From e17bce8a0487e2ad4ab0024f0c5490c33082c694 Mon Sep 17 00:00:00 2001 From: wangjiang Date: Fri, 1 Jul 2022 15:05:44 +0800 Subject: [PATCH] fix CVE-2019-19204 CVE-2019-19246 CVE-2019-16161 CVE-2019-16162 CVE-2019-16163 --- backport-CVE-2019-16161.patch | 31 +++++++++++++++++++ backport-CVE-2019-16162.patch | 41 +++++++++++++++++++++++++ backport-CVE-2019-16163.patch | 56 +++++++++++++++++++++++++++++++++++ backport-CVE-2019-19204.patch | 23 ++++++++++++++ backport-CVE-2019-19246.patch | 24 +++++++++++++++ ruby.spec | 10 ++++++- 6 files changed, 184 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2019-16161.patch create mode 100644 backport-CVE-2019-16162.patch create mode 100644 backport-CVE-2019-16163.patch create mode 100644 backport-CVE-2019-19204.patch create mode 100644 backport-CVE-2019-19246.patch diff --git a/backport-CVE-2019-16161.patch b/backport-CVE-2019-16161.patch new file mode 100644 index 0000000..aeed1aa --- /dev/null +++ b/backport-CVE-2019-16161.patch @@ -0,0 +1,31 @@ +From 00cc7e28a3ed54b3b512ef3b58ea737a57acf1f9 Mon Sep 17 00:00:00 2001 +From: "K.Takata" +Date: Mon, 29 Jul 2019 20:15:26 +0900 +Subject: [PATCH] Fix SEGV in onig_error_code_to_str() (Fix #132) + +When onig_new(ONIG_SYNTAX_PERL) fails with ONIGERR_INVALID_GROUP_NAME, +onig_error_code_to_str() crashes. +onig_scan_env_set_error_string() should have been used when returning +ONIGERR_INVALID_GROUP_NAME. +--- + regparse.c | 6 +++++- + testpy.py | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff -Naur a/regparse.c b/regparse.c +--- a/regparse.c 2020-08-06 14:39:34.822618517 -0400 ++++ b/regparse.c 2020-08-06 14:42:49.332618517 -0400 +@@ -3891,7 +3891,11 @@ + + if (c == 'R' || c == '0') { + PINC; /* skip 'R' / '0' */ +- if (!PPEEK_IS(')')) return ONIGERR_INVALID_GROUP_NAME; ++ if (!PPEEK_IS(')')) { ++ r = ONIGERR_INVALID_GROUP_NAME; ++ onig_scan_env_set_error_string(env, r, p - 1, p + 1); ++ return r; ++ } + PINC; /* skip ')' */ + name_end = name = p; + gnum = 0; + diff --git a/backport-CVE-2019-16162.patch b/backport-CVE-2019-16162.patch new file mode 100644 index 0000000..f63a6c8 --- /dev/null +++ b/backport-CVE-2019-16162.patch @@ -0,0 +1,41 @@ +From d4cf99d30bd5f6a8a4ababd0b9d7b06f3a479a24 Mon Sep 17 00:00:00 2001 +From: "K.Takata" +Date: Thu, 1 Aug 2019 21:27:51 +0900 +Subject: [PATCH] Fix out-of-bounds read in parse_char_class() (Close #139) + +/[\x{111111}]/ causes out-of-bounds read when encoding is a single byte +encoding. \x{111111} is an invalid codepoint for a single byte encoding. +Check if it is a valid codepoint. +--- + regenc.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff -Naur a/regenc.c b/regenc.c +--- a/regenc.c 2020-10-20 14:19:32.284000000 +0800 ++++ b/regenc.c 2020-10-20 14:22:55.412000000 +0800 +@@ -625,18 +625,23 @@ + } + + extern int +-onigenc_single_byte_code_to_mbclen(OnigCodePoint code ARG_UNUSED, OnigEncoding enc ARG_UNUSED) ++onigenc_single_byte_code_to_mbclen(OnigCodePoint code, OnigEncoding enc ARG_UNUSED) + { ++ if (code > 0xff) ++ return ONIGERR_INVALID_CODE_POINT_VALUE; + return 1; + } + + extern int + onigenc_single_byte_code_to_mbc(OnigCodePoint code, UChar *buf, OnigEncoding enc ARG_UNUSED) + { ++ if (code > 0xff) { + #ifdef RUBY +- if (code > 0xff) + rb_raise(rb_eRangeError, "%u out of char range", code); ++#else ++ return ONIGERR_INVALID_CODE_POINT_VALUE; + #endif ++ } + *buf = (UChar )(code & 0xff); + return 1; + } diff --git a/backport-CVE-2019-16163.patch b/backport-CVE-2019-16163.patch new file mode 100644 index 0000000..fce1c86 --- /dev/null +++ b/backport-CVE-2019-16163.patch @@ -0,0 +1,56 @@ +From 4097828d7cc87589864fecf452f2cd46c5f37180 Mon Sep 17 00:00:00 2001 +From: "K.Kosako" +Date: Mon, 29 Jul 2019 12:52:56 +0900 +Subject: [PATCH] fix #147: Stack Exhaustion Problem caused by some parsing + functions in regcomp.c making recursive calls to themselves. + +--- + regparse.