blob f37cf0771a0fb4bbf4d269c7d0dc4676f41615f4 2175 bytes (raw)
name: gnu/packages/patches/ruby-1.8-CVE-2018-8778.patch 	 # note: path name is non-authoritative(*)

 
Fix CVE-2018-8778:

https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8778
https://security-tracker.debian.org/tracker/CVE-2018-8778

Patch copied from snapshot.debian.org:

https://snapshot.debian.org/archive/debian-security/20180423T104456Z/pool/updates/main/r/ruby1.8/ruby1.8_1.8.7.358-7.1%2Bdeb7u6.debian.tar.gz

From 4cd92d7b13002161a3452a0fe278b877901a8859 Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 28 Mar 2018 14:38:39 +0000
Subject: [PATCH 4/4] merge revision(s) 62992:

	pack.c: fix underflow

	* pack.c (pack_unpack_internal): get rid of underflow.
	  https://hackerone.com/reports/298246

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@63019 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog              | 7 +++++++
 pack.c                 | 2 +-
 test/ruby/test_pack.rb | 3 +++
 version.h              | 2 +-
 4 files changed, 12 insertions(+), 2 deletions(-)

Index: ruby1.8/pack.c
===================================================================
--- ruby1.8.orig/pack.c
+++ ruby1.8/pack.c
@@ -13,6 +13,7 @@
 #include "ruby.h"
 #include <sys/types.h>
 #include <ctype.h>
+#include <errno.h>
 
 #define GCC_VERSION_SINCE(major, minor, patchlevel) \
   (defined(__GNUC__) && !defined(__INTEL_COMPILER) && \
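Review bot: the diffstat in the header (`ChangeLog`, `pack.c`, `test/ruby/test_pack.rb`, `version.h`, "4 files changed, 12 insertions(+), 2 deletions(-)") does not describe this file: only the `pack.c` and `test/ruby/test_pack.rb` hunks follow, so the ChangeLog and version.h hunks were dropped for the ruby1.8 backport. Either trim the upstream diffstat or add a line to the header stating that those two hunks were intentionally omitted, so a reader does not go looking for a truncated patch. The `+#include <errno.h>` line itself is correct and required, since the `pack_unpack` hunk below writes and reads `errno`.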
@@ -1385,7 +1386,12 @@ pack_unpack(str, fmt)
 	    p++;
 	}
 	else if (ISDIGIT(*p)) {
+	    errno = 0;
 	    len = strtoul(p, (char**)&p, 10);
+	    if (len < 0 || errno) {
+		rb_raise(rb_eRangeError, "pack length too big");
+	    }
+
 	}
 	else {
 	    len = (type != '@');
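Review bot: the `len < 0` half of `+	    if (len < 0 || errno) {` only does anything if `len` is declared as a signed type, and that declaration is outside this hunk, so it should be confirmed; `strtoul` returns `unsigned long`, and with an unsigned `len` the comparison is always false (and draws a compiler warning), leaving exactly the wrap-to-negative case that `test_pack_unpack_atmark` exercises undetected. With a signed `len` the two conditions are complementary: `errno` (set to ERANGE by `strtoul`, which is why it is cleared on the line before) catches counts beyond ULONG_MAX, and `len < 0` catches counts between LONG_MAX and ULONG_MAX that become negative on assignment, which is the value that let a `@` directive seek before the start of the string. The `+` line after the closing brace adds a whitespace-only line; drop it, it serves no purpose and shows up as a whitespace error on apply.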
Index: ruby1.8/test/ruby/test_pack.rb
===================================================================
--- ruby1.8.orig/test/ruby/test_pack.rb
+++ ruby1.8/test/ruby/test_pack.rb
@@ -306,4 +306,9 @@ class TestPack < Test::Unit::TestCase
     assert_equal(["10ef"], "\x10\xef".unpack("H4"))
     assert_equal(["10ef"], "\x10\xef".unpack("H5"))
   end
+
+  def test_pack_unpack_atmark
+    pos = (1 << [nil].pack("p").bytesize * 8) - 100 # -100
+    assert_raise(RangeError) {"0123456789".unpack("@#{pos}C10")}
+  end
 end
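Review bot: the `# -100` comment on `pos = (1 << [nil].pack("p").bytesize * 8) - 100` is easy to misread: in Ruby the value is a positive Bignum (2**64 - 100 on a 64-bit build, since `[nil].pack("p").bytesize` is the pointer width); -100 is what it becomes once truncated to a C `long`, which is the underflow the `pack.c` hunk now rejects with RangeError. Spelling that out (e.g. `# wraps to -100 as a C long`) would make the test self-explanatory. The assertion covers only the `@` directive; because the new check sits in the shared count parser (`else if (ISDIGIT(*p))`), a second assertion with the same `pos` on another directive would document that every directive with an out-of-range count is rejected, not just `@`.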

debug log:

solving f37cf0771 ...
found f37cf0771 in https://yhetil.org/guix-devel/875zwmzj1g.fsf@gmail.com/

applying [1/1] https://yhetil.org/guix-devel/875zwmzj1g.fsf@gmail.com/
diff --git a/gnu/packages/patches/ruby-1.8-CVE-2018-8778.patch b/gnu/packages/patches/ruby-1.8-CVE-2018-8778.patch
new file mode 100644
index 000000000..f37cf0771

1:44: trailing whitespace.
 
1:48: space before tab in indent.
 	    p++;
1:49: space before tab in indent.
 	}
1:50: space before tab in indent.
 	else if (ISDIGIT(*p)) {
1:52: space before tab in indent.
 	    len = strtoul(p, (char**)&p, 10);
Checking patch gnu/packages/patches/ruby-1.8-CVE-2018-8778.patch...
Applied patch gnu/packages/patches/ruby-1.8-CVE-2018-8778.patch cleanly.
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.

index at:
100644 f37cf0771a0fb4bbf4d269c7d0dc4676f41615f4	gnu/packages/patches/ruby-1.8-CVE-2018-8778.patch

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of their contents.
