diff options
| author |   Joe Slater <jslater@windriver.com> | 2017-08-16 14:46:11 -0700 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-09-11 22:15:51 +0100 |
| commit | 7ba25f0d8d95ece5f5d56ace5b1e9c8c797efbc0 (patch) | |
| tree | fc533302b104e6a684f7f8ff0444b52fef958cfe | |
| parent | 450942db7f4638eba7ec262901fe1d7e1b1f6070 (diff) | |
| download | openembedded-core-contrib-7ba25f0d8d95ece5f5d56ace5b1e9c8c797efbc0.tar.gz | |
ruby: fix CVE-2017-9224
Use DATA_ENSURE(1) before access.
(From OE-Core rev: 9db907a0bd331c47c4882b82f9f1d2a7ef1f6d1f)
Signed-off-by: Joe Slater <jslater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixed up to get to apply
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9224.patch | 41 | ||||
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby_2.4.0.bb | 4 |
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9224.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9224.patch new file mode 100644 index 0000000000..848139b7e3 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9224.patch @@ -0,0 +1,41 @@ +From 690313a061f7a4fa614ec5cc8368b4f2284e059b Mon Sep 17 00:00:00 2001 +From: "K.Kosako" <kosako@sofnec.co.jp> +Date: Tue, 23 May 2017 10:28:58 +0900 +Subject: [PATCH] fix #57 : DATA_ENSURE() check must be before data access + +--- + regexec.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- end of original header + +CVE: CVE-2017-9224 + +Context modified so that patch applies for version 2.4.1. + +Upstream-Status: Pending +Signed-off-by: Joe Slater <joe.slater@windriver.com> + + +diff --git a/regexec.c b/regexec.c +index 35fef11..d4e577d 100644 +--- a/regexec.c ++++ b/regexec.c +@@ -1473,14 +1473,9 @@ match_at(regex_t* reg, const UChar* str, const UChar* end, + NEXT; + + CASE(OP_EXACT1) MOP_IN(OP_EXACT1); +-#if 0 + DATA_ENSURE(1); + if (*p != *s) goto fail; + p++; s++; +-#endif +- if (*p != *s++) goto fail; +- DATA_ENSURE(0); +- p++; + MOP_OUT; + break; + +-- +1.7.9.5 + diff --git a/meta/recipes-devtools/ruby/ruby_2.4.0.bb b/meta/recipes-devtools/ruby/ruby_2.4.0.bb index 4d39c47630..47e521db84 100644 --- a/meta/recipes-devtools/ruby/ruby_2.4.0.bb +++ b/meta/recipes-devtools/ruby/ruby_2.4.0.bb @@ -1,5 +1,9 @@ require ruby.inc +SRC_URI += " \ + file://ruby-CVE-2017-9224.patch \ + " + SRC_URI[md5sum] = "7e9485dcdb86ff52662728de2003e625" SRC_URI[sha256sum] = "152fd0bd15a90b4a18213448f485d4b53e9f7662e1508190aa5b702446b29e3d" |