Merge branch 'master-2.2' into dist/2.2/trusty

Author: sorah

ChangeLog

@@ -1,3 +1,50 @@
+Thu Sep 14 20:44:26 2017  SHIBATA Hiroshi  <[email protected]>
+
+	* ext/json: bump to version 1.8.1.1. [Backport #13853]
+
+Thu Sep 14 20:39:39 2017  Kazuki Yamaguchi <[email protected]>
+
+	asn1: fix out-of-bounds read in decoding constructed objects
+
+	* OpenSSL::ASN1.{decode,decode_all,traverse}: have a bug of
+	  out-of-bounds read. int_ossl_asn1_decode0_cons() does not give the
+	  correct available length to ossl_asn1_decode() when decoding the
+	  inner components of a constructed object. This can cause
+	  out-of-bounds read if a crafted input given.
+
+	Reference: https://hackerone.com/reports/170316
+	https://github.com/ruby/openssl/commit/1648afef33c1d97fb203c82291b8a61269e85d3b
+
+Thu Sep 14 20:36:54 2017  Yusuke Endoh  <[email protected]>
+
+	lib/webrick/log.rb: sanitize any type of logs
+
+	It had failed to sanitize some type of exception messages.  Reported and
+	patched by Yusuke Endoh (mame) at https://hackerone.com/reports/223363
+
+Thu Sep 14 20:33:52 2017  Nobuyoshi Nakada  <[email protected]>
+
+	Fix space flag when Inf/NaN and width==3
+
+	* sprintf.c (rb_str_format): while "% 2f" and "% 4f" result in " Inf"
+	  and " Inf" respectively, "% 3f" results in "Inf" (no space).
+
+	Refactor "%f" % Inf/NaN
+
+	* sprintf.c (rb_str_format): as for non-finite float, calculate the
+	  exact needed size with the space flag.
+
+Sun Sep 10 10:10:05 2017  SHIBATA Hiroshi  <[email protected]>
+
+	* lib/rubygems: fix several vulnerabilities in RubyGems; bump to version
+	  2.4.5.3. [Backport #13842]
+
+Sat Sep  9 21:08:24 2017  SHIBATA Hiroshi  <[email protected]>
+
+	* ext/psych/yaml: update libyaml to 0.1.7.
+
+	* ext/psych/psych.gemspec: bump version to 2.0.8.1.
+
 Tue Mar 28 15:39:26 2017  Nobuyoshi Nakada  <[email protected]>
 
 	configure.in: syscall is deprecated on macOS

debian/changelog

@@ -1,3 +1,9 @@
+ruby2.2 (2.2.8-0nkmi1) unstable; urgency=medium
+
+  * new upstream version
+
+ -- Sorah Fukumori <[email protected]>  Thu, 14 Sep 2017 16:58:33 +0000
+
 ruby2.2 (2.2.7-0nkmi1~trusty) trusty; urgency=medium
 
   * new upstream version

ext/json/generator/generator.c

@@ -301,7 +301,7 @@ static char *fstrndup(const char *ptr, unsigned long len) {
   char *result;
   if (len <= 0) return NULL;
   result = ALLOC_N(char, len);
-  memccpy(result, ptr, 0, len);
+  memcpy(result, ptr, len);
   return result;
 }
 
@@ -1055,7 +1055,7 @@ static VALUE cState_indent_set(VALUE self, VALUE indent)
         }
     } else {
         if (state->indent) ruby_xfree(state->indent);
-        state->indent = strdup(RSTRING_PTR(indent));
+        state->indent = fstrndup(RSTRING_PTR(indent), len);
         state->indent_len = len;
     }
     return Qnil;
@@ -1093,7 +1093,7 @@ static VALUE cState_space_set(VALUE self, VALUE space)
         }
     } else {
         if (state->space) ruby_xfree(state->space);
-        state->space = strdup(RSTRING_PTR(space));
+        state->space = fstrndup(RSTRING_PTR(space), len);
         state->space_len = len;
     }
     return Qnil;
@@ -1129,7 +1129,7 @@ static VALUE cState_space_before_set(VALUE self, VALUE space_before)
         }
     } else {
         if (state->space_before) ruby_xfree(state->space_before);
-        state->space_before = strdup(RSTRING_PTR(space_before));
+        state->space_before = fstrndup(RSTRING_PTR(space_before), len);
         state->space_before_len = len;
     }
     return Qnil;
@@ -1166,7 +1166,7 @@ static VALUE cState_object_nl_set(VALUE self, VALUE object_nl)
         }
     } else {
         if (state->object_nl) ruby_xfree(state->object_nl);
-        state->object_nl = strdup(RSTRING_PTR(object_nl));
+        state->object_nl = fstrndup(RSTRING_PTR(object_nl), len);
         state->object_nl_len = len;
     }
     return Qnil;
@@ -1201,7 +1201,7 @@ static VALUE cState_array_nl_set(VALUE self, VALUE array_nl)
         }
     } else {
         if (state->array_nl) ruby_xfree(state->array_nl);
-        state->array_nl = strdup(RSTRING_PTR(array_nl));
+        state->array_nl = fstrndup(RSTRING_PTR(array_nl), len);
         state->array_nl_len = len;
     }
     return Qnil;

