From 9a876937dd56fcd833bb0ae0fa3b66091e5d3b2a Mon Sep 17 00:00:00 2001
From: shixuantong <shixuantong1@huawei.com>
Date: Tue, 26 Mar 2024 19:57:41 +0800
Subject: [PATCH] fix CVE-2024-27280 and CVE-2024-27281

(cherry picked from commit 652039bcc49ab28135864064961d308f9f8a7e63)
---
 backport-0001-CVE-2024-27281.patch | 97 ++++++++++++++++++++++++++++++
 backport-0002-CVE-2024-27281.patch | 66 ++++++++++++++++++++
 backport-0003-CVE-2024-27281.patch | 28 +++++++++
 backport-CVE-2024-27280.patch      | 86 ++++++++++++++++++++++++++
 ruby.spec                          |  9 ++-
 5 files changed, 285 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2024-27281.patch
 create mode 100644 backport-0002-CVE-2024-27281.patch
 create mode 100644 backport-0003-CVE-2024-27281.patch
 create mode 100644 backport-CVE-2024-27280.patch

diff --git a/backport-0001-CVE-2024-27281.patch b/backport-0001-CVE-2024-27281.patch
new file mode 100644
index 0000000..b8cf582
--- /dev/null
+++ b/backport-0001-CVE-2024-27281.patch
@@ -0,0 +1,97 @@
+From 32ff6ba0bebd8ea26f569da5fd23be2937f6a644 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Tue, 20 Feb 2024 17:30:25 +0900
+Subject: [PATCH] Filter marshaled objects
+
+Reference:https://github.com/ruby/rdoc/commit/32ff6ba0bebd8ea26f569da5fd23be2937f6a644
+Conflict:NA
+---
+ lib/rdoc/store.rb | 45 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
+index 5ba671c..5b663d7 100644
+--- a/lib/rdoc/store.rb
++++ b/lib/rdoc/store.rb
+@@ -556,9 +556,7 @@ class RDoc::Store
+   def load_cache
+     #orig_enc = @encoding
+ 
+-    File.open cache_path, 'rb' do |io|
+-      @cache = Marshal.load io.read
+-    end
++    @cache = marshal_load(cache_path)
+ 
+     load_enc = @cache[:encoding]
+ 
+@@ -615,9 +613,7 @@ class RDoc::Store
+   def load_class_data klass_name
+     file = class_file klass_name
+ 
+-    File.open file, 'rb' do |io|
+-      Marshal.load io.read
+-    end
++    marshal_load(file)
+   rescue Errno::ENOENT => e
+     error = MissingFileError.new(self, file, klass_name)
+     error.set_backtrace e.backtrace
+@@ -630,14 +626,10 @@ class RDoc::Store
+   def load_method klass_name, method_name
+     file = method_file klass_name, method_name
+ 
+-    File.open file, 'rb' do |io|
+-      obj = Marshal.load io.read
+-      obj.store = self
+-      obj.parent =
+-        find_class_or_module(klass_name) || load_class(klass_name) unless
+-          obj.parent
+-      obj
+-    end
++    obj = marshal_load(file)
++    obj.store = self
++    obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name)
++    obj
+   rescue Errno::ENOENT => e
+     error = MissingFileError.new(self, file, klass_name + method_name)
+     error.set_backtrace e.backtrace
+@@ -650,11 +642,9 @@ class RDoc::Store
+   def load_page page_name
+     file = page_file page_name
+ 
+-    File.open file, 'rb' do |io|
+-      obj = Marshal.load io.read
+-      obj.store = self
+-      obj
+-    end
++    obj = marshal_load(file)
++    obj.store = self
++    obj
+   rescue Errno::ENOENT => e
+     error = MissingFileError.new(self, file, page_name)
+     error.set_backtrace e.backtrace
+@@ -976,4 +966,21 @@ class RDoc::Store
+     @unique_modules
+   end
+ 
++  private
++  def marshal_load(file)
++    File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)}
++  end
++
++  MarshalFilter = proc do |obj|
++    case obj
++    when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
++    else
++      unless obj.class.name.start_with("RDoc::")
++        raise TypeError, "not permitted class: #{obj.class.name}"
++      end
++    end
