!81 fix CVE-2019-19204 CVE-2019-19246 CVE-2019-16161 CVE-2019-16162 CVE-2019-16163

From: @wangjiang37 Reviewed-by: @ruebb Signed-off-by: @ruebb
2022-07-06 02:01:14 +00:00 · 2022-07-06 02:01:14 +00:00 · e53eb21176
commit e53eb21176
parent 3faaa4272d e17bce8a04
6 changed files with 184 additions and 1 deletions
--- a/backport-CVE-2019-16161.patch
+++ b/backport-CVE-2019-16161.patch
@ -0,0 +1,31 @@
+From 00cc7e28a3ed54b3b512ef3b58ea737a57acf1f9 Mon Sep 17 00:00:00 2001
+From: "K.Takata" <kentkt@csc.jp>
+Date: Mon, 29 Jul 2019 20:15:26 +0900
+Subject: [PATCH] Fix SEGV in onig_error_code_to_str() (Fix #132)
+ 
+When onig_new(ONIG_SYNTAX_PERL) fails with ONIGERR_INVALID_GROUP_NAME,
+onig_error_code_to_str() crashes.
+onig_scan_env_set_error_string() should have been used when returning
+ONIGERR_INVALID_GROUP_NAME.
+---
+ regparse.c | 6 +++++-
+ testpy.py  | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+ 
+diff -Naur a/regparse.c b/regparse.c
+--- a/regparse.c	2020-08-06 14:39:34.822618517 -0400
+++ b/regparse.c	2020-08-06 14:42:49.332618517 -0400
+@@ -3891,7 +3891,11 @@
+ 
+ 	  if (c == 'R' || c == '0') {
+ 	    PINC;   /* skip 'R' / '0' */
+-	    if (!PPEEK_IS(')')) return ONIGERR_INVALID_GROUP_NAME;
+	    if (!PPEEK_IS(')')) {
+	      r = ONIGERR_INVALID_GROUP_NAME;
+	      onig_scan_env_set_error_string(env, r, p - 1, p + 1);
+	      return r;
+	    }
+ 	    PINC;   /* skip ')' */
+ 	    name_end = name = p;
+ 	    gnum = 0;
+ 
--- a/backport-CVE-2019-16162.patch
+++ b/backport-CVE-2019-16162.patch
@ -0,0 +1,41 @@
+From d4cf99d30bd5f6a8a4ababd0b9d7b06f3a479a24 Mon Sep 17 00:00:00 2001
+From: "K.Takata" <kentkt@csc.jp>
+Date: Thu, 1 Aug 2019 21:27:51 +0900
+Subject: [PATCH] Fix out-of-bounds read in parse_char_class() (Close #139)
+ 
+/[\x{111111}]/ causes out-of-bounds read when encoding is a single byte
+encoding. \x{111111} is an invalid codepoint for a single byte encoding.
+Check if it is a valid codepoint.
+---
+ regenc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+ 
+diff -Naur a/regenc.c b/regenc.c
+--- a/regenc.c  2020-10-20 14:19:32.284000000 +0800
+++ b/regenc.c  2020-10-20 14:22:55.412000000 +0800
+@@ -625,18 +625,23 @@
+ }
+ 
+ extern int
+-onigenc_single_byte_code_to_mbclen(OnigCodePoint code ARG_UNUSED, OnigEncoding enc ARG_UNUSED)
+onigenc_single_byte_code_to_mbclen(OnigCodePoint code, OnigEncoding enc ARG_UNUSED)
+ {
+  if (code > 0xff)
+    return ONIGERR_INVALID_CODE_POINT_VALUE;
+   return 1;
+ }
+ 
+ extern int
+ onigenc_single_byte_code_to_mbc(OnigCodePoint code, UChar *buf, OnigEncoding enc ARG_UNUSED)
+ {
+  if (code > 0xff) {
+ #ifdef RUBY
+-  if (code > 0xff)
+     rb_raise(rb_eRangeError, "%u out of char range", code);
+#else
+    return ONIGERR_INVALID_CODE_POINT_VALUE;
+ #endif
+    }
+   *buf = (UChar )(code & 0xff);
+   return 1;
+ }
--- a/backport-CVE-2019-16163.patch
+++ b/backport-CVE-2019-16163.patch
@ -0,0 +1,56 @@
+From 4097828d7cc87589864fecf452f2cd46c5f37180 Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Mon, 29 Jul 2019 12:52:56 +0900
+Subject: [PATCH] fix #147: Stack Exhaustion Problem caused by some parsing
+ functions in regcomp.c making recursive calls to themselves.
+
+---
+ regparse.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+ 
+diff --git a/regparse.c b/regparse.c
+index f7177db..c07fccd 100644
+--- a/regparse.c
+++ b/regparse.c
+@@ -4568,6 +4568,7 @@ parse_char_class(Node** np, Node** asc_np, OnigToken* tok, UChar** src, UChar* e
+   env->parse_depth++;
+   if (env->parse_depth > ParseDepthLimit)
+     return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
+
+   prev_cc = asc_prev_cc = (CClassNode* )NULL;