ext/json/generator/generator.h

@@ -1,7 +1,6 @@
 #ifndef _GENERATOR_H_
 #define _GENERATOR_H_
 
-#include <string.h>
 #include <math.h>
 #include <ctype.h>
 

ext/json/lib/json/version.rb

@@ -1,6 +1,6 @@
 module JSON
   # JSON version
-  VERSION         = '1.8.1'
+  VERSION         = '1.8.1.1'
   VERSION_ARRAY   = VERSION.split(/\./).map { |x| x.to_i } # :nodoc:
   VERSION_MAJOR   = VERSION_ARRAY[0] # :nodoc:
   VERSION_MINOR   = VERSION_ARRAY[1] # :nodoc:

ext/openssl/ossl_asn1.c

@@ -871,19 +871,18 @@ int_ossl_asn1_decode0_cons(unsigned char **pp, long max_len, long length,
 {
     VALUE value, asn1data, ary;
     int infinite;
-    long off = *offset;
+    long available_len, off = *offset;
 
     infinite = (j == 0x21);
     ary = rb_ary_new();
 
-    while (length > 0 || infinite) {
+    available_len = infinite ? max_len : length;
+    while (available_len > 0) {
 	long inner_read = 0;
-	value = ossl_asn1_decode0(pp, max_len, &off, depth + 1, yield, &inner_read);
+	value = ossl_asn1_decode0(pp, available_len, &off, depth + 1, yield, &inner_read);
 	*num_read += inner_read;
-	max_len -= inner_read;
+	available_len -= inner_read;
 	rb_ary_push(ary, value);
-	if (length > 0)
-	    length -= inner_read;
 
 	if (infinite &&
 	    NUM2INT(ossl_asn1_get_tag(value)) == V_ASN1_EOC &&
@@ -974,7 +973,7 @@ ossl_asn1_decode0(unsigned char **pp, long length, long *offset, int depth,
     if(j & V_ASN1_CONSTRUCTED) {
 	*pp += hlen;
 	off += hlen;
-	asn1data = int_ossl_asn1_decode0_cons(pp, length, len, &off, depth, yield, j, tag, tag_class, &inner_read);
+	asn1data = int_ossl_asn1_decode0_cons(pp, length - hlen, len, &off, depth, yield, j, tag, tag_class, &inner_read);
 	inner_read += hlen;
     }
     else {

ext/psych/psych.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |s|
   s.name = "psych"
-  s.version = "2.0.8"
+  s.version = "2.0.8.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib"]

ext/psych/yaml/api.c

@@ -395,7 +395,7 @@ yaml_emitter_delete(yaml_emitter_t *emitter)
     }
     QUEUE_DEL(emitter, emitter->events);
     STACK_DEL(emitter, emitter->indents);
-    while (!STACK_EMPTY(emitter, emitter->tag_directives)) {
+    while (!STACK_EMPTY(empty, emitter->tag_directives)) {
         yaml_tag_directive_t tag_directive = POP(emitter, emitter->tag_directives);
         yaml_free(tag_directive.handle);
         yaml_free(tag_directive.prefix);
@@ -415,7 +415,7 @@ yaml_string_write_handler(void *data, unsigned char *buffer, size_t size)
 {
     yaml_emitter_t *emitter = data;
 
