components/ruby/rubygems-patches/01-CVE-2013-4287-4363.patch
author April Chin <april.chin@oracle.com>
Tue, 26 Nov 2013 14:09:46 -0800
branchs11u1-sru
changeset 2834 d69aa373f992
permissions -rw-r--r--
17650524 problem in UTILITY/RUBY
Fix for the following two CVE issues:
CVE-2013-4287 
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in 
lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 
2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 
2.0.0p247, allows remote attackers to cause a denial of service (CPU 
consumption) via a crafted gem version that triggers a large amount of 
backtracking in a regular expression. 
CVE-2013-4363 
Algorithmic complexity vulnerability in 
Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems 
before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 
2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to 
cause a denial of service (CPU consumption) via a crafted gem version that 
triggers a large amount of backtracking in a regular expression. NOTE: this 
issue is due to an incomplete fix for CVE-2013-4287. 
The fixes come from
http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4287_txt.html 
and 
http://rubygems.rubyforge.org/rubygems-update/CVE-2013-4363_txt.html 
--- rubygems-1.3.5-orig//lib/rubygems/version.rb	Mon Jun 22 15:54:36 2009
+++ rubygems-1.3.5/lib/rubygems/version.rb	Thu Oct 24 16:02:38 2013
@@ -69,12 +69,12 @@
 
   include Comparable
 
-  VERSION_PATTERN = '[0-9]+(\.[0-9a-z]+)*'
+  VERSION_PATTERN = '[0-9]+(?>\.[0-9a-z]+)*'
 
   attr_reader :version
 
   def self.correct?(version)
-    pattern = /\A\s*(#{VERSION_PATTERN})*\s*\z/
+    pattern = /\A\s*(#{VERSION_PATTERN})?\s*\z/
 
     version.is_a? Integer or
       version =~ pattern or
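Review bot: the `*` to `?` change on the outer group protects only the regexp built inline here in `correct?`; the atomic group added to VERSION_PATTERN stops backtracking inside the `\.[0-9a-z]+` repetition but does nothing for an outer repeated group, so any other spot in this rubygems-1.3.5 tree that wraps `#{VERSION_PATTERN}` in its own `(...)*` needs the same edit, and since this backport adds no shared ANCHORED_VERSION_PATTERN constant there is no single place to check. The change loses no accepted input: any concatenation of VERSION_PATTERN matches is itself a single VERSION_PATTERN match, so the old outer `*` only added ways to split the same string, which is exactly the backtracking both CVEs describe. The patch also carries no regression test; one that feeds `correct?` a long digit run ending in a non-version character, such as `'1' * 50 + '!'`, and expects a prompt `false` would pin both fixes.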
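The two anchored regexps from the hunk, pre-patch and post-patch, side by side with a bounded probe, as an added example that is not part of this patch or of RubyGems. The helper names (`version_correct?`, `crafted_version`, `probe`) and the attacker input are ours; the regexps are copied from the `-` and `+` lines above.

```ruby
require 'timeout'

# Pre-patch regexps, exactly as the "-" lines of the hunk build them
# (rubygems 1.3.5): a non-atomic inner group and a repeated outer group.
OLD_VERSION_PATTERN = '[0-9]+(\.[0-9a-z]+)*'
OLD_ANCHORED = /\A\s*(#{OLD_VERSION_PATTERN})*\s*\z/

# Post-patch regexps from the "+" lines: atomic inner group (CVE-2013-4287)
# and an optional, non-repeated outer group (CVE-2013-4363).
NEW_VERSION_PATTERN = '[0-9]+(?>\.[0-9a-z]+)*'
NEW_ANCHORED = /\A\s*(#{NEW_VERSION_PATTERN})?\s*\z/

# Same decision as Gem::Version.correct? in the hunk, parameterised on the
# regexp so both variants can be compared. (The name is ours, not RubyGems'.)
def version_correct?(version, pattern)
  return true if version.is_a?(Integer)
  !(version =~ pattern).nil?
end

# Constructed attacker input: n digits followed by a character that can never
# be part of a version. With the old outer (...)* the engine tries every way
# of splitting the digit run between iterations before it can fail, 2^(n-1)
# attempts; with the new (...)? there is one way, so the failure costs O(n).
def crafted_version(n)
  ('1' * n) + '!'
end

# Runs a match under a wall-clock limit so a pathological regexp cannot hang
# the caller. Returns [:ok, matched?, seconds] or [:timeout, nil, limit].
# Assumption: the interpreter checks for interrupts inside the regexp engine
# (Ruby 3.2+ additionally offers Regexp.timeout for the same purpose); keep n
# small for the old pattern regardless.
def probe(pattern, input, limit = 2.0)
  t0 = Time.now
  matched = Timeout.timeout(limit) { !(input =~ pattern).nil? }
  [:ok, matched, Time.now - t0]
rescue Timeout::Error
  [:timeout, nil, limit]
end

# Demo: agreement on ordinary input, then the cost of rejecting crafted input.
%w[1.0 1.9.3 2.0.0p247 1.0.0-beta].each do |v|
  puts format('%-12s old=%-5s new=%s', v,
              version_correct?(v, OLD_ANCHORED), version_correct?(v, NEW_ANCHORED))
end
[12, 16, 20].each do |n|
  puts "n=#{n}     old: #{probe(OLD_ANCHORED, crafted_version(n)).inspect}"
  puts "n=#{n}     new: #{probe(NEW_ANCHORED, crafted_version(n)).inspect}"
end
puts "n=50000 new: #{probe(NEW_ANCHORED, crafted_version(50_000)).inspect}"
```

Both regexps accept and reject the same strings; only the cost of a rejection differs. On a Ruby without regexp memoization the old pattern's time roughly doubles for each extra digit in the crafted input, while the new one rejects a 50,000-digit run in milliseconds.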