diff --git a/backport-0001-CVE-2023-28756.patch b/backport-0001-CVE-2023-28756.patch new file mode 100644 index 0000000000000000000000000000000000000000..0c8ba5ec86403f08ab8ae467f6333471095e8efc --- /dev/null +++ b/backport-0001-CVE-2023-28756.patch @@ -0,0 +1,28 @@ +From b57db51f577875d3e896dcd2ef1dcaf97f23e943 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Tue, 29 Nov 2022 16:22:15 +0900 +Subject: [PATCH] Fix quadratic backtracking on invalid time + +https://hackerone.com/reports/1485501 +--- + lib/time.rb | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/time.rb b/lib/time.rb +index 43c4d80..2c85f94 100644 +--- a/lib/time.rb ++++ b/lib/time.rb +@@ -509,8 +509,8 @@ class Time + (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+ + (\d{2,})\s+ + (\d{2})\s* +- :\s*(\d{2})\s* +- (?::\s*(\d{2}))?\s+ ++ :\s*(\d{2}) ++ (?:\s*:\s*(\d{2}))?\s+ + ([+-]\d{4}| + UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date + # Since RFC 2822 permit comments, the regexp has no right anchor. +-- +2.33.0 + diff --git a/backport-0002-CVE-2023-28756.patch b/backport-0002-CVE-2023-28756.patch new file mode 100644 index 0000000000000000000000000000000000000000..3fdeb3f5875eb41f854b8bddb826404f3363d808 --- /dev/null +++ b/backport-0002-CVE-2023-28756.patch @@ -0,0 +1,26 @@ +From 3dce6f73d14f5fad6d9b302393fd02df48797b11 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Fri, 30 Dec 2022 14:32:05 +0900 +Subject: [PATCH] Make RFC2822 regexp linear + +https://hackerone.com/reports/1485501 +--- + lib/time.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/time.rb b/lib/time.rb +index 2c85f94..6a13212 100644 +--- a/lib/time.rb ++++ b/lib/time.rb +@@ -510,7 +510,7 @@ class Time + (\d{2,})\s+ + (\d{2})\s* + :\s*(\d{2}) +- (?:\s*:\s*(\d{2}))?\s+ ++ (?:\s*:\s*(\d\d))?\s+ + ([+-]\d{4}| + UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date + # Since RFC 2822 permit comments, the regexp has no right anchor. +-- +2.33.0 + diff --git a/backport-CVE-2023-28755.patch b/backport-CVE-2023-28755.patch new file mode 100644 index 0000000000000000000000000000000000000000..1fdfe7fb537b93409172de41d33a450ef4634e78 --- /dev/null +++ b/backport-CVE-2023-28755.patch @@ -0,0 +1,28 @@ +From eaf89cc31619d49e67c64d0b58ea9dc38892d175 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Mon, 10 Jan 2022 01:12:57 +0900 +Subject: [PATCH] Fix quadratic backtracking on invalid URI + +https://hackerone.com/reports/1444501 +--- + lib/uri/rfc3986_parser.rb | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index 3e07de4..3c89311 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -3,8 +3,8 @@ module URI + class RFC3986_Parser # :nodoc: + # URI defined in RFC3986 + # this regexp is modified not to host is not empty string +- RFC3986_URI = /\A(?(?[A-Za-z][+\-.0-9A-Za-z]*):(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?\g(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ +- RFC3986_relative_ref = /\A(?(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?(?(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ ++ RFC3986_URI = /\A(?(?[A-Za-z][+\-.0-9A-Za-z]*+):(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])*+))(?::(?\d*+))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g)*+)?)|(?\g(?:\/\g)*+)|(?))(?:\?(?[^#]*+))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ ++ RFC3986_relative_ref = /\A(?(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?\d*+))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g)*+)?)|(?(?(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g)*+)|(?))(?:\?(?[^#]*+))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ + attr_reader :regexp + + def initialize +-- +2.39.1 + diff --git a/ruby.spec b/ruby.spec index 7e88c752c06c90090d9f617a65813304b94c368f..1e1c7d030e670a7b0c52433f1339fef8a1bbb856 100644 --- a/ruby.spec +++ b/ruby.spec @@ -30,7 +30,7 @@ Name: ruby Version: %{ruby_version} -Release: 133 +Release: 134 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/en/ @@ -89,6 +89,9 @@ Patch6008: backport-Fix-test_cgi_cookie_new_with_domain-to-pass-on-older.patch Patch6009: backport-Loosen-the-domain-regex-to-accept-.-29.patch Patch6010: backport-irb-Drop-hard-dependency-on-RDoc.patch Patch6011: backport-Make-io-console-size-as-optional-dependency.patch +Patch6012: backport-CVE-2023-28755.patch +Patch6013: backport-0001-CVE-2023-28756.patch +Patch6014: backport-0002-CVE-2023-28756.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -885,6 +888,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %{gem_dir}/specifications/matrix-%{matrix_version}.gemspec %changelog +* Wed Apr 12 2023 shixuantong - 3.1.3-134 +- fix CVE-2023-28755 CVE-2023-28756 + * Mon Mar 20 2023 shixuantong - 3.1.3-133 - Make 'io/console/size' as optional dependency