From 0cea76d0f1085bf06770b50bd1405f839520dcfd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=20Ondruch?=
Date: Wed, 6 Sep 2017 14:29:40 +0200
Subject: [PATCH] Fix arbitrary heap exposure during a JSON.generate call (rhbz#1487552).
---
 ...exposure-during-a-JSON.generate-call.patch | 93 +++++++++++++++++++
 ruby.spec | 8 +-
 2 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
diff --git a/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch b/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
new file mode 100644
index 0000000..7c9034d
--- /dev/null
+++ b/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
@@ -0,0 +1,93 @@
+diff --git ext/json/generator/generator.c ext/json/generator/generator.c
+index a135e28348..2cdca5685f 100644
+--- ext/json/generator/generator.c
++++ ext/json/generator/generator.c
+@@ -301,7 +301,7 @@ static char *fstrndup(const char *ptr, unsigned long len) {
+ char *result;
+ if (len <= 0) return NULL;
+ result = ALLOC_N(char, len);
+- memccpy(result, ptr, 0, len);
++ memcpy(result, ptr, len);
+ return result;
+ }
+ 
+@@ -1055,7 +1055,7 @@ static VALUE cState_indent_set(VALUE self, VALUE indent)
+ }
+ } else {
+ if (state->indent) ruby_xfree(state->indent);
+- state->indent = strdup(RSTRING_PTR(indent));
++ state->indent = fstrndup(RSTRING_PTR(indent), len);
+ state->indent_len = len;
+ }
+ return Qnil;
+@@ -1093,7 +1093,7 @@ static VALUE cState_space_set(VALUE self, VALUE space)
+ }
+ } else {
+ if (state->space) ruby_xfree(state->space);
+- state->space = strdup(RSTRING_PTR(space));
++ state->space = fstrndup(RSTRING_PTR(space), len);
+ state->space_len = len;
+ }
+ return Qnil;
+@@ -1129,7 +1129,7 @@ static VALUE cState_space_before_set(VALUE self, VALUE space_before)
+ }
+ } else {
+ if (state->space_before) ruby_xfree(state->space_before);
+- state->space_before = strdup(RSTRING_PTR(space_before));
++ state->space_before = fstrndup(RSTRING_PTR(space_before), len);
+ state->space_before_len = len;
+ }
+ return Qnil;
+@@ -1166,7 +1166,7 @@ static VALUE cState_object_nl_set(VALUE self, VALUE object_nl)
+ }
+ } else {
+ if (state->object_nl) ruby_xfree(state->object_nl);
+- state->object_nl = strdup(RSTRING_PTR(object_nl));
++ state->object_nl = fstrndup(RSTRING_PTR(object_nl), len);
+ state->object_nl_len = len;
+ }
+ return Qnil;
+@@ -1201,7 +1201,7 @@ static VALUE cState_array_nl_set(VALUE self, VALUE array_nl)
+ }
+ } else {
+ if (state->array_nl) ruby_xfree(state->array_nl);
+- state->array_nl = strdup(RSTRING_PTR(array_nl));
++ state->array_nl = fstrndup(RSTRING_PTR(array_nl), len);
+ state->array_nl_len = len;
+ }
+ return Qnil;
+diff --git ext/json/generator/generator.h ext/json/generator/generator.h
+index 298c0a4965..6bbf817b7d 100644
+--- ext/json/generator/generator.h
++++ ext/json/generator/generator.h
+@@ -1,7 +1,6 @@
+ #ifndef _GENERATOR_H_
+ #define _GENERATOR_H_
+ 
+-#include
+ #include
+ #include
+ 
+diff --git ext/json/lib/json/version.rb ext/json/lib/json/version.rb
+index b5748334b9..cd7ddf8777 100644
+--- ext/json/lib/json/version.rb
++++ ext/json/lib/json/version.rb
+@@ -1,7 +1,7 @@
+ # frozen_string_literal: false
+ module JSON
+ # JSON version
+- VERSION = '1.8.3'
++ VERSION = '1.8.3.1'
+ VERSION_ARRAY = VERSION.split(/\./).map { |x| x.to_i } # :nodoc:
+ VERSION_MAJOR = VERSION_ARRAY[0] # :nodoc:
+ VERSION_MINOR = VERSION_ARRAY[1] # :nodoc:
+--- ext/json/json.gemspec
++++ ext/json/json.gemspec
+@@ -1,6 +1,6 @@
+ Gem::Specification.new do |s|
+ s.name = "json"
+- s.version = "1.8.3"
++ s.version = "1.8.3.1"
+ s.summary = "This json is bundled with Ruby"
+ s.executables = []
+ s.files = ["json.rb", "json/add/bigdecimal.rb", "json/add/complex.rb", "json/add/core.rb", "json/add/date.rb", "json/add/date_time.rb", "json/add/exception.rb", "json/add/ostruct.rb", "json/add/range.rb", "json/add/rational.rb", "json/add/regexp.rb", "json/add/struct.rb", "json/add/symbol.rb", "json/add/time.rb", "json/common.rb", "json/ext.rb", "json/ext/generator.bundle", "json/ext/parser.bundle", "json/generic_object.rb", "json/version.rb"]
diff --git a/ruby.spec b/ruby.spec
index 28780ed..d3725f6 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -39,7 +39,7 @@
 %global bigdecimal_version 1.2.8
 %global did_you_mean_version 1.0.0
 %global io_console_version 0.4.5
-%global json_version 1.8.3
+%global json_version 1.8.3.1
 %global minitest_version 5.8.5
 %global power_assert_version 0.2.6
 %global psych_version 2.1.0
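Review bot: After this change the buffers stored in state->indent, state->space, state->space_before, state->object_nl and state->array_nl are exactly `len` bytes with no terminating NUL — `fstrndup` allocates `ALLOC_N(char, len)` and `memcpy`s `len` bytes — so they are only safe to read together with the matching `*_len` fields, and any remaining `strlen`/`%s`-style use of them would read past the allocation. The readers of those fields are outside this hunk, so that should be checked once across generator.c; as far as the hunk shows it closes both halves of the exposure, since `strdup` stopped at the first NUL while `*_len` was set to the full `len`, and `memccpy(..., 0, len)` likewise left the tail of the allocation uninitialized. I would record the contract at the helper, e.g. `/* Returns exactly len bytes of ptr; the result is NOT NUL-terminated, callers must keep len alongside it. */`. Minor: with `len` declared `unsigned long`, `if (len <= 0)` is just `if (len == 0)`, and the explicit form reads more honestly.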
@@ -144,6 +144,10 @@ Patch11: ruby-2.4.0-SMTP-injection-fix.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1487591
 # https://bugs.ruby-lang.org/issues/13842
 Patch12: ruby-2.3.4-Fix-RubyGems-CVEs.patch
+# Fix arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).
+# https://bugzilla.redhat.com/show_bug.cgi?id=1487553
+# https://bugs.ruby-lang.org/issues/13853
+Patch13: ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
 # Do not freeze strings in generated .gemspec. This causes regressions
 # and FTBFS in Fedora packages. This is revert of:
 # https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae
@@ -500,6 +504,7 @@ rm -rf ext/fiddle/libffi*
 %patch10 -p1
 %patch11 -p1
 %patch12
+%patch13
 %patch100 -p1
 # Provide an example of usage of the tapset:
@@ -996,6 +1001,7 @@ make check TESTS="-v $DISABLE_TESTS"
 - Fix a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files (rhbz#1487587).
 - Fix DNS request hijacking vulnerability (rhbz#1487589).
+- Fix arbitrary heap exposure during a JSON.generate call (rhbz#1487552).
 * Tue Aug 08 2017 Vít Ondruch - 2.3.4-63
 - Update to Ruby 2.3.4.
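Review bot: The bug URL in the new Patch13 comment, `# https://bugzilla.redhat.com/show_bug.cgi?id=1487553`, does not agree with the rhbz number used in the commit subject and in the new changelog line of the `@@ -996` hunk (`rhbz#1487552`); one of them is presumably a typo, and since both are in the same commit they should be reconciled so the patch can be traced to the right bug. `%patch13` in the `@@ -500` hunk is applied without `-p1`, unlike the neighbouring `%patch10 -p1`/`%patch11 -p1`; that appears to match the bundled patch, whose headers carry bare `ext/json/...` paths with no `a/`/`b/` prefix, and is the same form as `%patch12`, but a short comment next to the Patch13 entry saying so would save the next packager from "fixing" it.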