mirror of
https://git.yoctoproject.org/poky
synced 2026-03-10 09:19:41 +01:00
52f1435174
A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-27280 (From OE-Core rev: 729310d17310dff955c51811ff3339fdbc017b95) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
88 lines
2.7 KiB
Diff
88 lines
2.7 KiB
Diff
From a35268a3ac1b5f0058e5b7c1a041a7e86d9da067 Mon Sep 17 00:00:00 2001
|
|
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
|
|
Date: Mon, 10 Jun 2024 11:46:53 +0000
|
|
Subject: [PATCH] Fix expanding size at ungetc/ungetbyte
|
|
|
|
CVE: CVE-2024-27280
|
|
Upstream-Status: Backport [https://github.com/ruby/stringio/commit/a35268a3ac1b5f0058e5b7c1a041a7e86d9da067]
|
|
|
|
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
|
|
---
|
|
ext/stringio/stringio.c | 2 +-
|
|
test/stringio/test_stringio.rb | 25 +++++++++++++++++++++----
|
|
2 files changed, 22 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
|
|
index 8df07e8..b2e8632 100644
|
|
--- a/ext/stringio/stringio.c
|
|
+++ b/ext/stringio/stringio.c
|
|
@@ -984,7 +984,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl)
|
|
len = RSTRING_LEN(str);
|
|
rest = pos - len;
|
|
if (cl > pos) {
|
|
- long ex = (rest < 0 ? cl-pos : cl+rest);
|
|
+ long ex = cl - (rest < 0 ? pos : len);
|
|
rb_str_modify_expand(str, ex);
|
|
rb_str_set_len(str, len + ex);
|
|
s = RSTRING_PTR(str);
|
|
diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
|
|
index e0b4504..4853513 100644
|
|
--- a/test/stringio/test_stringio.rb
|
|
+++ b/test/stringio/test_stringio.rb
|
|
@@ -757,6 +757,15 @@ class TestStringIO < Test::Unit::TestCase
|
|
assert_equal("b""\0""a", s.string)
|
|
end
|
|
|
|
+ def test_ungetc_fill
|
|
+ count = 100
|
|
+ s = StringIO.new
|
|
+ s.print 'a' * count
|
|
+ s.ungetc('b' * (count * 5))
|
|
+ assert_equal((count * 5), s.string.size)
|
|
+ assert_match(/\Ab+\z/, s.string)
|
|
+ end
|
|
+
|
|
def test_ungetbyte_pos
|
|
b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011'
|
|
s = StringIO.new( b )
|
|
@@ -782,6 +791,15 @@ class TestStringIO < Test::Unit::TestCase
|
|
assert_equal("b""\0""a", s.string)
|
|
end
|
|
|
|
+ def test_ungetbyte_fill
|
|
+ count = 100
|
|
+ s = StringIO.new
|
|
+ s.print 'a' * count
|
|
+ s.ungetbyte('b' * (count * 5))
|
|
+ assert_equal((count * 5), s.string.size)
|
|
+ assert_match(/\Ab+\z/, s.string)
|
|
+ end
|
|
+
|
|
def test_frozen
|
|
s = StringIO.new
|
|
s.freeze
|
|
@@ -825,18 +843,17 @@ class TestStringIO < Test::Unit::TestCase
|
|
end
|
|
|
|
def test_overflow
|
|
- omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
|
|
+ return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
|
|
limit = RbConfig::LIMITS["INTPTR_MAX"] - 0x10
|
|
assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
|
|
begin;
|
|
limit = #{limit}
|
|
ary = []
|
|
- while true
|
|
+ begin
|
|
x = "a"*0x100000
|
|
break if [x].pack("p").unpack("i!")[0] < 0
|
|
ary << x
|
|
- omit if ary.size > 100
|
|
- end
|
|
+ end while ary.size <= 100
|
|
s = StringIO.new(x)
|
|
s.gets("xxx", limit)
|
|
assert_equal(0x100000, s.pos)
|
|
--
|
|
2.40.0
|