From 0a21f35a3432370ab26cb94b51024edb3d37fbdf Mon Sep 17 00:00:00 2001 From: sxt1001 Date: Tue, 11 Apr 2023 11:25:50 +0800 Subject: [PATCH] fix CVE-2023-28755 CVE-2023-28756 (cherry picked from commit a011562aeb90e070502a2e6a677c9fa105395897) --- backport-0001-CVE-2023-28755.patch | 35 +++++++++++++++++++ backport-0001-CVE-2023-28756.patch | 33 ++++++++++++++++++ backport-0002-CVE-2023-28755.patch | 28 +++++++++++++++ backport-0002-CVE-2023-28756.patch | 28 +++++++++++++++ backport-0003-CVE-2023-28756.patch | 26 ++++++++++++++ backport-Fix-splitting-relative-URI.patch | 42 +++++++++++++++++++++++ ruby.spec | 11 +++++- 7 files changed, 202 insertions(+), 1 deletion(-) create mode 100644 backport-0001-CVE-2023-28755.patch create mode 100644 backport-0001-CVE-2023-28756.patch create mode 100644 backport-0002-CVE-2023-28755.patch create mode 100644 backport-0002-CVE-2023-28756.patch create mode 100644 backport-0003-CVE-2023-28756.patch create mode 100644 backport-Fix-splitting-relative-URI.patch diff --git a/backport-0001-CVE-2023-28755.patch b/backport-0001-CVE-2023-28755.patch new file mode 100644 index 0000000..80e35d9 --- /dev/null +++ b/backport-0001-CVE-2023-28755.patch @@ -0,0 +1,35 @@ +From c92e40e871b8bc076ee039c428f8d176125265f9 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Mon, 10 Jan 2022 01:12:57 +0900 +Subject: [PATCH 2/5] Test for quadratic backtracking on invalid URI + +https://hackerone.com/reports/1444501 +--- + test/uri/test_common.rb | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/test/uri/test_common.rb b/test/uri/test_common.rb +index 1afa35f..2b877c1 100644 +--- a/test/uri/test_common.rb ++++ b/test/uri/test_common.rb +@@ -56,6 +56,17 @@ class TestCommon < Test::Unit::TestCase + assert_raise(NoMethodError) { Object.new.URI("http://www.ruby-lang.org/") } + end + ++ def test_parse_timeout ++ pre = ->(n) { ++ 'https://example.com/dir/' + 'a' * (n * 100) + '/##.jpg' ++ } ++ assert_linear_performance((1..10).map {|i| i * 100}, pre: pre) do |uri| ++ assert_raise(URI::InvalidURIError) do ++ URI.parse(uri) ++ end ++ end ++ end ++ + def test_encode_www_form_component + assert_equal("%00+%21%22%23%24%25%26%27%28%29*%2B%2C-.%2F09%3A%3B%3C%3D%3E%3F%40" \ + "AZ%5B%5C%5D%5E_%60az%7B%7C%7D%7E", +-- +2.33.0 + diff --git a/backport-0001-CVE-2023-28756.patch b/backport-0001-CVE-2023-28756.patch new file mode 100644 index 0000000..b69c1cd --- /dev/null +++ b/backport-0001-CVE-2023-28756.patch @@ -0,0 +1,33 @@ +From f994e267519215d51fa762e3114f1019dd8e2722 Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Fri, 24 Mar 2023 17:11:36 +0900 +Subject: [PATCH 1/5] Test for quadratic backtracking on invalid time + +https://hackerone.com/reports/1485501 +--- + test/test_time.rb | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/test/test_time.rb b/test/test_time.rb +index ca20788..4f11048 100644 +--- a/test/test_time.rb ++++ b/test/test_time.rb +@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc: + assert_equal(true, t.utc?) + end + ++ def test_rfc2822_nonlinear ++ pre = ->(n) {"0 Feb 00 00 :00" + " " * n} ++ assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s| ++ assert_raise(ArgumentError) do ++ Time.rfc2822(s) ++ end ++ end ++ end ++ + def test_encode_rfc2822 + t = Time.utc(1) + assert_equal("Mon, 01 Jan 0001 00:00:00 -0000", t.rfc2822) +-- +2.33.0 + diff --git a/backport-0002-CVE-2023-28755.patch b/backport-0002-CVE-2023-28755.patch new file mode 100644 index 0000000..ed65086 --- /dev/null +++ b/backport-0002-CVE-2023-28755.patch @@ -0,0 +1,28 @@ +From d8b9a843d04b2410f21a59e68c50d5553eedccf6 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Mon, 10 Jan 2022 01:12:57 +0900 +Subject: [PATCH 3/5] Fix quadratic backtracking on invalid URI + +https://hackerone.com/reports/1444501 +--- + lib/uri/rfc3986_parser.rb | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index 75fd5b1..145d845 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -3,8 +3,8 @@ module URI + class RFC3986_Parser # :nodoc: + # URI defined in RFC3986 + # this regexp is modified not to host is not empty string +- RFC3986_URI = /\A(?