| | Fix CVE-2018-8778:
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778
https://security-tracker.debian.org/tracker/CVE-2018-8778
Patch copied from snapshot.debian.org:
https://snapshot.debian.org/archive/debian-security/20180423T104456Z/pool/updates/main/r/ruby1.8/ruby1.8_1.8.7.358-7.1%2Bdeb7u6.debian.tar.gz
From 4cd92d7b13002161a3452a0fe278b877901a8859 Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 28 Mar 2018 14:38:39 +0000
Subject: [PATCH 4/4] merge revision(s) 62992:
pack.c: fix underflow
* pack.c (pack_unpack_internal): get rid of underflow.
https://hackerone.com/reports/298246
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@63019 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
ChangeLog | 7 +++++++
pack.c | 2 +-
test/ruby/test_pack.rb | 3 +++
version.h | 2 +-
4 files changed, 12 insertions(+), 2 deletions(-)
Index: ruby1.8/pack.c
===================================================================
--- ruby1.8.orig/pack.c
+++ ruby1.8/pack.c
@@ -13,6 +13,7 @@
#include "ruby.h"
#include <sys/types.h>
#include <ctype.h>
+#include <errno.h>
#define GCC_VERSION_SINCE(major, minor, patchlevel) \
(defined(__GNUC__) && !defined(__INTEL_COMPILER) && \
@@ -1385,7 +1386,12 @@ pack_unpack(str, fmt)
p++;
}
else if (ISDIGIT(*p)) {
+ errno = 0;
len = strtoul(p, (char**)&p, 10);
+ if (len < 0 || errno) {
+ rb_raise(rb_eRangeError, "pack length too big");
+ }
+
}
else {
len = (type != '@');
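Review bot: The added `len < 0` test only works if `len` is a signed type, and its declaration is outside this hunk. Assuming it is a `long`, a count above `LONG_MAX` is caught only through the implementation-defined conversion of the `unsigned long` that `strtoul` returns. Parsing into an unsigned temporary and comparing against `LONG_MAX` makes the bound explicit, and a short comment should say why the check exists. `LONG_MAX` needs `<limits.h>` if `ruby.h` does not already pull it in. The body of pack_unpack starts and ends outside the hunk.

```c
else if (ISDIGIT(*p)) {
    unsigned long ulen;

    errno = 0;
    ulen = strtoul(p, (char**)&p, 10);
    /* a count above LONG_MAX would wrap negative once stored in len */
    if (errno || ulen > LONG_MAX) {
        rb_raise(rb_eRangeError, "pack length too big");
    }
    len = (long)ulen;
}
```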
Index: ruby1.8/test/ruby/test_pack.rb
===================================================================
--- ruby1.8.orig/test/ruby/test_pack.rb
+++ ruby1.8/test/ruby/test_pack.rb
@@ -306,4 +306,9 @@ class TestPack < Test::Unit::TestCase
assert_equal(["10ef"], "\x10\xef".unpack("H4"))
assert_equal(["10ef"], "\x10\xef".unpack("H5"))
end
+
+ def test_pack_unpack_atmark
+ pos = (1 << [nil].pack("p").bytesize * 8) - 100 # -100
+ assert_raise(RangeError) {"0123456789".unpack("@#{pos}C10")}
+ end
end
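Review bot: test_pack_unpack_atmark checks a single oversized count, the one that wraps to -100, so where `long` is as wide as a pointer the `errno` half of the new check in pack.c is never exercised. A second assertion with a count larger than any `unsigned long` would cover it, for example `assert_raise(RangeError) {"0123456789".unpack("@#{1 << 128}C10")}`. The trailing `# -100` comment would be clearer as `# wraps to -100 when read as a signed pointer-sized integer`. The enclosing TestPack class starts outside the hunk.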
|