From 707d60acc18e8207410c07579771345f5a214d87 Mon Sep 17 00:00:00 2001
From: zhangtao2020 <zhangtao221@huawei.com>
Date: Wed, 18 Mar 2020 17:31:31 +0800
Subject: [PATCH] fix CVE-2019-16163  CVE-2019-16255 CVE-2019-19204 
 CVE-2019-19246

---
 CVE-2019-16163.patch | 56 +++++++++++++++++++++++++++++++++++++++++
 CVE-2019-16255.patch | 60 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2019-19204.patch | 23 +++++++++++++++++
 CVE-2019-19246.patch | 24 ++++++++++++++++++
 ruby.spec            | 13 +++++++++-
 5 files changed, 175 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-16163.patch
 create mode 100644 CVE-2019-16255.patch
 create mode 100644 CVE-2019-19204.patch
 create mode 100644 CVE-2019-19246.patch

diff --git a/CVE-2019-16163.patch b/CVE-2019-16163.patch
new file mode 100644
index 0000000..c93d459
--- /dev/null
+++ b/CVE-2019-16163.patch
@@ -0,0 +1,56 @@
+From 4097828d7cc87589864fecf452f2cd46c5f37180 Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Mon, 29 Jul 2019 12:52:56 +0900
+Subject: [PATCH] fix #147: Stack Exhaustion Problem caused by some parsing
+ functions in regcomp.c making recursive calls to themselves.
+
+---
+ regparse.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/regparse.c b/regparse.c
+index f7177db..c07fccd 100644
+--- a/regparse.c
++++ b/regparse.c
+@@ -4568,6 +4568,7 @@ parse_char_class(Node** np, Node** asc_np, OnigToken* tok, UChar** src, UChar* e
+   env->parse_depth++;
+   if (env->parse_depth > ParseDepthLimit)
+     return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
++
+   prev_cc = asc_prev_cc = (CClassNode* )NULL;
+   r = fetch_token_in_cc(tok, src, end, env);
+   if (r == TK_CHAR && tok->u.c == '^' && tok->escaped == 0) {
+@@ -6514,14 +6515,18 @@ static int
+ parse_exp(Node** np, OnigToken* tok, int term,
+ 	  UChar** src, UChar* end, ScanEnv* env)
+ {
+-  int r, len, group = 0;
++  int r, len, group;
+   Node* qn;
+   Node** targetp;
++  unsigned int parse_depth;
+ 
++  group = 0;
+   *np = NULL;
+   if (tok->type == (enum TokenSyms )term)
+     goto end_of_token;
+ 
++  parse_depth = env->parse_depth;
++
+   switch (tok->type) {
+   case TK_ALT:
+   case TK_EOT:
+@@ -6832,6 +6837,10 @@ parse_exp(Node** np, OnigToken* tok, int term,
+       if (is_invalid_quantifier_target(*targetp))
+ 	return ONIGERR_TARGET_OF_REPEAT_OPERATOR_INVALID;
+ 
++      parse_depth++;
++      if (parse_depth > ParseDepthLimit)
++        return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
++
+       qn = node_new_quantifier(tok->u.repeat.lower, tok->u.repeat.upper,
+ 			       (r == TK_INTERVAL ? 1 : 0));
+       CHECK_NULL_RETURN_MEMERR(qn);
+-- 
+1.8.3.1
+
diff --git a/CVE-2019-16255.patch b/CVE-2019-16255.patch
new file mode 100644
index 0000000..a4fc20a
--- /dev/null
+++ b/CVE-2019-16255.patch
@@ -0,0 +1,60 @@
+From 3af01ae1101e0b8815ae5a106be64b0e82a58640 Mon Sep 17 00:00:00 2001
+From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Tue, 1 Oct 2019 11:01:53 +0000
+Subject: [PATCH] lib/shell/command-processor.rb (Shell#[]): prevent unknown
+ command
+
+`FileTest.send(command, ...)` allows to call not only FileTest-related
+methods but also any method that belongs to Kernel, Object, etc.
+patched by <mame@ruby-lang.org>
+
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67814 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ lib/shell/command-processor.rb       |  3 +++
+ test/shell/test_command_processor.rb | 18 ++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/lib/shell/command-processor.rb b/lib/shell/command-processor.rb
+index b52cb0043f75..08ea5c874c12 100644
+--- a/lib/shell/command-processor.rb
++++ b/lib/shell/command-processor.rb
+@@ -180,6 +180,9 @@ def test(command, file1, file2=nil)
+             top_level_test(command, file1)
+           end
+         else
++          unless FileTest.methods(false).include?(command.to_sym)
