From: "André Draszik" <git@andred.net>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH v3 1/4] ruby: drop long-merged CVE patches
Date: Tue, 1 Oct 2019 10:54:49 +0100
Message-ID: <20191001095452.37335-2-git@andred.net>
In-Reply-To: <20191001095452.37335-1-git@andred.net>
From: André Draszik <andre.draszik@jci.com>
The CVE patches here address the original problem in
a different way to how upstream solved it, and are
superfluous.
Ruby updated to Onigmo v6.1.3+669ac999761 before its
v2.5.0 release, and both CVEs were fixed before Onigmo
v6.1.3:
https://github.com/k-takata/Onigmo/releases/tag/Onigmo-6.1.3
https://github.com/k-takata/Onigmo/commits/Onigmo-6.1.3
https://github.com/k-takata/Onigmo/commit/40945546578004bf40e6f884834bcad4054c70f7
https://github.com/k-takata/Onigmo/commit/783b7ef491e1422e4be7407ccc3e4305e5013507
Because the issues were fixed differently here and
in Ruby (Onigmo), patch never complained about
duplication during recipe updates.
Signed-off-by: André Draszik <andre.draszik@jci.com>
---
.../ruby/ruby/ruby-CVE-2017-9226.patch | 32 -----------------
.../ruby/ruby/ruby-CVE-2017-9228.patch | 34 -------------------
meta/recipes-devtools/ruby/ruby_2.5.5.bb | 2 --
3 files changed, 68 deletions(-)
delete mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
delete mode 100644 meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
deleted file mode 100644
index 89437bba74..0000000000
--- a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9226.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From b4bf968ad52afe14e60a2dc8a95d3555c543353a Mon Sep 17 00:00:00 2001
-From: "K.Kosako" <kosako@sofnec.co.jp>
-Date: Thu, 18 May 2017 17:05:27 +0900
-Subject: [PATCH] fix #55 : check too big code point value for single byte
- value in next_state_val()
-
----
- regparse.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- end of original header
-
-CVE: CVE-2017-9226
-
-Add check for octal number bigger than 255.
-
-Upstream-Status: Pending
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
-
-
---- ruby-2.4.1.orig/regparse.c
-+++ ruby-2.4.1/regparse.c
-@@ -4450,6 +4450,9 @@ next_state_val(CClassNode* cc, CClassNod
- switch (*state) {
- case CCS_VALUE:
- if (*type == CCV_SB) {
-+ if (*from > 0xff)
-+ return ONIGERR_INVALID_CODE_POINT_VALUE;
-+
- BITSET_SET_BIT_CHKDUP(cc->bs, (int )(*from));
- if (IS_NOT_NULL(asc_cc))
- BITSET_SET_BIT(asc_cc->bs, (int )(*from));
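Review bot: the commit message lists two Onigmo commits but does not say which one supersedes this particular file; since the deleted patch only adds the `if (*from > 0xff)` guard in next_state_val() and carried `Upstream-Status: Pending`, it would help a future reader to state in the message which of the two referenced Onigmo commits covers CVE-2017-9226, so the equivalence can be checked without re-deriving it.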
diff --git a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch b/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
deleted file mode 100644
index d8bfba486c..0000000000
--- a/meta/recipes-devtools/ruby/ruby/ruby-CVE-2017-9228.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 3b63d12038c8d8fc278e81c942fa9bec7c704c8b Mon Sep 17 00:00:00 2001
-From: "K.Kosako" <kosako@sofnec.co.jp>
-Date: Wed, 24 May 2017 13:43:25 +0900
-Subject: [PATCH] fix #60 : invalid state(CCS_VALUE) in parse_char_class()
-
----
- regparse.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
---- end of original header
-
-CVE: CVE-2017-9228
-
-Upstream-Status: Inappropriate [not author]
-Signed-off-by: Joe Slater <joe.slater@windriver.com>
-
-diff --git a/regparse.c b/regparse.c
-index 69875fa..1988747 100644
---- a/regparse.c
-+++ b/regparse.c
-@@ -4081,7 +4081,9 @@ next_state_class(CClassNode* cc, OnigCodePoint* vs, enum CCVALTYPE* type,
- }
- }
-
-- *state = CCS_VALUE;
-+ if (*state != CCS_START)
-+ *state = CCS_VALUE;
-+
- *type = CCV_CLASS;
- return 0;
- }
---
-1.7.9.5
-
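Review bot: this file was tagged `Upstream-Status: Inappropriate [not author]` although it is a backport of an Onigmo commit, which is why it was never tracked as one; given the message says upstream fixed the CCS_START/CCS_VALUE handling in parse_char_class() differently, it is worth mentioning that the recipe's run-ptest was exercised after the drop, since that is the only in-tree evidence the two fixes are behaviourally equivalent.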
diff --git a/meta/recipes-devtools/ruby/ruby_2.5.5.bb b/meta/recipes-devtools/ruby/ruby_2.5.5.bb
index 8ad59a7657..4082b02f14 100644
--- a/meta/recipes-devtools/ruby/ruby_2.5.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.5.5.bb
@@ -1,8 +1,6 @@
require ruby.inc
SRC_URI += " \
- file://ruby-CVE-2017-9226.patch \
- file://ruby-CVE-2017-9228.patch \
file://run-ptest \
"
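Review bot: with both patch files gone, the `CVE: CVE-2017-9226` and `CVE: CVE-2017-9228` tags that cve-check keys on disappear with them, so the recipe is now only marked fixed if the NVD data already excludes ruby 2.5.5; please confirm cve-check output stays clean for these two IDs after this change, and if it does not, add the corresponding whitelist entry to the recipe in this same commit.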
--
2.23.0.rc1