lib/uri/rfc3986_parser.rb
+++ b/lib/uri/rfc3986_parser.rb
+@@ -106,7 +106,7 @@ module URI
+         QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         OPAQUE: /\A(?:[^\/].*)?\z/,
+-        PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
+        PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
+       }
+     end
+ 
+-- 
+2.27.0
+
--- a/ruby.spec
+++ b/ruby.spec
@ -1,6 +1,6 @@
 Name:      ruby
 Version:   2.5.8
-Release:   119
+Release:   120
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/
@ -55,6 +55,7 @@ Patch6011: backport-Loosen-the-domain-regex-to-accept-.-29.patch
 Patch6012: backport-CVE-2023-28755.patch
 Patch6013: backport-0001-CVE-2023-28756.patch
 Patch6014: backport-0002-CVE-2023-28756.patch
+Patch6015: backport-CVE-2023-36617.patch

 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@ -592,6 +593,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.*

 %changelog
+* Sat Jul 08 2023 shixuantong <shixuantong1@huawei.com> - 2.5.8-120
+- fix CVE-2023-36617
+
 * Wed Apr 12 2023 shixuantong <shixuantong1@huawei.com> - 2.5.8-119
 - fix CVE-2023-28755 CVE-2023-28756