104 lines
3.2 KiB
Diff
104 lines
3.2 KiB
Diff
|
From 24dc9891be7e97ca351c58bce00c488f5ba7b398 Mon Sep 17 00:00:00 2001
|
||
|
|
From: shenyining <shenyining@huawei.com>
|
||
|
|
Date: Thu, 21 Mar 2019 20:11:44 +0800
|
||
|
|
Subject: [PATCH] fix CVE-2018-16396
|
||
|
|
patch url:
|
||
|
|
https://github.com/ruby/ruby/commit/4989bad4387ee2e9a7309d51840bc0705a248460
|
||
|
|
CVE:
|
||
|
|
https://nvd.nist.gov/vuln/detail/CVE-2018-16396
|
||
|
|
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
|
||
|
|
|
||
|
|
Signed-off-by: shenyining <shenyining@huawei.com>
|
||
|
|
---
|
||
|
|
pack.c | 7 +++++++
|
||
|
|
test/ruby/test_pack.rb | 16 ++++++++++++++++
|
||
|
|
2 files changed, 23 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/pack.c b/pack.c
|
||
|
|
index 11d26bd..50f3dce 100644
|
||
|
|
--- a/pack.c
|
||
|
|
+++ b/pack.c
|
||
|
|
@@ -749,6 +749,7 @@ pack_pack(int argc, VALUE *argv, VALUE ary)
|
||
|
|
StringValue(from);
|
||
|
|
ptr = RSTRING_PTR(from);
|
||
|
|
plen = RSTRING_LEN(from);
|
||
|
|
+ OBJ_INFECT(res, from);
|
||
|
|
|
||
|
|
if (len == 0 && type == 'm') {
|
||
|
|
encodes(res, ptr, plen, type, 0);
|
||
|
|
@@ -776,6 +777,7 @@ pack_pack(int argc, VALUE *argv, VALUE ary)
|
||
|
|
|
||
|
|
case 'M': /* quoted-printable encoded string */
|
||
|
|
from = rb_obj_as_string(NEXTFROM);
|
||
|
|
+ OBJ_INFECT(res, from);
|
||
|
|
if (len <= 1)
|
||
|
|
len = 72;
|
||
|
|
qpencode(res, from, len);
|
||
|
|
@@ -801,6 +803,7 @@ pack_pack(int argc, VALUE *argv, VALUE ary)
|
||
|
|
}
|
||
|
|
else {
|
||
|
|
t = StringValuePtr(from);
|
||
|
|
+ OBJ_INFECT(res, from);
|
||
|
|
rb_obj_taint(from);
|
||
|
|
}
|
||
|
|
if (!associates) {
|
||
|
|
@@ -1184,6 +1187,7 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode)
|
||
|
|
len = (send - s) * 8;
|
||
|
|
bits = 0;
|
||
|
|
bitstr = rb_usascii_str_new(0, len);
|
||
|
|
+ OBJ_INFECT(bitstr, str);
|
||
|
|
t = RSTRING_PTR(bitstr);
|
||
|
|
for (i=0; i<len; i++) {
|
||
|
|
if (i & 7) bits >>= 1;
|
||
|
|
@@ -1205,6 +1209,7 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode)
|
||
|
|
len = (send - s) * 8;
|
||
|
|
bits = 0;
|
||
|
|
bitstr = rb_usascii_str_new(0, len);
|
||
|
|
+ OBJ_INFECT(bitstr, str);
|
||
|
|
t = RSTRING_PTR(bitstr);
|
||
|
|
for (i=0; i<len; i++) {
|
||
|
|
if (i & 7) bits <<= 1;
|
||
|
|
@@ -1226,6 +1231,7 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode)
|
||
|
|
len = (send - s) * 2;
|
||
|
|
bits = 0;
|
||
|
|
bitstr = rb_usascii_str_new(0, len);
|
||
|
|
+ OBJ_INFECT(bitstr, str);
|
||
|
|
t = RSTRING_PTR(bitstr);
|
||
|
|
for (i=0; i<len; i++) {
|
||
|
|
if (i & 1)
|
||
|
|
@@ -1249,6 +1255,7 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode)
|
||
|
|
len = (send - s) * 2;
|
||
|
|
bits = 0;
|
||
|
|
bitstr = rb_usascii_str_new(0, len);
|
||
|
|
+ OBJ_INFECT(bitstr, str);
|
||
|
|
t = RSTRING_PTR(bitstr);
|
||
|
|
for (i=0; i<len; i++) {
|
||
|
|
if (i & 1)
|
||
|
|
diff --git a/test/ruby/test_pack.rb b/test/ruby/test_pack.rb
|
||
|
|
index a872bf3..aec4189 100644
|
||
|
|
--- a/test/ruby/test_pack.rb
|
||
|
|
+++ b/test/ruby/test_pack.rb
|
||
|
|
@@ -860,4 +860,20 @@ EXPECTED
|
||
|
|
assert_equal "hogefuga", "aG9nZWZ1Z2E=".unpack1("m")
|
||
|
|
assert_equal "01000001", "A".unpack1("B*")
|
||
|
|
end
|
||
|
|
+
|
||
|
|
+ def test_pack_infection
|
||
|
|
+ tainted_array_string = ["123456"]
|
||
|
|
+ tainted_array_string.first.taint
|
||
|
|
+ ['a', 'A', 'Z', 'B', 'b', 'H', 'h', 'u', 'M', 'm', 'P', 'p'].each do |f|
|
||
|
|
+ assert_predicate(tainted_array_string.pack(f), :tainted?)
|
||
|
|
+ end
|
||
|
|
+ end
|
||
|
|
+
|
||
|
|
+ def test_unpack_infection
|
||
|
|
+ tainted_string = "123456"
|
||
|
|
+ tainted_string.taint
|
||
|
|
+ ['a', 'A', 'Z', 'B', 'b', 'H', 'h', 'u', 'M', 'm'].each do |f|
|
||
|
|
+ assert_predicate(tainted_string.unpack(f).first, :tainted?)
|
||
|
|
+ end
|
||
|
|
+ end
|
||
|
|
end
|
||
|
|
--
|
||
|
|
1.8.3.1
|