packages/ruby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!127 fix CVE-2023-36617

Browse Source 
From: @tong_1001 
Reviewed-by: @openeuler-basic 
Signed-off-by: @openeuler-basic
This commit is contained in:
openeuler-ci-bot 2023-07-08 06:16:54 +00:00 committed by Gitee
commit 8f8bef3d11
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 111 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
backport-CVE-2023-36617.patch Normal file
View File

@ -0,0 +1,106 @@
From 616926b55e306a0704254a7ddfd6e9834d06c7f2 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
Date: Thu, 29 Jun 2023 22:25:17 +0900
Subject: [PATCH] CVE-2023-36617 for Ruby 3.0 (#7997)
* Merge URI-0.10.3
* Merge URI-0.10.0.3 for Bundler
---
.../vendor/uri/lib/uri/rfc2396_parser.rb | 4 ++--
.../vendor/uri/lib/uri/rfc3986_parser.rb | 2 +-
lib/uri/rfc2396_parser.rb | 4 ++--
lib/uri/rfc3986_parser.rb | 2 +-
test/uri/test_parser.rb | 22 +++++++++++++++++++
5 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
index a0d62ed..7634e16 100644
--- a/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
+++ b/lib/bundler/vendor/uri/lib/uri/rfc2396_parser.rb
@@ -504,8 +504,8 @@ module Bundler::URI
ret = {}
# for Bundler::URI::split
- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
# for Bundler::URI::extract
ret[:URI_REF] = Regexp.new(pattern[:URI_REF])
diff --git a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
index 07ef439..34093df 100644
--- a/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
+++ b/lib/bundler/vendor/uri/lib/uri/rfc3986_parser.rb
@@ -106,7 +106,7 @@ module Bundler::URI
QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
OPAQUE: /\A(?:[^\/].*)?\z/,
- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
+ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
}
end
diff --git a/lib/uri/rfc2396_parser.rb b/lib/uri/rfc2396_parser.rb
index c719aa0..253c54b 100644
--- a/lib/uri/rfc2396_parser.rb
+++ b/lib/uri/rfc2396_parser.rb
@@ -491,8 +491,8 @@ module URI
ret = {}
# for URI::split
- ret[:ABS_URI] = Regexp.new('\A\s*' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
- ret[:REL_URI] = Regexp.new('\A\s*' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:ABS_URI] = Regexp.new('\A\s*+' + pattern[:X_ABS_URI] + '\s*\z', Regexp::EXTENDED)
+ ret[:REL_URI] = Regexp.new('\A\s*+' + pattern[:X_REL_URI] + '\s*\z', Regexp::EXTENDED)
# for URI::extract
ret[:URI_REF] = Regexp.new(pattern[:URI_REF])
diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb
index 145d845..5a9e44e 100644
--- a/lib/uri/rfc3986_parser.rb
+++ b/lib/uri/rfc3986_parser.rb
@@ -95,7 +95,7 @@ module URI
QUERY: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
FRAGMENT: /\A(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*\z/,
OPAQUE: /\A(?:[^\/].*)?\z/,
- PORT: /\A[\x09\x0a\x0c\x0d ]*\d*[\x09\x0a\x0c\x0d ]*\z/,
+ PORT: /\A[\x09\x0a\x0c\x0d ]*+\d*[\x09\x0a\x0c\x0d ]*\z/,
}
end
diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb
index 37e7107..e2f50cf 100644
--- a/test/uri/test_parser.rb
+++ b/test/uri/test_parser.rb
@@ -65,4 +65,26 @@ class URI::TestParser < Test::Unit::TestCase
assert_equal([nil, nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("//example.com"))
assert_equal([nil, nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("//[0::0]"))
end
+
+ def test_rfc2822_parse_relative_uri
+ pre = ->(length) {
+ " " * length + "\0"
+ }
+ parser = URI::RFC2396_Parser.new
+ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |uri|
+ assert_raise(URI::InvalidURIError) do
+ parser.split(uri)
+ end
+ end
+ end
+
+ def test_rfc3986_port_check
+ pre = ->(length) {"\t" * length + "a"}
+ uri = URI.parse("http://my.example.com")
+ assert_linear_performance((1..5).map {|i| 10**i}, pre: pre) do |port|
+ assert_raise(URI::InvalidComponentError) do
+ uri.port = port
+ end
+ end
+ end
end
--
2.27.0

6
ruby.spec
View File

@ -33,7 +33,7 @@
Name: ruby Name: ruby
Version: %{ruby_version} Version: %{ruby_version}
Release: 130 Release: 131
Summary: Object-oriented scripting language interpreter Summary: Object-oriented scripting language interpreter
License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD
URL: https://www.ruby-lang.org/en/ URL: https://www.ruby-lang.org/en/
@ -187,6 +187,7 @@ Patch6015: backport-0002-CVE-2023-28755.patch
Patch6016: backport-0001-CVE-2023-28756.patch Patch6016: backport-0001-CVE-2023-28756.patch
Patch6017: backport-0002-CVE-2023-28756.patch Patch6017: backport-0002-CVE-2023-28756.patch
Patch6018: backport-0003-CVE-2023-28756.patch Patch6018: backport-0003-CVE-2023-28756.patch
Patch6019: backport-CVE-2023-36617.patch
Provides: %{name}-libs = %{version}-%{release} Provides: %{name}-libs = %{version}-%{release}
Obsoletes: %{name}-libs < %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release}
@ -1185,6 +1186,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13}
%doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed
%changelog %changelog
* Sat Jul 08 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-131
- fix CVE-2023-36617
* Fri Jun 02 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-130 * Fri Jun 02 2023 shixuantong <shixuantong1@huawei.com> - 3.0.3-130
- remove rubygem-power_assert - remove rubygem-power_assert