[kirkstone,1/1] ruby: fix CVE-2024-27280

Message ID	20240621122527.2552863-1-yogita.urade@windriver.com
State	Accepted
Delegated to:	Steve Sakoman
Headers	show Return-Path: <Yogita.Urade@windriver.com> ip: 205.220.178.238, mailfrom: prvs=690294a050=yogita.urade@windriver.com) From: yurade <yogita.urade@windriver.com> To: <openembedded-core@lists.openembedded.org> Subject: [OE-core][kirkstone][PATCH 1/1] ruby: fix CVE-2024-27280 Date: Fri, 21 Jun 2024 12:25:27 +0000 Message-ID: <20240621122527.2552863-1-yogita.urade@windriver.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	[kirkstone,1/1] ruby: fix CVE-2024-27280 \| expand [kirkstone,1/1] ruby: fix CVE-2024-27280

Message ID

20240621122527.2552863-1-yogita.urade@windriver.com

State

Accepted

Delegated to:

Steve Sakoman

Headers

From: yurade <yogita.urade@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: [OE-core][kirkstone][PATCH 1/1] ruby: fix CVE-2024-27280
Date: Fri, 21 Jun 2024 12:25:27 +0000
Message-ID: <20240621122527.2552863-1-yogita.urade@windriver.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

[kirkstone,1/1] ruby: fix CVE-2024-27280 | expand

Commit Message

yurade June 21, 2024, 12:25 p.m. UTC

From: Yogita Urade <yogita.urade@windriver.com>

A buffer-overread issue was discovered in StringIO 3.0.1, as
distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through
3.1.4. The ungetbyte and ungetc methods on a StringIO can
read past the end of a string, and a subsequent call to
StringIO.gets may return the memory value. 3.0.3 is the main
fixed version; however, for Ruby 3.0 users, a fixed version
is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version
is stringio 3.0.1.2.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-27280

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../ruby/ruby/CVE-2024-27280.patch            | 87 +++++++++++++++++++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |  1 +
 2 files changed, 88 insertions(+)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch
new file mode 100644
index 0000000000..2595feb6e9
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch
@@ -0,0 +1,87 @@ 
+From a35268a3ac1b5f0058e5b7c1a041a7e86d9da067 Mon Sep 17 00:00:00 2001
+From: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Date: Mon, 10 Jun 2024 11:46:53 +0000
+Subject: [PATCH] Fix expanding size at ungetc/ungetbyte
+
+CVE: CVE-2024-27280
+Upstream-Status: Backport [https://github.com/ruby/stringio/commit/a35268a3ac1b5f0058e5b7c1a041a7e86d9da067]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ ext/stringio/stringio.c        |  2 +-
+ test/stringio/test_stringio.rb | 25 +++++++++++++++++++++----
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
+index 8df07e8..b2e8632 100644
+--- a/ext/stringio/stringio.c
++++ b/ext/stringio/stringio.c
+@@ -984,7 +984,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl)
+     len = RSTRING_LEN(str);
+     rest = pos - len;
+     if (cl > pos) {
+-	long ex = (rest < 0 ? cl-pos : cl+rest);
++        long ex = cl - (rest < 0 ? pos : len);
+	rb_str_modify_expand(str, ex);
+	rb_str_set_len(str, len + ex);
+	s = RSTRING_PTR(str);
+diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
+index e0b4504..4853513 100644
+--- a/test/stringio/test_stringio.rb
++++ b/test/stringio/test_stringio.rb
+@@ -757,6 +757,15 @@ class TestStringIO < Test::Unit::TestCase
+     assert_equal("b""\0""a", s.string)
+   end
+
++  def test_ungetc_fill
++    count = 100
++    s = StringIO.new
++    s.print 'a' * count
++    s.ungetc('b' * (count * 5))
++    assert_equal((count * 5), s.string.size)
++    assert_match(/\Ab+\z/, s.string)
++  end
++
+   def test_ungetbyte_pos
+     b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011'
+     s = StringIO.new( b )
+@@ -782,6 +791,15 @@ class TestStringIO < Test::Unit::TestCase
+     assert_equal("b""\0""a", s.string)
+   end
+
++  def test_ungetbyte_fill
++    count = 100
++    s = StringIO.new
++    s.print 'a' * count
++    s.ungetbyte('b' * (count * 5))
++    assert_equal((count * 5), s.string.size)
++    assert_match(/\Ab+\z/, s.string)
++  end
++
+   def test_frozen
+     s = StringIO.new
+     s.freeze
+@@ -825,18 +843,17 @@ class TestStringIO < Test::Unit::TestCase
+   end
+
+   def test_overflow
+-    omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
++    return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
+     limit = RbConfig::LIMITS["INTPTR_MAX"] - 0x10
+     assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
+     begin;
+       limit = #{limit}
+       ary = []
+-      while true
++      begin
+         x = "a"*0x100000
+         break if [x].pack("p").unpack("i!")[0] < 0
+         ary << x
+-        omit if ary.size > 100
+-      end
++      end while ary.size <= 100
+       s = StringIO.new(x)
+       s.gets("xxx", limit)
+       assert_equal(0x100000, s.pos)
+--
+2.40.0
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index 4f7c9cb10b..63bb017839 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -34,6 +34,7 @@  SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
            file://CVE-2023-36617_1.patch \
            file://CVE-2023-36617_2.patch \
            file://CVE-2024-27281.patch \
+           file://CVE-2024-27280.patch \
            "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"

[kirkstone,1/1] ruby: fix CVE-2024-27280

Commit Message

Patch