aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoe Slater <jslater@windriver.com>2017-08-16 14:46:11 -0700
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-09-11 22:13:15 +0100
commit1fdb28d834b48536caf499334bfbc418eeca97af (patch)
treefc533302b104e6a684f7f8ff0444b52fef958cfe
parentca566f66433c6ce9469807c40a1f56f6edf2c305 (diff)
downloadopenembedded-core-1fdb28d834b48536caf499334bfbc418eeca97af.zip
openembedded-core-1fdb28d834b48536caf499334bfbc418eeca97af.tar.gz
openembedded-core-1fdb28d834b48536caf499334bfbc418eeca97af.tar.bz2
ruby: fix CVE-2017-9224
Use DATA_ENSURE(1) before access. (From OE-Core rev: 9db907a0bd331c47c4882b82f9f1d2a7ef1f6d1f) Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Fixed up to get to apply Signed-off-by: Armin Kuster <akuster808@gmail.com>
-rw-r--r--meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9224.patch41
-rw-r--r--meta/recipes-devtools/ruby/ruby_2.4.0.bb4
2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9224.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9224.patch
new file mode 100644
index 0000000..848139b
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9224.patch
@@ -0,0 +1,41 @@
+From 690313a061f7a4fa614ec5cc8368b4f2284e059b Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Tue, 23 May 2017 10:28:58 +0900
+Subject: [PATCH] fix #57 : DATA_ENSURE() check must be before data access
+
+---
+ regexec.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- end of original header
+
+CVE: CVE-2017-9224
+
+Context modified so that patch applies for version 2.4.1.
+
+Upstream-Status: Pending
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+diff --git a/regexec.c b/regexec.c
+index 35fef11..d4e577d 100644
+--- a/regexec.c
++++ b/regexec.c
+@@ -1473,14 +1473,9 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
+ NEXT;
+
+ CASE(OP_EXACT1) MOP_IN(OP_EXACT1);
+-#if 0
+ DATA_ENSURE(1);
+ if (*p != *s) goto fail;
+ p++; s++;
+-#endif
+- if (*p != *s++) goto fail;
+- DATA_ENSURE(0);
+- p++;
+ MOP_OUT;
+ break;
+
+--
+1.7.9.5
+
diff --git a/meta/recipes-devtools/ruby/ruby_2.4.0.bb b/meta/recipes-devtools/ruby/ruby_2.4.0.bb
index 4d39c47..47e521d 100644
--- a/meta/recipes-devtools/ruby/ruby_2.4.0.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.4.0.bb
@@ -1,5 +1,9 @@
require ruby.inc
+SRC_URI += " \
+ file://ruby-CVE-2017-9224.patch \
+ "
+
SRC_URI[md5sum] = "7e9485dcdb86ff52662728de2003e625"
SRC_URI[sha256sum] = "152fd0bd15a90b4a18213448f485d4b53e9f7662e1508190aa5b702446b29e3d"