-    if (emitter->output.string.size + *emitter->output.string.size_written
+    if (emitter->output.string.size - *emitter->output.string.size_written
             < size) {
         memcpy(emitter->output.string.buffer
                 + *emitter->output.string.size_written,
@@ -822,7 +822,6 @@ yaml_scalar_event_initialize(yaml_event_t *event,
     yaml_char_t *anchor_copy = NULL;
     yaml_char_t *tag_copy = NULL;
     yaml_char_t *value_copy = NULL;
-    size_t value_length;
 
     assert(event);      /* Non-NULL event object is expected. */
     assert(value);      /* Non-NULL anchor is expected. */
@@ -840,19 +839,16 @@ yaml_scalar_event_initialize(yaml_event_t *event,
     }
 
     if (length < 0) {
-        value_length = strlen((char *)value);
-    }
-    else {
-        value_length = (size_t)length;
+        length = strlen((char *)value);
     }
 
-    if (!yaml_check_utf8(value, value_length)) goto error;
-    value_copy = yaml_malloc(value_length+1);
+    if (!yaml_check_utf8(value, length)) goto error;
+    value_copy = yaml_malloc(length+1);
     if (!value_copy) goto error;
-    memcpy(value_copy, value, value_length);
-    value_copy[value_length] = '\0';
+    memcpy(value_copy, value, length);
+    value_copy[length] = '\0';
 
-    SCALAR_EVENT_INIT(*event, anchor_copy, tag_copy, value_copy, value_length,
+    SCALAR_EVENT_INIT(*event, anchor_copy, tag_copy, value_copy, length,
             plain_implicit, quoted_implicit, style, mark, mark);
 
     return 1;
@@ -1206,8 +1202,6 @@ yaml_document_add_scalar(yaml_document_t *document,
     yaml_char_t *tag_copy = NULL;
     yaml_char_t *value_copy = NULL;
     yaml_node_t node;
-    size_t value_length;
-    ptrdiff_t ret;
 
     assert(document);   /* Non-NULL document object is expected. */
     assert(value);      /* Non-NULL value is expected. */
@@ -1221,26 +1215,19 @@ yaml_document_add_scalar(yaml_document_t *document,
     if (!tag_copy) goto error;
 
     if (length < 0) {
-        value_length = strlen((char *)value);
-    }
-    else {
-        value_length = (size_t)length;
+        length = strlen((char *)value);
     }
 
-    if (!yaml_check_utf8(value, value_length)) goto error;
-    value_copy = yaml_malloc(value_length+1);
+    if (!yaml_check_utf8(value, length)) goto error;
+    value_copy = yaml_malloc(length+1);
     if (!value_copy) goto error;
-    memcpy(value_copy, value, value_length);
-    value_copy[value_length] = '\0';
+    memcpy(value_copy, value, length);
+    value_copy[length] = '\0';
 
-    SCALAR_NODE_INIT(node, tag_copy, value_copy, value_length, style, mark, mark);
+    SCALAR_NODE_INIT(node, tag_copy, value_copy, length, style, mark, mark);
     if (!PUSH(&context, document->nodes, node)) goto error;
 
-    ret = document->nodes.top - document->nodes.start;
-#if PTRDIFF_MAX > INT_MAX
-    if (ret > INT_MAX) goto error;
-#endif
-    return (int)ret;
+    return document->nodes.top - document->nodes.start;
 
 error:
     yaml_free(tag_copy);
@@ -1268,7 +1255,6 @@ yaml_document_add_sequence(yaml_document_t *document,
         yaml_node_item_t *top;
     } items = { NULL, NULL, NULL };
     yaml_node_t node;
-    ptrdiff_t ret;
 
     assert(document);   /* Non-NULL document object is expected. */
 
@@ -1286,11 +1272,7 @@ yaml_document_add_sequence(yaml_document_t *document,
             style, mark, mark);
     if (!PUSH(&context, document->nodes, node)) goto error;
 
-    ret = document->nodes.top - document->nodes.start;
-#if PTRDIFF_MAX > INT_MAX
-    if (ret > INT_MAX) goto error;
-#endif
-    return (int)ret;
+    return document->nodes.top - document->nodes.start;
 
 error:
     STACK_DEL(&context, items);
@@ -1318,7 +1300,6 @@ yaml_document_add_mapping(yaml_document_t *document,
         yaml_node_pair_t *top;
     } pairs = { NULL, NULL, NULL };
     yaml_node_t node;
-    ptrdiff_t ret;
 
     assert(document);   /* Non-NULL document object is expected. */
 
@@ -1336,11 +1317,7 @@ yaml_document_add_mapping(yaml_document_t *document,
             style, mark, mark);
     if (!PUSH(&context, document->nodes, node)) goto error;
 
