fix CVE-2023-36617

2023-07-08 11:36:42 +08:00 · 2023-07-08 11:36:42 +08:00 · 4be3377293
commit 4be3377293
parent a6c81a2e1c
2 changed files with 111 additions and 1 deletions
--- a/backport-CVE-2023-36617.patch
+++ b/backport-CVE-2023-36617.patch
@ -0,0 +1,106 @@
+From 616926b55e306a0704254a7ddfd6e9834d06c7f2 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Thu, 29 Jun 2023 22:25:17 +0900
+Subject: [PATCH] CVE-2023-36617 for Ruby 3.0 (#7997)
+
+* Merge URI-0.10.3
+
+* Merge URI-0.10.0.3 for Bundler
+---
+ .../vendor/uri/lib/uri/rfc2396_parser.rb      |  4 ++--
+ .../vendor/uri/lib/uri/rfc3986_parser.rb      |  2 +-
+ lib/uri/rfc2396_parser.rb                     |  4 ++--
+ lib/uri/rfc3986_parser.rb                     |  2 +-
+ test/uri/test_parser.rb                       | 22 +++++++++++++++++++
+ 5 files changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
+index a0d62ed..7634e16 100644
+--- a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
+++ b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
+@@ -504,8 +504,8 @@ module Bundler::URI
+       ret = {}
+ 
+       # for Bundler::URI::split
+-      ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+-      ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+      ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+      ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ 
+       # for Bundler::URI::extract
+       ret[:URI_REF]     = Regexp.new(pattern[:URI_REF])
+diff --git a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+index 07ef439..34093df 100644
+--- a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+++ b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+@@ -106,7 +106,7 @@ module Bundler::URI
+         QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         OPAQUE: /\A(?:[^\/].*)?\z/,
+-        PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
+        PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
+       }
+     end
+ 
+diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb
+index c719aa0..253c54b 100644
+--- a/lib/uri/rfc2396_parser.rb
+++ b/lib/uri/rfc2396_parser.rb
+@@ -491,8 +491,8 @@ module URI
+       ret = {}
+ 
+       # for URI::split
+-      ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+-      ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+      ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+      ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ 
+       # for URI::extract
+       ret[:URI_REF]     = Regexp.new(pattern[:URI_REF])
+diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb
+index 145d845..5a9e44e 100644
+--- a/lib/uri/rfc3986_parser.rb
+++ b/lib/uri/rfc3986_parser.rb
+@@ -95,7 +95,7 @@ module URI
+         QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
+         OPAQUE: /\A(?:[^\/].*)?\z/,
+-        PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
+        PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
+       }
+     end
+ 
+diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb
+index 37e7107..e2f50cf 100644
+--- a/test/uri/test_parser.rb
+++ b/test/uri/test_parser.rb
+@@ -65,4 +65,26 @@ class URI::TestParser < Test::Unit::TestCase
+     assert_equal([nil, nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("//example.com"))
+     assert_equal([nil, nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("//[0::0]"))
+   end
+
+  def test_rfc2822_parse_relative_uri
+    pre = ->(length) {
+      " " * length + "\0"
+    }
+    parser = URI::RFC2396_Parser.new
+    assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri|
+      assert_raise(URI::InvalidURIError) do
+        parser.split(uri)
+      end
+    end
+  end
+
+  def test_rfc3986_port_check
+    pre = ->(length) {"\t" * length + "a"}
+    uri = URI.parse("http://my.example.com")
+    assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port|
+      assert_raise(URI::InvalidComponentError) do
+        uri.port = port
+      end
+    end
+  end
+ end
+-- 
+2.27.0
+
--- a/ruby.spec
+++ b/ruby.spec
@ -33,7 +33,7 @@

 Name:      ruby
 Version:   %{ruby_version}
-Release:   130
+Release:   131
 Summary:   Object-oriented scripting language interpreter
 License:   (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
 URL:       https://www.ruby-lang.org/en/
@ -187,6 +187,7 @@ Patch6015: backport-0002-CVE-2023-28755.patch
 Patch6016: backport-0001-CVE-2023-28756.patch
 Patch6017: backport-0002-CVE-2023-28756.patch
 Patch6018: backport-0003-CVE-2023-28756.patch
+Patch6019: backport-CVE-2023-36617.patch

 Provides:  %{name}-libs = %{version}-%{release}
 Obsoletes: %{name}-libs < %{version}-%{release}
@ -1185,6 +1186,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
 %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed

 %changelog
+* Sat Jul 08 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-131
+- fix CVE-2023-36617
+
 * Fri Jun 02 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-130
 - remove rubygem-power_assert