23005070 problem in UTILITY/RUBY s11u3-sru
authorRich Burridge <rich.burridge@oracle.com>
Mon, 18 Apr 2016 11:11:05 -0700
branchs11u3-sru
changeset 5796 270c46c77816
parent 5773 f9e4108442e5
child 5801 96db4259786b
23005070 problem in UTILITY/RUBY
components/ruby/ruby-21/patches/13-CVE-2015-7551.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/ruby/ruby-21/patches/13-CVE-2015-7551.patch	Mon Apr 18 11:11:05 2016 -0700
@@ -0,0 +1,112 @@
+Patches from upstream to fix CVE-2015-7551.
+
+See:
+
+  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7551
+
+for more details.
+
+Based on the ruby 2.1 commit at:
+
+  https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a
+
+--- ruby-2.1.6/ext/fiddle/handle.c.orig	2016-04-06 05:46:29.137190481 -0700
++++ ruby-2.1.6/ext/fiddle/handle.c	2016-04-06 06:15:33.342534009 -0700
[email protected]@ -1,6 +1,8 @@
+ #include <ruby.h>
+ #include <fiddle.h>
+ 
++#define SafeStringValueCStr(v) (rb_check_safe_obj(rb_string_value(&v)), StringValueCStr(v))
++
+ VALUE rb_cHandle;
+ 
+ struct dl_handle {
[email protected]@ -143,11 +145,11 @@
+ 	cflag = RTLD_LAZY | RTLD_GLOBAL;
+ 	break;
+       case 1:
+-	clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
++	clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);
+ 	cflag = RTLD_LAZY | RTLD_GLOBAL;
+ 	break;
+       case 2:
+-	clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
++	clib = NIL_P(lib) ? NULL : SafeStringValueCStr(lib);
+ 	cflag = NUM2INT(flag);
+ 	break;
+       default:
[email protected]@ -263,7 +265,7 @@
+     return PTR2NUM(fiddle_handle);
+ }
+ 
+-static VALUE fiddle_handle_sym(void *handle, const char *symbol);
++static VALUE fiddle_handle_sym(void *handle, VALUE symbol);
+ 
+ /*
+  * Document-method: sym
[email protected]@ -282,7 +284,7 @@
+ 	rb_raise(rb_eFiddleError, "closed handle");
+     }
+ 
+-    return fiddle_handle_sym(fiddle_handle->ptr, StringValueCStr(sym));
++    return fiddle_handle_sym(fiddle_handle->ptr, sym);
+ }
+ 
+ #ifndef RTLD_NEXT
[email protected]@ -305,11 +307,11 @@
+ static VALUE
+ rb_fiddle_handle_s_sym(VALUE self, VALUE sym)
+ {
+-    return fiddle_handle_sym(RTLD_NEXT, StringValueCStr(sym));
++    return fiddle_handle_sym(RTLD_NEXT, sym);
+ }
+ 
+ static VALUE
+-fiddle_handle_sym(void *handle, const char *name)
++fiddle_handle_sym(void *handle, VALUE symbol)
+ {
+ #if defined(HAVE_DLERROR)
+     const char *err;
[email protected]@ -318,6 +320,7 @@
+ # define CHECK_DLERROR
+ #endif
+     void (*func)();
++    const char *name = SafeStringValueCStr(symbol);
+ 
+     rb_secure(2);
+ #ifdef HAVE_DLERROR
[email protected]@ -367,7 +370,7 @@
+     }
+ #endif
+     if( !func ){
+-	rb_raise(rb_eFiddleError, "unknown symbol \"%s\"", name);
++	rb_raise(rb_eFiddleError, "unknown symbol \"%"PRIsVALUE"\"", symbol);
+     }
+ 
+     return PTR2NUM(func);
+--- ruby-2.1.6/test/fiddle/test_handle.rb.orig	2016-04-06 05:48:53.672048772 -0700
++++ ruby-2.1.6/test/fiddle/test_handle.rb	2016-04-06 05:49:32.100668554 -0700
[email protected]@ -10,6 +10,23 @@
+ 
+     include Test::Unit::Assertions
+ 
++    def test_safe_handle_open
++      t = Thread.new do
++        $SAFE = 1
++        Fiddle::Handle.new(LIBC_SO.taint)
++      end
++      assert_raise(SecurityError) { t.value }
++    end
++
++    def test_safe_function_lookup
++      t = Thread.new do
++        h = Fiddle::Handle.new(LIBC_SO)
++        $SAFE = 1
++        h["qsort".taint]
++      end
++      assert_raise(SecurityError) { t.value }
++    end
++
+     def test_to_i
+       handle = Fiddle::Handle.new(LIBC_SO)
+       assert_kind_of Integer, handle.to_i
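Review bot: The two regression tests added to test_handle.rb exercise only the one-argument `Fiddle::Handle.new` path (`case 1`) and the instance lookup `h[...]`, but the C change also adds the taint check to the two-argument open (`case 2`) and to the class-level lookup in `rb_fiddle_handle_s_sym`. A later refactor could drop `SafeStringValueCStr` from either of those paths without a test failing, so I would add one test per path, as sketched below. Both mirror the existing tests and expect `SecurityError` under `$SAFE = 1`. They assume `Fiddle::Handle::RTLD_LAZY` and `Fiddle::Handle.sym` are available in this build. The enclosing switch and the test class begin outside the inner patch context, so confirm placement against the full files.

```ruby
    # … unchanged: test_safe_handle_open, test_safe_function_lookup …

    def test_safe_handle_open_with_flags
      t = Thread.new do
        $SAFE = 1
        Fiddle::Handle.new(LIBC_SO.taint, Fiddle::Handle::RTLD_LAZY)
      end
      assert_raise(SecurityError) { t.value }
    end

    def test_safe_static_function_lookup
      t = Thread.new do
        $SAFE = 1
        Fiddle::Handle.sym("qsort".taint)
      end
      assert_raise(SecurityError) { t.value }
    end
```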