(?[A-Za-z][+\-.0-9A-Za-z]*):(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?\g(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ +- RFC3986_relative_ref = /\A(?(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?(?(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ ++ RFC3986_URI = /\A(?(?[A-Za-z][+\-.0-9A-Za-z]*+):(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?\d*+))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g)*+)?)|(?\g(?:\/\g)*+)|(?))(?:\?(?[^#]*+))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ ++ RFC3986_relative_ref = /\A(?(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*+)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h++\.[!$&-.0-;=A-Z_a-z~]++))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])++))?(?::(?\d*+))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*+))*+)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])++)(?:\/\g)*+)?)|(?(?(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])++)(?:\/\g)*+)|(?))(?:\?(?[^#]*+))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*+))?)\z/ + attr_reader :regexp + + def initialize +-- +2.33.0 + diff --git a/backport-0002-CVE-2023-28756.patch b/backport-0002-CVE-2023-28756.patch new file mode 100644 index 0000000..09418cf --- /dev/null +++ b/backport-0002-CVE-2023-28756.patch @@ -0,0 +1,28 @@ +From 3765d119ca03db067f9cd292752389983e2821eb Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Tue, 29 Nov 2022 16:22:15 +0900 +Subject: [PATCH 2/5] Fix quadratic backtracking on invalid time + +https://hackerone.com/reports/1485501 +--- + lib/time.rb | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/time.rb b/lib/time.rb +index 625c2c8..ac17410 100644 +--- a/lib/time.rb ++++ b/lib/time.rb +@@ -506,8 +506,8 @@ class Time + (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+ + (\d{2,})\s+ + (\d{2})\s* +- :\s*(\d{2})\s* +- (?::\s*(\d{2}))?\s+ ++ :\s*(\d{2}) ++ (?:\s*:\s*(\d{2}))?\s+ + ([+-]\d{4}| + UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date + # Since RFC 2822 permit comments, the regexp has no right anchor. +-- +2.33.0 + diff --git a/backport-0003-CVE-2023-28756.patch b/backport-0003-CVE-2023-28756.patch new file mode 100644 index 0000000..80dfff9 --- /dev/null +++ b/backport-0003-CVE-2023-28756.patch @@ -0,0 +1,26 @@ +From a8acce46ffa334b1edd3767b52bc5ece1664171d Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Fri, 30 Dec 2022 14:32:05 +0900 +Subject: [PATCH 3/5] Make RFC2822 regexp linear + +https://hackerone.com/reports/1485501 +--- + lib/time.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/time.rb b/lib/time.rb +index ac17410..8af482c 100644 +--- a/lib/time.rb ++++ b/lib/time.rb +@@ -507,7 +507,7 @@ class Time + (\d{2,})\s+ + (\d{2})\s* + :\s*(\d{2}) +- (?:\s*:\s*(\d{2}))?\s+ ++ (?:\s*:\s*(\d\d))?