Fix arbitrary heap exposure during a JSON.generate call (rhbz#1487552).

2017-09-06 14:29:40 +02:00 · 2017-09-06 14:29:40 +02:00 · 0cea76d0f1
commit 0cea76d0f1
parent 5c005b98ca
2 changed files with 100 additions and 1 deletions
--- a/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
+++ b/ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
@ -0,0 +1,93 @@
+diff --git ext/json/generator/generator.c ext/json/generator/generator.c
+index a135e28348..2cdca5685f 100644
+--- ext/json/generator/generator.c
+++ ext/json/generator/generator.c
+@@ -301,7 +301,7 @@ static char *fstrndup(const char *ptr, unsigned long len) {
+   char *result;
+   if (len <= 0) return NULL;
+   result = ALLOC_N(char, len);
+-  memccpy(result, ptr, 0, len);
+  memcpy(result, ptr, len);
+   return result;
+ }
+ 
+@@ -1055,7 +1055,7 @@ static VALUE cState_indent_set(VALUE self, VALUE indent)
+         }
+     } else {
+         if (state->indent) ruby_xfree(state->indent);
+-        state->indent = strdup(RSTRING_PTR(indent));
+        state->indent = fstrndup(RSTRING_PTR(indent), len);
+         state->indent_len = len;
+     }
+     return Qnil;
+@@ -1093,7 +1093,7 @@ static VALUE cState_space_set(VALUE self, VALUE space)
+         }
+     } else {
+         if (state->space) ruby_xfree(state->space);
+-        state->space = strdup(RSTRING_PTR(space));
+        state->space = fstrndup(RSTRING_PTR(space), len);
+         state->space_len = len;
+     }
+     return Qnil;
+@@ -1129,7 +1129,7 @@ static VALUE cState_space_before_set(VALUE self, VALUE space_before)
+         }
+     } else {
+         if (state->space_before) ruby_xfree(state->space_before);
+-        state->space_before = strdup(RSTRING_PTR(space_before));
+        state->space_before = fstrndup(RSTRING_PTR(space_before), len);
+         state->space_before_len = len;
+     }
+     return Qnil;
+@@ -1166,7 +1166,7 @@ static VALUE cState_object_nl_set(VALUE self, VALUE object_nl)
+         }
+     } else {
+         if (state->object_nl) ruby_xfree(state->object_nl);
+-        state->object_nl = strdup(RSTRING_PTR(object_nl));
+        state->object_nl = fstrndup(RSTRING_PTR(object_nl), len);
+         state->object_nl_len = len;
+     }
+     return Qnil;
+@@ -1201,7 +1201,7 @@ static VALUE cState_array_nl_set(VALUE self, VALUE array_nl)
+         }
+     } else {
+         if (state->array_nl) ruby_xfree(state->array_nl);
+-        state->array_nl = strdup(RSTRING_PTR(array_nl));
+        state->array_nl = fstrndup(RSTRING_PTR(array_nl), len);
+         state->array_nl_len = len;
+     }
+     return Qnil;
+diff --git ext/json/generator/generator.h ext/json/generator/generator.h
+index 298c0a4965..6bbf817b7d 100644
+--- ext/json/generator/generator.h
+++ ext/json/generator/generator.h
+@@ -1,7 +1,6 @@
+ #ifndef _GENERATOR_H_
+ #define _GENERATOR_H_
+ 
+-#include <string.h>
+ #include <math.h>
+ #include <ctype.h>
+ 
+diff --git ext/json/lib/json/version.rb ext/json/lib/json/version.rb
+index b5748334b9..cd7ddf8777 100644
+--- ext/json/lib/json/version.rb
+++ ext/json/lib/json/version.rb
+@@ -1,7 +1,7 @@
+ # frozen_string_literal: false
+ module JSON
+   # JSON version
+-  VERSION         = '1.8.3'
+  VERSION         = '1.8.3.1'
+   VERSION_ARRAY   = VERSION.split(/\./).map { |x| x.to_i } # :nodoc:
+   VERSION_MAJOR   = VERSION_ARRAY[0] # :nodoc:
+   VERSION_MINOR   = VERSION_ARRAY[1] # :nodoc:
+--- ext/json/json.gemspec
+++ ext/json/json.gemspec
+@@ -1,6 +1,6 @@
+ Gem::Specification.new do |s|
+   s.name = "json"
+-  s.version = "1.8.3"
+  s.version = "1.8.3.1"
+   s.summary = "This json is bundled with Ruby"
+   s.executables = []
+   s.files = ["json.rb", "json/add/bigdecimal.rb", "json/add/complex.rb", "json/add/core.rb", "json/add/date.rb", "json/add/date_time.rb", "json/add/exception.rb", "json/add/ostruct.rb", "json/add/range.rb", "json/add/rational.rb", "json/add/regexp.rb", "json/add/struct.rb", "json/add/symbol.rb", "json/add/time.rb", "json/common.rb", "json/ext.rb", "json/ext/generator.bundle", "json/ext/parser.bundle", "json/generic_object.rb", "json/version.rb"]
--- a/ruby.spec
+++ b/ruby.spec
@ -39,7 +39,7 @@
 %global bigdecimal_version 1.2.8
 %global did_you_mean_version 1.0.0
 %global io_console_version 0.4.5
-%global json_version 1.8.3
+%global json_version 1.8.3.1
 %global minitest_version 5.8.5
 %global power_assert_version 0.2.6
 %global psych_version 2.1.0
@ -144,6 +144,10 @@ Patch11: ruby-2.4.0-SMTP-injection-fix.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1487591
 # https://bugs.ruby-lang.org/issues/13842
 Patch12: ruby-2.3.4-Fix-RubyGems-CVEs.patch
+# Fix arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).
+# https://bugzilla.redhat.com/show_bug.cgi?id=1487553
+# https://bugs.ruby-lang.org/issues/13853
+Patch13: ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
 # Do not freeze strings in generated .gemspec. This causes regressions
 # and FTBFS in Fedora packages. This is revert of:
 # https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae
@ -500,6 +504,7 @@ rm -rf ext/fiddle/libffi*
 %patch10 -p1
 %patch11 -p1
 %patch12
+%patch13
 %patch100 -p1

 # Provide an example of usage of the tapset:
@ -996,6 +1001,7 @@ make check TESTS="-v $DISABLE_TESTS"
 - Fix a vulnerability in the gem installer that allowed a malicious gem
  to overwrite arbitrary files (rhbz#1487587).
 - Fix DNS request hijacking vulnerability (rhbz#1487589).
+- Fix arbitrary heap exposure during a JSON.generate call (rhbz#1487552).

 * Tue Aug 08 2017 Vít Ondruch <vondruch@redhat.com> - 2.3.4-63
 - Update to Ruby 2.3.4.