From feeb7af7b507c7a3858c8b0fed2614ace8b613d4 Mon Sep 17 00:00:00 2001 From: shixuantong Date: Sat, 8 Jul 2023 11:36:42 +0800 Subject: [PATCH] fix CVE-2023-36617 (cherry picked from commit 4be3377293b3919f5f1d048dd65f61292be05407) --- backport-CVE-2023-36617.patch | 106 ++++++++++++++++++++++++++++++++++ ruby.spec | 6 +- 2 files changed, 111 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-36617.patch diff --git a/backport-CVE-2023-36617.patch b/backport-CVE-2023-36617.patch new file mode 100644 index 0000000..91bd396 --- /dev/null +++ b/backport-CVE-2023-36617.patch @@ -0,0 +1,106 @@ +From 616926b55e306a0704254a7ddfd6e9834d06c7f2 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Thu, 29 Jun 2023 22:25:17 +0900 +Subject: [PATCH] CVE-2023-36617 for Ruby 3.0 (#7997) + +* Merge URI-0.10.3 + +* Merge URI-0.10.0.3 for Bundler +--- + .../vendor/uri/lib/uri/rfc2396_parser.rb | 4 ++-- + .../vendor/uri/lib/uri/rfc3986_parser.rb | 2 +- + lib/uri/rfc2396_parser.rb | 4 ++-- + lib/uri/rfc3986_parser.rb | 2 +- + test/uri/test_parser.rb | 22 +++++++++++++++++++ + 5 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb +index a0d62ed..7634e16 100644 +--- a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb ++++ b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb +@@ -504,8 +504,8 @@ module Bundler::URI + ret = {} + + # for Bundler::URI::split +- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) +- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) + + # for Bundler::URI::extract + ret[:URI_REF] = Regexp.new(pattern[:URI_REF]) +diff --git a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb +index 07ef439..34093df 100644 +--- a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb ++++ b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb +@@ -106,7 +106,7 @@ module Bundler::URI + QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + OPAQUE: /\A(?:[^\/].*)?\z/, +- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/, ++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/, + } + end + +diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb +index c719aa0..253c54b 100644 +--- a/lib/uri/rfc2396_parser.rb ++++ b/lib/uri/rfc2396_parser.rb +@@ -491,8 +491,8 @@ module URI + ret = {} + + # for URI::split +- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) +- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) + + # for URI::extract + ret[:URI_REF] = Regexp.new(pattern[:URI_REF]) +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index 145d845..5a9e44e 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -95,7 +95,7 @@ module URI + QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + OPAQUE: /\A(?:[^\/].*)?\z/, +- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/, ++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/, + } + end + +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index 37e7107..e2f50cf 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -65,4 +65,26 @@ class URI::TestParser < Test::Unit::TestCase + assert_equal([nil, nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("//example.com")) + assert_equal([nil, nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("//[0::0]")) + end ++ ++ def test_rfc2822_parse_relative_uri ++ pre = ->(length) { ++ " " * length + "\0" ++ } ++ parser = URI::RFC2396_Parser.new ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri| ++ assert_raise(URI::InvalidURIError) do ++ parser.split(uri) ++ end ++ end ++ end ++ ++ def test_rfc3986_port_check ++ pre = ->(length) {"\t" * length + "a"} ++ uri = URI.parse("http://my.example.com") ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port| ++ assert_raise(URI::InvalidComponentError) do ++ uri.port = port ++ end ++ end ++ end + end +-- +2.27.0 + diff --git a/ruby.spec b/ruby.spec index 8b34fc6..3c7656d 100644 --- a/ruby.spec +++ b/ruby.spec @@ -33,7 +33,7 @@ Name: ruby Version: %{ruby_version} -Release: 130 +Release: 131 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/en/ @@ -187,6 +187,7 @@ Patch6015: backport-0002-CVE-2023-28755.patch Patch6016: backport-0001-CVE-2023-28756.patch Patch6017: backport-0002-CVE-2023-28756.patch Patch6018: backport-0003-CVE-2023-28756.patch +Patch6019: backport-CVE-2023-36617.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -1185,6 +1186,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed %changelog +* Sat Jul 08 2023 shixuantong - 3.0.3-131 +- fix CVE-2023-36617 + * Fri Jun 02 2023 shixuantong - 3.0.3-130 - remove rubygem-power_assert -- Gitee