+   r = fetch_token_in_cc(tok, src, end, env);
+   if (r == TK_CHAR && tok->u.c == '^' && tok->escaped == 0) {
+@@ -6514,14 +6515,18 @@ static int
+ parse_exp(Node** np, OnigToken* tok, int term,
+ 	  UChar** src, UChar* end, ScanEnv* env)
+ {
+-  int r, len, group = 0;
+  int r, len, group;
+   Node* qn;
+   Node** targetp;
+  unsigned int parse_depth;
+ 
+  group = 0;
+   *np = NULL;
+   if (tok->type == (enum TokenSyms )term)
+     goto end_of_token;
+ 
+  parse_depth = env->parse_depth;
+
+   switch (tok->type) {
+   case TK_ALT:
+   case TK_EOT:
+@@ -6832,6 +6837,10 @@ parse_exp(Node** np, OnigToken* tok, int term,
+       if (is_invalid_quantifier_target(*targetp))
+ 	return ONIGERR_TARGET_OF_REPEAT_OPERATOR_INVALID;
+ 
+      parse_depth++;
+      if (parse_depth > ParseDepthLimit)
+        return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
+
+       qn = node_new_quantifier(tok->u.repeat.lower, tok->u.repeat.upper,
+ 			       (r == TK_INTERVAL ? 1 : 0));
+       CHECK_NULL_RETURN_MEMERR(qn);
+-- 
+1.8.3.1
+ 
--- a/backport-CVE-2019-19204.patch
+++ b/backport-CVE-2019-19204.patch
@ -0,0 +1,23 @@
+From 6eb4aca6a7f2f60f473580576d86686ed6a6ebec Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Wed, 6 Nov 2019 17:32:29 +0900
+Subject: [PATCH] fix #162: heap-buffer-overflow in fetch_interval_quantifier
+ due to double PFETCH
+
+---
+ regparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+ 
+diff --git a/regparse.c b/regparse.c
+index 324c414..70c36d5 100644
+--- a/regparse.c
+++ b/regparse.c
+@@ -4178,7 +4178,7 @@ fetch_interval_quantifier(UChar** src, UChar* end, PToken* tok, ScanEnv* env)
+   if (PEND) goto invalid;
+   PFETCH(c);
+   if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_BRACE_INTERVAL)) {
+-    if (c != MC_ESC(env->syntax)) goto invalid;
+    if (c != MC_ESC(env->syntax) || PEND) goto invalid;
+     if (PEND) goto invalid;
+     PFETCH(c);
+   }
--- a/backport-CVE-2019-19246.patch
+++ b/backport-CVE-2019-19246.patch
@ -0,0 +1,24 @@
+From d3e402928b6eb3327f8f7d59a9edfa622fec557b Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Tue, 13 Aug 2019 13:37:30 +0900
+Subject: [PATCH] fix heap-buffer-overflow
+
+---
+ regexec.c | 1 +
+ 1 file changed, 1 insertion(+)
+ 
+diff --git a/regexec.c b/regexec.c
+index 4582c35..8a17ee7 100644
+--- a/regexec.c
+++ b/regexec.c
+@@ -3255,6 +3255,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag,
+     lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf);
+     q = lowbuf;
+     while (lowlen > 0) {
+      if (t >= tend)    return 0;
+       if (*t++ != *q++)	return 0;
+       lowlen--;
+     }
+-- 
+1.8.3.1
+ 
--- a/ruby.spec
+++ b/ruby.spec
@ -33,7 +33,7 @@

 Name:      ruby
 Version:   %{ruby_version}
-Release:   123
+Release:   124
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/en/
@ -171,6 +171,11 @@ Patch53: ruby-3.1.0-SSL_read-EOF-handling.patch
 Patch6000: backport-Add-tests-for-template-stylesheets-option.patch
 Patch6001: backport-CVE-2022-28738.patch
 Patch6002: backport-CVE-2022-28739.patch
+Patch6003: backport-CVE-2019-19204.patch
+Patch6004: backport-CVE-2019-19246.patch
+Patch6005: backport-CVE-2019-16161.patch
+Patch6006: backport-CVE-2019-16162.patch
+Patch6007: backport-CVE-2019-16163.patch

 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@ -1183,6 +1188,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed

 %changelog
+* Fri Jul 01 2022 wangjiang <wangjiang37@h-partners.com> - 3.0.3-124
+- fix CVE-2019-19204 CVE-2019-19246 CVE-2019-16161 CVE-2019-16162 CVE-2019-16163
+
 * Sun May 29 2022 ExtinctFire <shenyining_00@126.com> - 3.0.3-123
 - fix CVE-2022-28738 CVE-2022-28739