++    obj
++  end
++  private_constant :MarshalFilter
++
+ end
+-- 
+2.33.0
+
+
diff --git a/backport-0002-CVE-2024-27281.patch b/backport-0002-CVE-2024-27281.patch
new file mode 100644
index 0000000..06bcfb9
--- /dev/null
+++ b/backport-0002-CVE-2024-27281.patch
@@ -0,0 +1,66 @@
+From 60a6d74ebdbb7d585e379526e5639932fdca2904 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Tue, 20 Feb 2024 17:59:57 +0900
+Subject: [PATCH] Use safe_load and safe_load_file for .rdoc_options
+
+Reference:https://github.com/ruby/rdoc/commit/60a6d74ebdbb7d585e379526e5639932fdca2904
+Conflict:NA
+---
+ lib/rdoc/rdoc.rb               | 5 +++--
+ test/rdoc/test_rdoc_options.rb | 6 +++---
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
+index 826451e..4da281b 100644
+--- a/lib/rdoc/rdoc.rb
++++ b/lib/rdoc/rdoc.rb
+@@ -162,11 +162,12 @@ class RDoc::RDoc
+     RDoc.load_yaml
+ 
+     begin
+-      options = YAML.load_file '.rdoc_options'
++      options = YAML.safe_load_file '.rdoc_options', permitted_classes: [RDoc::Options, Symbol]
+     rescue Psych::SyntaxError
++      raise RDoc::Error, "#{options_file} is not a valid rdoc options file"
+     end
+ 
+-    return RDoc::Options.new if options == false # Allow empty file.
++    return RDoc::Options.new unless options # Allow empty file.
+ 
+     raise RDoc::Error, "#{options_file} is not a valid rdoc options file" unless
+       RDoc::Options === options or Hash === options
+diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb
+index 8adeced..c28f64c 100644
+--- a/test/rdoc/test_rdoc_options.rb
++++ b/test/rdoc/test_rdoc_options.rb
+@@ -145,7 +145,7 @@ class TestRDocOptions < RDoc::TestCase
+ 
+     @options.encoding = Encoding::IBM437
+ 
+-    options = YAML.load YAML.dump @options
++    options = YAML.safe_load(YAML.dump(@options), permitted_classes: [RDoc::Options, Symbol])
+ 
+     assert_equal Encoding::IBM437, options.encoding
+   end
+@@ -161,7 +161,7 @@ rdoc_include:
+ - /etc
+     YAML
+ 
+-    options = YAML.load yaml
++    options = YAML.safe_load(yaml, permitted_classes: [RDoc::Options, Symbol])
+ 
+     assert_empty options.rdoc_include
+     assert_empty options.static_path
+@@ -764,7 +764,7 @@ rdoc_include:
+ 
+       assert File.exist? '.rdoc_options'
+ 
+-      assert_equal @options, YAML.load(File.read('.rdoc_options'))
++      assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol])
+     end
+   end
+ 
+-- 
+2.33.0
+
+
diff --git a/backport-0003-CVE-2024-27281.patch b/backport-0003-CVE-2024-27281.patch
new file mode 100644
index 0000000..bb65e5a
--- /dev/null
+++ b/backport-0003-CVE-2024-27281.patch
@@ -0,0 +1,28 @@
+From a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Thu, 21 Mar 2024 13:18:13 +0900
+Subject: [PATCH] Fix NoMethodError for start_with
+
+Reference:https://github.com/ruby/rdoc/commit/a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e
+Conflict:NA
+---
+ lib/rdoc/store.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
+index 5b663d7..c793e49 100644
+--- a/lib/rdoc/store.rb
++++ b/lib/rdoc/store.rb
+@@ -975,7 +975,7 @@ class RDoc::Store
+     case obj
+     when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
+     else
+-      unless obj.class.name.start_with("RDoc::")
++      unless obj.class.name.start_with?("RDoc::")
+         raise TypeError, "not permitted class: #{obj.class.name}"
+       end
+     end
+-- 
+2.33.0
+
+
diff --git a/backport-CVE-2024-27280.patch b/backport-CVE-2024-27280.patch
new file mode 100644
index 0000000..2bcaecf
--- /dev/null
+++ b/backport-CVE-2024-27280.patch
@@ -0,0 +1,86 @@
