diff options
Diffstat (limited to 'meta/recipes-devtools/ruby/ruby/CVE-2017-14033.patch')
| -rw-r--r-- | meta/recipes-devtools/ruby/ruby/CVE-2017-14033.patch | 89 |
1 files changed, 0 insertions, 89 deletions
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2017-14033.patch b/meta/recipes-devtools/ruby/ruby/CVE-2017-14033.patch deleted file mode 100644 index cbcd18c788..0000000000 --- a/meta/recipes-devtools/ruby/ruby/CVE-2017-14033.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 1648afef33c1d97fb203c82291b8a61269e85d3b Mon Sep 17 00:00:00 2001 -From: Kazuki Yamaguchi <k@rhe.jp> -Date: Mon, 19 Sep 2016 15:38:44 +0900 -Subject: [PATCH] asn1: fix out-of-bounds read in decoding constructed objects - -OpenSSL::ASN1.{decode,decode_all,traverse} have a bug of out-of-bounds -read. int_ossl_asn1_decode0_cons() does not give the correct available -length to ossl_asn1_decode() when decoding the inner components of a -constructed object. This can cause out-of-bounds read if a crafted input -given. - -Reference: https://hackerone.com/reports/170316 - -Upstream-Status: Backport -CVE: CVE-2017-14033 - -Signed-off-by: Rajkumar Veer<rveer@mvista.com> ---- - ext/openssl/ossl_asn1.c | 13 ++++++------- - test/test_asn1.rb | 23 +++++++++++++++++++++++ - 2 files changed, 29 insertions(+), 7 deletions(-) ---- a/ext/openssl/ossl_asn1.c -+++ b/ext/openssl/ossl_asn1.c -@@ -871,19 +871,18 @@ - { - VALUE value, asn1data, ary; - int infinite; -- long off = *offset; -+ long available_len, off = *offset; - - infinite = (j == 0x21); - ary = rb_ary_new(); - -- while (length > 0 || infinite) { -+ available_len = infinite ? max_len : length; -+ while (available_len > 0 ) { - long inner_read = 0; -- value = ossl_asn1_decode0(pp, max_len, &off, depth + 1, yield, &inner_read); -+ value = ossl_asn1_decode0(pp, available_len, &off, depth + 1, yield, &inner_read); - *num_read += inner_read; -- max_len -= inner_read; -+ available_len -= inner_read; - rb_ary_push(ary, value); -- if (length > 0) -- length -= inner_read; - - if (infinite && - NUM2INT(ossl_asn1_get_tag(value)) == V_ASN1_EOC && -@@ -974,7 +973,7 @@ - if(j & V_ASN1_CONSTRUCTED) { - *pp += hlen; - off += hlen; -- asn1data = int_ossl_asn1_decode0_cons(pp, length, len, &off, depth, yield, j, tag, tag_class, &inner_read); -+ asn1data = int_ossl_asn1_decode0_cons(pp, length - hlen, len, &off, depth, yield, j, tag, tag_class, &inner_read); - inner_read += hlen; - } - else { ---- a/test/openssl/test_asn1.rb -+++ b/test/openssl/test_asn1.rb -@@ -595,6 +595,29 @@ - assert_equal(false, asn1.value[3].infinite_length) - end - -+ def test_decode_constructed_overread -+ test = %w{ 31 06 31 02 30 02 05 00 } -+ # ^ <- invalid -+ raw = [test.join].pack("H*") -+ ret = [] -+ assert_raise(OpenSSL::ASN1::ASN1Error) { -+ OpenSSL::ASN1.traverse(raw) { |x| ret << x } -+ } -+ assert_equal 2, ret.size -+ assert_equal 17, ret[0][6] -+ assert_equal 17, ret[1][6] -+ -+ test = %w{ 31 80 30 03 00 00 } -+ # ^ <- invalid -+ raw = [test.join].pack("H*") -+ ret = [] -+ assert_raise(OpenSSL::ASN1::ASN1Error) { -+ OpenSSL::ASN1.traverse(raw) { |x| ret << x } -+ } -+ assert_equal 1, ret.size -+ assert_equal 17, ret[0][6] -+ end -+ - private - - def assert_universal(tag, asn1) |