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/regparse.c b/regparse.c +index f7177db..c07fccd 100644 +--- a/regparse.c ++++ b/regparse.c +@@ -4568,6 +4568,7 @@ parse_char_class(Node** np, Node** asc_np, OnigToken* tok, UChar** src, UChar* e + env->parse_depth++; + if (env->parse_depth > ParseDepthLimit) + return ONIGERR_PARSE_DEPTH_LIMIT_OVER; ++ + prev_cc = asc_prev_cc = (CClassNode* )NULL; + r = fetch_token_in_cc(tok, src, end, env); + if (r == TK_CHAR && tok->u.c == '^' && tok->escaped == 0) { +@@ -6514,14 +6515,18 @@ static int + parse_exp(Node** np, OnigToken* tok, int term, + UChar** src, UChar* end, ScanEnv* env) + { +- int r, len, group = 0; ++ int r, len, group; + Node* qn; + Node** targetp; ++ unsigned int parse_depth; + ++ group = 0; + *np = NULL; + if (tok->type == (enum TokenSyms )term) + goto end_of_token; + ++ parse_depth = env->parse_depth; ++ + switch (tok->type) { + case TK_ALT: + case TK_EOT: +@@ -6832,6 +6837,10 @@ parse_exp(Node** np, OnigToken* tok, int term, + if (is_invalid_quantifier_target(*targetp)) + return ONIGERR_TARGET_OF_REPEAT_OPERATOR_INVALID; + ++ parse_depth++; ++ if (parse_depth > ParseDepthLimit) ++ return ONIGERR_PARSE_DEPTH_LIMIT_OVER; ++ + qn = node_new_quantifier(tok->u.repeat.lower, tok->u.repeat.upper, + (r == TK_INTERVAL ? 1 : 0)); + CHECK_NULL_RETURN_MEMERR(qn); +-- +1.8.3.1 + diff --git a/backport-CVE-2019-19204.patch b/backport-CVE-2019-19204.patch new file mode 100644 index 0000000..97f9cad --- /dev/null +++ b/backport-CVE-2019-19204.patch @@ -0,0 +1,23 @@ +From 6eb4aca6a7f2f60f473580576d86686ed6a6ebec Mon Sep 17 00:00:00 2001 +From: "K.Kosako" +Date: Wed, 6 Nov 2019 17:32:29 +0900 +Subject: [PATCH] fix #162: heap-buffer-overflow in fetch_interval_quantifier + due to double PFETCH + +--- + regparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/regparse.c b/regparse.c +index 324c414..70c36d5 100644 +--- a/regparse.c ++++ b/regparse.c +@@ -4178,7 +4178,7 @@ fetch_interval_quantifier(UChar** src, UChar* end, PToken* tok, ScanEnv* env) + if (PEND) goto invalid; + PFETCH(c); + if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_BRACE_INTERVAL)) { +- if (c != MC_ESC(env->syntax)) goto invalid; ++ if (c != MC_ESC(env->syntax) || PEND) goto invalid; + if (PEND) goto invalid; + PFETCH(c); + } diff --git a/backport-CVE-2019-19246.patch b/backport-CVE-2019-19246.patch new file mode 100644 index 0000000..b2e49f7 --- /dev/null +++ b/backport-CVE-2019-19246.patch @@ -0,0 +1,24 @@ +From d3e402928b6eb3327f8f7d59a9edfa622fec557b Mon Sep 17 00:00:00 2001 +From: "K.Kosako" +Date: Tue, 13 Aug 2019 13:37:30 +0900 +Subject: [PATCH] fix heap-buffer-overflow + +--- + regexec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/regexec.c b/regexec.c +index 4582c35..8a17ee7 100644 +--- a/regexec.c ++++ b/regexec.c +@@ -3255,6 +3255,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag, + lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf); + q = lowbuf; + while (lowlen > 0) { ++ if (t >= tend) return 0; + if (*t++ != *q++) return 0; + lowlen--; + } +-- +1.8.3.1 + diff --git a/ruby.spec b/ruby.spec index 7635926..8682ea5 100644 --- a/ruby.spec +++ b/ruby.spec @@ -33,7 +33,7 @@ Name: ruby Version: %{ruby_version} -Release: 123 +Release: 124 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/en/ @@ -171,6 +171,11 @@ Patch53: ruby-3.1.0-SSL_read-EOF-handling.patch Patch6000: backport-Add-tests-for-template-stylesheets-option.patch Patch6001: backport-CVE-2022-28738.patch Patch6002: backport-CVE-2022-28739.patch +Patch6003: backport-CVE-2019-19204.patch +Patch6004: backport-CVE-2019-19246.patch +Patch6005: backport-CVE-2019-16161.patch +Patch6006: backport-CVE-2019-16162.patch +Patch6007: backport-CVE-2019-16163.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -1183,6 +1188,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed %changelog +* Fri Jul 01 2022 wangjiang - 3.0.3-124 +- fix CVE-2019-19204 CVE-2019-19246 CVE-2019-16161 CVE-2019-16162 CVE-2019-16163 + * Sun May 29 2022 ExtinctFire - 3.0.3-123 - fix CVE-2022-28738 CVE-2022-28739 -- Gitee