+From a35268a3ac1b5f0058e5b7c1a041a7e86d9da067 Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Tue, 16 Nov 2021 17:39:32 +0900
+Subject: [PATCH] Fix expanding size at ungetc/ungetbyte
+
+Reference:https://github.com/ruby/stringio/commit/a35268a3ac1b5f0058e5b7c1a041a7e86d9da067
+Conflict:NA
+---
+ ext/stringio/stringio.c        |  2 +-
+ test/stringio/test_stringio.rb | 25 +++++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
+index 8df07e8..d1e0473 100644
+--- a/ext/stringio/stringio.c
++++ b/ext/stringio/stringio.c
+@@ -984,7 +984,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl)
+     len = RSTRING_LEN(str);
+     rest = pos - len;
+     if (cl > pos) {
+-	long ex = (rest < 0 ? cl-pos : cl+rest);
++	long ex = cl - (rest < 0 ? pos : len);
+ 	rb_str_modify_expand(str, ex);
+ 	rb_str_set_len(str, len + ex);
+ 	s = RSTRING_PTR(str);
+diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
+index e0b4504..144a9f4 100644
+--- a/test/stringio/test_stringio.rb
++++ b/test/stringio/test_stringio.rb
+@@ -757,6 +757,15 @@ class TestStringIO < Test::Unit::TestCase
+     assert_equal("b""\0""a", s.string)
+   end
+ 
++  def test_ungetc_fill
++    count = 100
++    s = StringIO.new
++    s.print 'a' * count
++    s.ungetc('b' * (count * 5))
++    assert_equal((count * 5), s.string.size)
++    assert_match(/\Ab+\z/, s.string)
++  end
++
+   def test_ungetbyte_pos
+     b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011'
+     s = StringIO.new( b )
+@@ -782,6 +791,15 @@ class TestStringIO < Test::Unit::TestCase
+     assert_equal("b""\0""a", s.string)
+   end
+ 
++  def test_ungetbyte_fill
++    count = 100
++    s = StringIO.new
++    s.print 'a' * count
++    s.ungetbyte('b' * (count * 5))
++    assert_equal((count * 5), s.string.size)
++    assert_match(/\Ab+\z/, s.string)
++  end
++
+   def test_frozen
+     s = StringIO.new
+     s.freeze
+@@ -825,18 +843,17 @@ class TestStringIO < Test::Unit::TestCase
+   end
+ 
+   def test_overflow
+-    omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
++    return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
+     limit = RbConfig::LIMITS["INTPTR_MAX"] - 0x10
+     assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
+     begin;
+       limit = #{limit}
+       ary = []
+-      while true
++      begin
+         x = "a"*0x100000
+         break if [x].pack("p").unpack("i!")[0] < 0
+         ary << x
+-        omit if ary.size > 100
+-      end
++      end while ary.size <= 100
+       s = StringIO.new(x)
+       s.gets("xxx", limit)
+       assert_equal(0x100000, s.pos)
+-- 
+2.27.0
+
diff --git a/ruby.spec b/ruby.spec
index 3c7656d..1df4137 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -33,7 +33,7 @@
 
 Name:      ruby
 Version:   %{ruby_version}
-Release:   131
+Release:   132
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/en/
@@ -188,6 +188,10 @@ Patch6016: backport-0001-CVE-2023-28756.patch
 Patch6017: backport-0002-CVE-2023-28756.patch
 Patch6018: backport-0003-CVE-2023-28756.patch
 Patch6019: backport-CVE-2023-36617.patch
+Patch6020: backport-CVE-2024-27280.patch
+Patch6021: backport-0001-CVE-2024-27281.patch
+Patch6022: backport-0002-CVE-2024-27281.patch
+Patch6023: backport-0003-CVE-2024-27281.patch
 
 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@@ -1186,6 +1190,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed
 
 %changelog
+* Tue Mar 26 2024 shixuantong <shixuantong1@huawei.com> - 3.0.3-132
+- fix CVE-2024-27280 and CVE-2024-27281
+
 * Sat Jul 08 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-131
 - fix CVE-2023-36617
 
-- 
Gitee