\s+ + ([+-]\d{4}| + UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date + # Since RFC 2822 permit comments, the regexp has no right anchor. +-- +2.33.0 + diff --git a/backport-Fix-splitting-relative-URI.patch b/backport-Fix-splitting-relative-URI.patch new file mode 100644 index 0000000..ce483f1 --- /dev/null +++ b/backport-Fix-splitting-relative-URI.patch @@ -0,0 +1,42 @@ +From cff9d743242f7c50e8e5cf350a8c3e60bb00f1dc Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Fri, 24 Mar 2023 18:53:18 +0900 +Subject: [PATCH 1/5] Fix splitting relative URI + +--- + lib/uri/rfc3986_parser.rb | 2 +- + test/uri/test_parser.rb | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/uri/rfc3986_parser.rb b/lib/uri/rfc3986_parser.rb +index 49a594c..75fd5b1 100644 +--- a/lib/uri/rfc3986_parser.rb ++++ b/lib/uri/rfc3986_parser.rb +@@ -4,7 +4,7 @@ module URI + # URI defined in RFC3986 + # this regexp is modified not to host is not empty string + RFC3986_URI = /\A(?(?[A-Za-z][+\-.0-9A-Za-z]*):(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:)?\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?\g(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ +- RFC3986_relative_ref = /\A(?(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+)\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?(?(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ ++ RFC3986_relative_ref = /\A(?(?\/\/(?(?:(?(?:%\h\h|[!$&-.0-;=A-Z_a-z~])*)@)?(?(?\[(?:(?(?:\h{1,4}:){6}(?\h{1,4}:\h{1,4}|(?(?[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]|\d)\.\g\.\g\.\g))|::(?:\h{1,4}:){5}\g|\h{1,4}?::(?:\h{1,4}:){4}\g|(?:(?:\h{1,4}:){,1}\h{1,4})?::(?:\h{1,4}:){3}\g|(?:(?:\h{1,4}:){,2}\h{1,4})?::(?:\h{1,4}:){2}\g|(?:(?:\h{1,4}:){,3}\h{1,4})?::\h{1,4}:\g|(?:(?:\h{1,4}:){,4}\h{1,4})?::\g|(?:(?:\h{1,4}:){,5}\h{1,4})?::\h{1,4}|(?:(?:\h{1,4}:){,6}\h{1,4})?::)|(?v\h+\.[!$&-.0-;=A-Z_a-z~]+))\])|\g|(?(?:%\h\h|[!$&-.0-9;=A-Z_a-z~])+))?(?::(?\d*))?)(?(?:\/(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])*))*)|(?\/(?:(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~])+)(?:\/\g)*)?)|(?(?(?:%\h\h|[!$&-.0-9;=@-Z_a-z~])+)(?:\/\g)*)|(?))(?:\?(?[^#]*))?(?:\#(?(?:%\h\h|[!$&-.0-;=@-Z_a-z~\/?])*))?)\z/ + attr_reader :regexp + + def initialize +diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb +index b13a26c..37e7107 100644 +--- a/test/uri/test_parser.rb ++++ b/test/uri/test_parser.rb +@@ -58,4 +58,11 @@ class URI::TestParser < Test::Unit::TestCase + assert_equal("\u3042", p1.unescape('%e3%81%82'.force_encoding(Encoding::US_ASCII))) + assert_equal("\xe3\x83\x90\xe3\x83\x90", p1.unescape("\xe3\x83\x90%e3%83%90")) + end ++ ++ def test_split ++ assert_equal(["http", nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("http://example.com")) ++ assert_equal(["http", nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("http://[0::0]")) ++ assert_equal([nil, nil, "example.com", nil, nil, "", nil, nil, nil], URI.split("//example.com")) ++ assert_equal([nil, nil, "[0::0]", nil, nil, "", nil, nil, nil], URI.split("//[0::0]")) ++ end + end +-- +2.33.0 + diff --git a/ruby.spec b/ruby.spec index d1e9424..275cfe7 100644 --- a/ruby.spec +++ b/ruby.spec @@ -33,7 +33,7 @@ Name: ruby Version: %{ruby_version} -Release: 128 +Release: 129 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/en/ @@ -181,6 +181,12 @@ Patch6009: backport-0002-CVE-2021-33621.patch Patch6010: backport-Relax-domain-label-restrictions.patch Patch6011: backport-Fix-test_cgi_cookie_new_with_domain-to-pass-on-older.patch Patch6012: backport-Loosen-the-domain-regex-to-accept-.-29.patch +Patch6013: backport-Fix-splitting-relative-URI.patch +Patch6014: backport-0001-CVE-2023-28755.patch +Patch6015: backport-0002-CVE-2023-28755.patch +Patch6016: backport-0001-CVE-2023-28756.patch +Patch6017: backport-0002-CVE-2023-28756.patch +Patch6018: backport-0003-CVE-2023-28756.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -1193,6 +1199,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed %changelog +* Tue Apr 11 2023 shixuantong - 3.0.3-129 +- fix CVE-2023-28755 CVE-2023-28756 + * Thu Jan 05 2023 shixuantong - 3.0.3-128 - fix CVE-2021-33621