ruby: Security fix for CVE-2017-14064

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1

Signed-off-by: Rajkumar Veer <rveer@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2017-14064.patch b/meta/recipes-devtools/ruby/ruby/CVE-2017-14064.patch
new file mode 100644 (file)
index 0000000..073d214
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2017-14064.patch
@@ -0,0 +1,79 @@
+From 8f782fd8e181d9cfe9387ded43a5ca9692266b85 Mon Sep 17 00:00:00 2001
+From: Florian Frank <flori@ping.de>
+Date: Thu, 2 Mar 2017 12:12:33 +0100
+Subject: [PATCH] Fix arbitrary heap exposure problem
+
+Upstream-Status: Backport
+CVE: CVE-2017-14064
+
+Signed-off-by: Rajkumar Veer<rveer@mvista.com>
+---
+ ext/json/ext/generator/generator.c | 12 ++++++------
+ ext/json/ext/generator/generator.h |  1 -
+ 2 files changed, 6 insertions(+), 7 deletions(-)
+--- a/ext/json/generator/generator.c
++++ b/ext/json/generator/generator.c
+@@ -301,7 +301,7 @@
+   char *result;
+   if (len <= 0) return NULL;
+   result = ALLOC_N(char, len);
+-  memccpy(result, ptr, 0, len);
++  memcpy(result, ptr, len);
+   return result;
+ }
+ 
+@@ -1055,7 +1055,7 @@
+         }
+     } else {
+         if (state->indent) ruby_xfree(state->indent);
+-        state->indent = strdup(RSTRING_PTR(indent));
++        state->indent = fstrndup(RSTRING_PTR(indent), len);
+         state->indent_len = len;
+     }
+     return Qnil;
+@@ -1093,7 +1093,7 @@
+         }
+     } else {
+         if (state->space) ruby_xfree(state->space);
+-        state->space = strdup(RSTRING_PTR(space));
++        state->space = fstrndup(RSTRING_PTR(space), len);
+         state->space_len = len;
+     }
+     return Qnil;
+@@ -1129,7 +1129,7 @@
+         }
+     } else {
+         if (state->space_before) ruby_xfree(state->space_before);
+-        state->space_before = strdup(RSTRING_PTR(space_before));
++        state->space_before = fstrndup(RSTRING_PTR(space_before), len);
+         state->space_before_len = len;
+     }
+     return Qnil;
+@@ -1166,7 +1166,7 @@
+         }
+     } else {
+         if (state->object_nl) ruby_xfree(state->object_nl);
+-        state->object_nl = strdup(RSTRING_PTR(object_nl));
++        state->object_nl = fstrndup(RSTRING_PTR(object_nl), len);
+         state->object_nl_len = len;
+     }
+     return Qnil;
+@@ -1201,7 +1201,7 @@
+         }
+     } else {
+         if (state->array_nl) ruby_xfree(state->array_nl);
+-        state->array_nl = strdup(RSTRING_PTR(array_nl));
++        state->array_nl = fstrndup(RSTRING_PTR(array_nl), len); 
+         state->array_nl_len = len;
+     }
+     return Qnil;
+--- a/ext/json/generator/generator.h
++++ b/ext/json/generator/generator.h
+@@ -1,7 +1,6 @@
+ #ifndef _GENERATOR_H_
+ #define _GENERATOR_H_
+ 
+-#include <string.h>
+ #include <math.h>
+ #include <ctype.h>
+ 

diff --git a/meta/recipes-devtools/ruby/ruby_2.2.5.bb b/meta/recipes-devtools/ruby/ruby_2.2.5.bb
index 08308057b96d8a5d9a5753f9f9295b4220f01e8d..750ddc690f8ed148f52f1c5a77ef7b246c38b289 100644 (file)
--- a/meta/recipes-devtools/ruby/ruby_2.2.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.2.5.bb
@@ -10,6 +10,7 @@ SRC_URI += "file://prevent-gc.patch \
             file://CVE-2017-9226.patch \
             file://CVE-2017-9229.patch \
             file://CVE-2017-14033.patch \
+            file://CVE-2017-14064.patch \
 "
 
 # it's unknown to configure script, but then passed to extconf.rb