fix CVE-2019-19204 CVE-2019-19246 CVE-2019-16161 CVE-2019-16162 CVE-2019-16163

2022-07-01 15:05:44 +08:00 · 2022-07-01 15:05:44 +08:00 · e17bce8a04
commit e17bce8a04
parent 3faaa4272d
6 changed files with 184 additions and 1 deletions
--- a/backport-CVE-2019-16161.patch
+++ b/backport-CVE-2019-16161.patch
@ -0,0 +1,31 @@
 From 00cc7e28a3ed54b3b512ef3b58ea737a57acf1f9 Mon Sep 17 00:00:00 2001
 From: "K.Takata" <kentkt@csc.jp>
 Date: Mon, 29 Jul 2019 20:15:26 +0900
 Subject: [PATCH] Fix SEGV in onig_error_code_to_str() (Fix #132)
 When onig_new(ONIG_SYNTAX_PERL) fails with ONIGERR_INVALID_GROUP_NAME,
 onig_error_code_to_str() crashes.
 onig_scan_env_set_error_string() should have been used when returning
 ONIGERR_INVALID_GROUP_NAME.
 ---
 regparse.c | 6 +++++-
 testpy.py  | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)
 diff -Naur a/regparse.c b/regparse.c
 --- a/regparse.c	2020-08-06 14:39:34.822618517 -0400
 +++ b/regparse.c	2020-08-06 14:42:49.332618517 -0400
@@ -3891,7 +3891,11 @@
 	  if (c == 'R' || c == '0') {
 	    PINC;   /* skip 'R' / '0' */
 -	    if (!PPEEK_IS(')')) return ONIGERR_INVALID_GROUP_NAME;
 +	    if (!PPEEK_IS(')')) {
 +	      r = ONIGERR_INVALID_GROUP_NAME;
 +	      onig_scan_env_set_error_string(env, r, p - 1, p + 1);
 +	      return r;
 +	    }
 	    PINC;   /* skip ')' */
 	    name_end = name = p;
 	    gnum = 0;
--- a/backport-CVE-2019-16162.patch
+++ b/backport-CVE-2019-16162.patch
@ -0,0 +1,41 @@
 From d4cf99d30bd5f6a8a4ababd0b9d7b06f3a479a24 Mon Sep 17 00:00:00 2001
 From: "K.Takata" <kentkt@csc.jp>
 Date: Thu, 1 Aug 2019 21:27:51 +0900
 Subject: [PATCH] Fix out-of-bounds read in parse_char_class() (Close #139)
 /[\x{111111}]/ causes out-of-bounds read when encoding is a single byte
 encoding. \x{111111} is an invalid codepoint for a single byte encoding.
 Check if it is a valid codepoint.
 ---
 regenc.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
 diff -Naur a/regenc.c b/regenc.c
 --- a/regenc.c  2020-10-20 14:19:32.284000000 +0800
 +++ b/regenc.c  2020-10-20 14:22:55.412000000 +0800
@@ -625,18 +625,23 @@
 }
 extern int
 -onigenc_single_byte_code_to_mbclen(OnigCodePoint code ARG_UNUSED, OnigEncoding enc ARG_UNUSED)
 +onigenc_single_byte_code_to_mbclen(OnigCodePoint code, OnigEncoding enc ARG_UNUSED)
 {
 +  if (code > 0xff)
 +    return ONIGERR_INVALID_CODE_POINT_VALUE;
   return 1;
 }
 extern int
 onigenc_single_byte_code_to_mbc(OnigCodePoint code, UChar *buf, OnigEncoding enc ARG_UNUSED)
 {
 +  if (code > 0xff) {
 #ifdef RUBY
 -  if (code > 0xff)
     rb_raise(rb_eRangeError, "%u out of char range", code);
 +#else
 +    return ONIGERR_INVALID_CODE_POINT_VALUE;
 #endif
 +    }
   *buf = (UChar )(code & 0xff);
   return 1;
 }
--- a/backport-CVE-2019-16163.patch
+++ b/backport-CVE-2019-16163.patch
@ -0,0 +1,56 @@
 From 4097828d7cc87589864fecf452f2cd46c5f37180 Mon Sep 17 00:00:00 2001
 From: "K.Kosako" <kosako@sofnec.co.jp>
 Date: Mon, 29 Jul 2019 12:52:56 +0900
 Subject: [PATCH] fix #147: Stack Exhaustion Problem caused by some parsing
 functions in regcomp.c making recursive calls to themselves.