++            raise "unsupported command: #{ command }"
++          end
+           if file2
+             FileTest.send(command, file1, file2)
+           else
+diff --git a/test/shell/test_command_processor.rb b/test/shell/test_command_processor.rb
+index 06b5ecc1d9b4..51e14b5a6954 100644
+--- a/test/shell/test_command_processor.rb
++++ b/test/shell/test_command_processor.rb
+@@ -67,6 +67,24 @@ def test_system_directory
+     Dir.rmdir(path)
+   end
+ 
++  def test_test
++    name = "foo#{exeext}"
++    path = File.join(@tmpdir, name)
++    open(path, "w", 0644) {}
++
++    assert_equal(true, @shell[?e, path])
++    assert_equal(true, @shell[:e, path])
++    assert_equal(true, @shell["e", path])
++    assert_equal(true, @shell[:exist?, path])
++    assert_equal(true, @shell["exist?", path])
++    assert_raise_with_message(RuntimeError, /unsupported command/) do
++      assert_equal(true, @shell[:instance_eval, path])
++    end
++  ensure
++    Process.waitall
++    File.unlink(path)
++  end
++
+   def test_option_type
+     name = 'foo.cmd'
+     path = File.join(@tmpdir, name)
diff --git a/CVE-2019-19204.patch b/CVE-2019-19204.patch
new file mode 100644
index 0000000..a9fec42
--- /dev/null
+++ b/CVE-2019-19204.patch
@@ -0,0 +1,23 @@
+From 6eb4aca6a7f2f60f473580576d86686ed6a6ebec Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Wed, 6 Nov 2019 17:32:29 +0900
+Subject: [PATCH] fix #162: heap-buffer-overflow in fetch_interval_quantifier
+ due to double PFETCH
+
+---
+ regparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/regparse.c b/regparse.c
+index 324c414..70c36d5 100644
+--- a/regparse.c
++++ b/regparse.c
+@@ -4178,7 +4178,7 @@ fetch_interval_quantifier(UChar** src, UChar* end, PToken* tok, ScanEnv* env)
+   if (PEND) goto invalid;
+   PFETCH(c);
+   if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_BRACE_INTERVAL)) {
+-    if (c != MC_ESC(env->syntax)) goto invalid;
++    if (c != MC_ESC(env->syntax) || PEND) goto invalid;
+     if (PEND) goto invalid;
+     PFETCH(c);
+   }
diff --git a/CVE-2019-19246.patch b/CVE-2019-19246.patch
new file mode 100644
index 0000000..3c14ac9
--- /dev/null
+++ b/CVE-2019-19246.patch
@@ -0,0 +1,24 @@
+From d3e402928b6eb3327f8f7d59a9edfa622fec557b Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Tue, 13 Aug 2019 13:37:30 +0900
+Subject: [PATCH] fix heap-buffer-overflow
+
+---
+ regexec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/regexec.c b/regexec.c
+index 4582c35..8a17ee7 100644
+--- a/regexec.c
++++ b/regexec.c
+@@ -3255,6 +3255,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag,
+     lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf);
+     q = lowbuf;
+     while (lowlen > 0) {
++      if (t >= tend)    return 0;
+       if (*t++ != *q++)	return 0;
+       lowlen--;
+     }
+-- 
+1.8.3.1
+
diff --git a/ruby.spec b/ruby.spec
index 0a0fb61..89dd52d 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -1,6 +1,6 @@
 Name:      ruby
 Version:   2.5.1
-Release:   103
+Release:   104
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       http://ruby-lang.org/
@@ -46,6 +46,11 @@ Patch6003: CVE-2019-8322-8323-8324-8325.patch
 Patch6004: CVE-2019-15845.patch
 Patch6005: CVE-2019-16201.patch
 Patch6006: CVE-2019-16254.patch
+Patch6007: CVE-2019-16255.patch 
+Patch6008: CVE-2019-19204.patch
+Patch6009: CVE-2019-19246.patch
+Patch6010: CVE-2019-16163.patch
+
 
 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@@ -583,6 +588,12 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.*
 
 %changelog
+* Mon Feb 03 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.5.1-104
+- Type:cves
+- ID:CVE-2019-16163 CVE-2019-19204 CVE-2019-16255 CVE-2019-19246
+- SUG:N/A
+- DESC:fix CVE-2019-16163CVE-2019-19204CVE-2019-16255CVE-2019-19246
+
 * Mon Feb 03 2020 Yiru Wang <wangyiru1@huawei.com> - 2.5.1-103
 - Type:cves
 - ID:CVE-2019-16254