From 337aa3f8a11aa23501b515517a94e283a4f745d4 Mon Sep 17 00:00:00 2001 From: shixuantong Date: Sat, 8 Jul 2023 11:20:10 +0800 Subject: [PATCH] fix CVE-2023-36617 --- backport-CVE-2023-36617.patch | 106 ++++++++++++++++++++++++++++++++++ ruby.spec | 6 +- 2 files changed, 111 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-36617.patch diff --git a/backport-CVE-2023-36617.patch b/backport-CVE-2023-36617.patch new file mode 100644 index 0000000..25433c5 --- /dev/null +++ b/backport-CVE-2023-36617.patch @@ -0,0 +1,106 @@ +From 5fbc1d45f17e4bff7cc61a78a7d788aa32ff390a Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Thu, 29 Jun 2023 22:24:35 +0900 +Subject: [PATCH] CVE-2023-36617 for Ruby 3.1 (#7996) + +* Bump up v0.12.2 + +* Merge URI-0.10.3 for Bundler +--- + .../vendor/uri/lib/uri/rfc2396_parser.rb | 4 ++-- + .../vendor/uri/lib/uri/rfc3986_parser.rb | 2 +- + lib/uri/rfc2396_parser.rb | 4 ++-- + lib/uri/rfc3986_parser.rb | 2 +- + test/uri/test_parser.rb | 22 +++++++++++++++++++ + 5 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb +index e48e164..09ed407 100644 +--- a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb ++++ b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb +@@ -491,8 +491,8 @@ module Bundler::URI + ret = {} + + # for Bundler::URI::split +- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) +- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) + + # for Bundler::URI::extract + ret[:URI_REF] = Regexp.new(pattern[:URI_REF]) +diff --git a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb +index 2029cfd..e11f622 100644 +--- a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb ++++ b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb +@@ -95,7 +95,7 @@ module Bundler::URI + QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + OPAQUE: /\A(?:[^\/].*)?\z/, +- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/, ++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/, + } + end + +diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb +index 76a8f99..00c66cf 100644 +--- a/lib/uri/rfc2396_parser.rb ++++ b/lib/uri/rfc2396_parser.rb +@@ -497,8 +497,8 @@ module URI + ret = {} + + # for URI::split +- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) +- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED) ++ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED) + + # for URI::extract + ret[:URI_REF] = Regexp.new(pattern[:URI_REF]) +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index 3c89311..cde3ea7 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -101,7 +101,7 @@ module URI + QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/, + OPAQUE: /\A(?:[^\/].*)?\z/, +- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/, ++ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/, + } + end + +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index 03de137..81c2210 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -63,4 +63,26 @@ class URI::TestParser < Test::Unit::TestCase + assert_equal("\u3042", p1.unescape('%e3%81%82'.force_encoding(Encoding::US_ASCII))) + assert_equal("\xe3\x83\x90\xe3\x83\x90", p1.unescape("\xe3\x83\x90%e3%83%90")) + end ++ ++ def test_rfc2822_parse_relative_uri ++ pre = ->(length) { ++ " " * length + "\0" ++ } ++ parser = URI::RFC2396_Parser.new ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri| ++ assert_raise(URI::InvalidURIError) do ++ parser.split(uri) ++ end ++ end ++ end ++ ++ def test_rfc3986_port_check ++ pre = ->(length) {"\t" * length + "a"} ++ uri = URI.parse("http://my.example.com") ++ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port| ++ assert_raise(URI::InvalidComponentError) do ++ uri.port = port ++ end ++ end ++ end + end +-- +2.27.0 + diff --git a/ruby.spec b/ruby.spec index ddcc48a..1464e14 100644 --- a/ruby.spec +++ b/ruby.spec @@ -30,7 +30,7 @@ Name: ruby Version: %{ruby_version} -Release: 135 +Release: 136 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/en/ @@ -92,6 +92,7 @@ Patch6011: backport-Make-io-console-size-as-optional-dependency.patch Patch6012: backport-CVE-2023-28755.patch Patch6013: backport-0001-CVE-2023-28756.patch Patch6014: backport-0002-CVE-2023-28756.patch +Patch6015: backport-CVE-2023-36617.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -874,6 +875,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %{gem_dir}/specifications/matrix-%{matrix_version}.gemspec %changelog +* Sat Jul 08 2023 shixuantong - 3.1.3-136 +- fix CVE-2023-36617 + * Fri Jun 02 2023 shixuantong - 3.1.3-135 - remove rubygem-power_assert