 ---
 regparse.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
 diff --git a/regparse.c b/regparse.c
 index f7177db..c07fccd 100644
 --- a/regparse.c
 +++ b/regparse.c
@@ -4568,6 +4568,7 @@ parse_char_class(Node** np, Node** asc_np, OnigToken* tok, UChar** src, UChar* e
   env->parse_depth++;
   if (env->parse_depth > ParseDepthLimit)
     return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
 +
   prev_cc = asc_prev_cc = (CClassNode* )NULL;
   r = fetch_token_in_cc(tok, src, end, env);
   if (r == TK_CHAR && tok->u.c == '^' && tok->escaped == 0) {
@@ -6514,14 +6515,18 @@ static int
 parse_exp(Node** np, OnigToken* tok, int term,
 	  UChar** src, UChar* end, ScanEnv* env)
 {
 -  int r, len, group = 0;
 +  int r, len, group;
   Node* qn;
   Node** targetp;
 +  unsigned int parse_depth;
 +  group = 0;
   *np = NULL;
   if (tok->type == (enum TokenSyms )term)
     goto end_of_token;
 +  parse_depth = env->parse_depth;
 +
   switch (tok->type) {
   case TK_ALT:
   case TK_EOT:
@@ -6832,6 +6837,10 @@ parse_exp(Node** np, OnigToken* tok, int term,
       if (is_invalid_quantifier_target(*targetp))
 	return ONIGERR_TARGET_OF_REPEAT_OPERATOR_INVALID;
 +      parse_depth++;
 +      if (parse_depth > ParseDepthLimit)
 +        return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
 +
       qn = node_new_quantifier(tok->u.repeat.lower, tok->u.repeat.upper,
 			       (r == TK_INTERVAL ? 1 : 0));
       CHECK_NULL_RETURN_MEMERR(qn);
 -- 
 1.8.3.1
--- a/backport-CVE-2019-19204.patch
+++ b/backport-CVE-2019-19204.patch
@ -0,0 +1,23 @@
 From 6eb4aca6a7f2f60f473580576d86686ed6a6ebec Mon Sep 17 00:00:00 2001
 From: "K.Kosako" <kosako@sofnec.co.jp>
 Date: Wed, 6 Nov 2019 17:32:29 +0900
 Subject: [PATCH] fix #162: heap-buffer-overflow in fetch_interval_quantifier
 due to double PFETCH
 ---
 regparse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/regparse.c b/regparse.c
 index 324c414..70c36d5 100644
 --- a/regparse.c
 +++ b/regparse.c
@@ -4178,7 +4178,7 @@ fetch_interval_quantifier(UChar** src, UChar* end, PToken* tok, ScanEnv* env)
   if (PEND) goto invalid;
   PFETCH(c);
   if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_BRACE_INTERVAL)) {
 -    if (c != MC_ESC(env->syntax)) goto invalid;
 +    if (c != MC_ESC(env->syntax) || PEND) goto invalid;
     if (PEND) goto invalid;
     PFETCH(c);
   }
--- a/backport-CVE-2019-19246.patch
+++ b/backport-CVE-2019-19246.patch
@ -0,0 +1,24 @@
 From d3e402928b6eb3327f8f7d59a9edfa622fec557b Mon Sep 17 00:00:00 2001
 From: "K.Kosako" <kosako@sofnec.co.jp>
 Date: Tue, 13 Aug 2019 13:37:30 +0900
 Subject: [PATCH] fix heap-buffer-overflow
 ---
 regexec.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/regexec.c b/regexec.c
 index 4582c35..8a17ee7 100644
 --- a/regexec.c
 +++ b/regexec.c
@@ -3255,6 +3255,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag,
     lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf);
     q = lowbuf;
     while (lowlen > 0) {
 +      if (t >= tend)    return 0;
       if (*t++ != *q++)	return 0;
       lowlen--;
     }
 -- 
 1.8.3.1
--- a/ruby.spec
+++ b/ruby.spec
@ -33,7 +33,7 @@
 Name:      ruby
 Version:   %{ruby_version}
-Release:   123
+Release:   124
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/en/
@ -171,6 +171,11 @@ Patch53: ruby-3.1.0-SSL_read-EOF-handling.patch
 Patch6000: backport-Add-tests-for-template-stylesheets-option.patch
 Patch6001: backport-CVE-2022-28738.patch
 Patch6002: backport-CVE-2022-28739.patch
 Patch6003: backport-CVE-2019-19204.patch
 Patch6004: backport-CVE-2019-19246.patch
 Patch6005: backport-CVE-2019-16161.patch
 Patch6006: backport-CVE-2019-16162.patch
 Patch6007: backport-CVE-2019-16163.patch
 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@ -1183,6 +1188,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed
 %changelog
 * Fri Jul 01 2022 wangjiang <wangjiang37@h-partners.com> - 3.0.3-124
 - fix CVE-2019-19204 CVE-2019-19246 CVE-2019-16161 CVE-2019-16162 CVE-2019-16163
 * Sun May 29 2022 ExtinctFire <shenyining_00@126.com> - 3.0.3-123
 - fix CVE-2022-28738 CVE-2022-28739