# HG changeset patch
# User April Chin
# Date 1387576315 28800
# Node ID 7d980597e3341412f112f9ddc4a5e2d7dec0cf7d
# Parent ce50bf80797e782118bd131e807635de9ac7cc63
17884834 problem in UTILITY/RUBY
17905257 problem in UTILITY/RUBY
diff -r ce50bf80797e -r 7d980597e334 components/ruby/Makefile
--- a/components/ruby/Makefile Fri Dec 20 13:47:38 2013 -0800
+++ b/components/ruby/Makefile Fri Dec 20 13:51:55 2013 -0800
@@ -77,9 +77,9 @@
 # Rubygems has patches, but it does not use configure nor make.
 COMPONENT_PREP_ACTION = (cd $(@D) ; autoconf); \
 $(RM) -r $(SOURCE_DIR_1); \
- $(UNPACK) $(UNPACK_ARGS) $(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE_1) \
+ $(UNPACK) $(UNPACK_ARGS) $(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE_1); \
 $(foreach patch,$(PATCHES_1), \
- $(GPATCH) -d $(SOURCE_DIR_1) $(GPATCH_FLAGS) < $(patch))
+ $(GPATCH) -d $(SOURCE_DIR_1) $(GPATCH_FLAGS) < $(patch); )
 
 # These modifications of ruby.1 must occur after ruby
 # is installed, not before. Although there are some other patches
diff -r ce50bf80797e -r 7d980597e334 components/ruby/patches/10-CVE-2013-4164.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/patches/10-CVE-2013-4164.patch Fri Dec 20 13:51:55 2013 -0800
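Review bot: The `;` separators added on the `$(UNPACK)` and `$(GPATCH)` lines mean a patch that fails to apply does not stop the chain or fail the prep step: the shell simply runs the next command and the exit status seen by make is that of the last one, so a mis-applied 10-CVE-2013-4164.patch could be silently skipped and the component built without the fix. Using `&&` as the separator makes a failed unpack or patch fatal: `$(UNPACK) $(UNPACK_ARGS) $(USERLAND_ARCHIVES)$(COMPONENT_ARCHIVE_1) && \` and `$(GPATCH) -d $(SOURCE_DIR_1) $(GPATCH_FLAGS) < $(patch) && ) true`, where the trailing `true` closes the `&&` left by the last foreach expansion. This assumes the recipe that expands COMPONENT_PREP_ACTION runs without `set -e` and does not check each step itself, which is outside the hunk. The pre-existing `(cd $(@D) ; autoconf);` prefix has the same weakness and would benefit from the same treatment.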
@@ -0,0 +1,67 @@
+This ruby 1.8.7 patch was derived from the ruby 1.9.3 fix for:
+
+https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
+
+as seen here:
+http://bugs.ruby-lang.org/projects/ruby-trunk/repository/diff/util.c?rev=43780&rev_to=41757
+
+CVE-2013-4164
+
+Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0
+before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision
+43780 allows context-dependent attackers to cause a denial of service
+(segmentation fault) and possibly execute arbitrary code via a string
+that is converted to a floating point value, as demonstrated using (1)
+the to_f method or (2) JSON.parse.
+
+--- ruby-1.8.7-p374-orig/util.c 2010-11-21 23:21:34.000000000 -0800
++++ ruby-1.8.7-p374/util.c 2013-12-02 16:58:32.995038000 -0800
+@@ -892,6 +892,11 @@
+ #else
+ #define MALLOC malloc
+ #endif
++#ifdef FREE
++extern void FREE(void*);
++#else
++#define FREE free
++#endif
+ 
+ #ifndef Omit_Private_Memory
+ #ifndef PRIVATE_MEM
+@@ -1176,7 +1181,7 @@
+ #endif
+ 
+ ACQUIRE_DTOA_LOCK(0);
+- if ((rv = freelist[k]) != 0) {
++ if (k <= Kmax && (rv = freelist[k]) != 0) {
+ freelist[k] = rv->next;
+ }
+ else {
+@@ -1186,7 +1191,7 @@
+ #else
+ len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
+ /sizeof(double);
+- if (pmem_next - private_mem + len <= PRIVATE_mem) {
++ if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
+ rv = (Bigint*)pmem_next;
+ pmem_next += len;
+ }
+@@ -1205,6 +1210,10 @@
+ Bfree(Bigint *v)
+ {
+ if (v) {
++ if (v->k > Kmax) {
++ FREE(v);
++ return;
++ }
+ ACQUIRE_DTOA_LOCK(0);
+ v->next = freelist[v->k];
+ freelist[v->k] = v;
+@@ -2200,6 +2209,7 @@
+ for (; c >= '0' && c <= '9'; c = *++s) {
+ have_dig:
+ nz++;
++ if (nf > DBL_DIG * 4) continue;
+ if (c -= '0') {
+ nf += nz;
+ for (i = 1; i < nz; i++)
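Review bot: The new guards `if (k <= Kmax && (rv = freelist[k]) != 0)` and `if (v->k > Kmax)` in Bfree only close the out-of-bounds freelist access if 1.8.7's util.c defines `Kmax` and sizes `freelist[]` as `Kmax+1` the way the cited 1.9.3 tree does, and neither definition appears in the hunks; the patch header should state that this was checked rather than leave it implied, e.g. `Relies on util.c's existing Kmax and freelist[Kmax+1] definitions, identical to the 1.9.3 source the fix was taken from.` The commit also carries no regression check: the advisory text names `to_f` and `JSON.parse` as the triggers, so a build-time test converting a digit string long enough to exceed `DBL_DIG * 4` fractional digits would catch the patch failing to apply or being mis-applied in the 1.8.7 tree. The `if (nf > DBL_DIG * 4) continue;` line deserves a why-comment in the patch, since `nz` has already been incremented before the skip and a maintainer diffing against upstream will not see the reasoning. The allocator containing the freelist lookup, `Bfree` and the digit-parsing loop each continue outside the quoted hunks.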