-    ret = document->nodes.top - document->nodes.start;
-#if PTRDIFF_MAX > INT_MAX
-    if (ret > INT_MAX) goto error;
-#endif
-    return (int)ret;
+    return document->nodes.top - document->nodes.start;
 
 error:
     STACK_DEL(&context, pairs);

ext/psych/yaml/config.h

@@ -1,10 +1,10 @@
 #define PACKAGE_NAME "yaml"
 #define PACKAGE_TARNAME "yaml"
-#define PACKAGE_VERSION "0.1.6"
-#define PACKAGE_STRING "yaml 0.1.6"
-#define PACKAGE_BUGREPORT "http://pyyaml.org/newticket?component libyaml"
-#define PACKAGE_URL ""
+#define PACKAGE_VERSION "0.1.7"
+#define PACKAGE_STRING "yaml 0.1.7"
+#define PACKAGE_BUGREPORT "https://github.com/yaml/libyaml/issues"
+#define PACKAGE_URL "https://github.com/yaml/libyaml"
 #define YAML_VERSION_MAJOR 0
 #define YAML_VERSION_MINOR 1
-#define YAML_VERSION_PATCH 6
-#define YAML_VERSION_STRING "0.1.6"
+#define YAML_VERSION_PATCH 7
+#define YAML_VERSION_STRING "0.1.7"

ext/psych/yaml/emitter.c

@@ -53,7 +53,7 @@
 #define WRITE_BREAK(emitter,string)                                             \
     (FLUSH(emitter)                                                             \
      && (CHECK(string,'\n') ?                                                   \
-         ((void)PUT_BREAK(emitter),                                             \
+         (PUT_BREAK(emitter),                                                   \
           string.pointer ++,                                                    \
           1) :                                                                  \
          (COPY(emitter->buffer,string),                                         \
@@ -221,7 +221,7 @@ yaml_emitter_write_indent(yaml_emitter_t *emitter);
 
 static int
 yaml_emitter_write_indicator(yaml_emitter_t *emitter,
-        const char *indicator, int need_whitespace,
+        char *indicator, int need_whitespace,
         int is_whitespace, int is_indention);
 
 static int
@@ -1493,7 +1493,7 @@ yaml_emitter_analyze_scalar(yaml_emitter_t *emitter,
     int break_space = 0;
     int space_break = 0;
 
-    int preceeded_by_whitespace = 0;
+    int preceded_by_whitespace = 0;
     int followed_by_whitespace = 0;
     int previous_space = 0;
     int previous_break = 0;
@@ -1524,7 +1524,7 @@ yaml_emitter_analyze_scalar(yaml_emitter_t *emitter,
         flow_indicators = 1;
     }
 
-    preceeded_by_whitespace = 1;
+    preceded_by_whitespace = 1;
     followed_by_whitespace = IS_BLANKZ_AT(string, WIDTH(string));
 
     while (string.pointer != string.end)
@@ -1570,7 +1570,7 @@ yaml_emitter_analyze_scalar(yaml_emitter_t *emitter,
                 }
             }
 
-            if (CHECK(string, '#') && preceeded_by_whitespace) {
+            if (CHECK(string, '#') && preceded_by_whitespace) {
                 flow_indicators = 1;
                 block_indicators = 1;
             }
@@ -1619,7 +1619,7 @@ yaml_emitter_analyze_scalar(yaml_emitter_t *emitter,
             previous_break = 0;
         }
 
-        preceeded_by_whitespace = IS_BLANKZ(string);
+        preceded_by_whitespace = IS_BLANKZ(string);
         MOVE(string);
         if (string.pointer != string.end) {
             followed_by_whitespace = IS_BLANKZ_AT(string, WIDTH(string));
@@ -1784,7 +1784,7 @@ yaml_emitter_write_indent(yaml_emitter_t *emitter)
 
 static int
 yaml_emitter_write_indicator(yaml_emitter_t *emitter,
-        const char *indicator, int need_whitespace,
+        char *indicator, int need_whitespace,
         int is_whitespace, int is_indention)
 {
     size_t indicator_length;
@@ -2178,7 +2178,7 @@ yaml_emitter_write_block_scalar_hints(yaml_emitter_t *emitter,
         yaml_string_t string)
 {
     char indent_hint[2];
-    const char *chomp_hint = NULL;
+    char *chomp_hint = NULL;
 
     if (IS_SPACE(string) || IS_BREAK(string))
     {