Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package mruby

[ Reason ]
This fixes the use-after-free issue. (CVE-2020-36401)

[ Impact ]
It will be attacked by exploiting the use-after-free vulnerability.

[ Tests ]
No automated tests for this issue, but no regressions related to the backported patches were reported to upstream.

[ Risks ]
This package is a leaf package. No other package depends on it.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock mruby/2.1.2-3

Best regards,
Nobuhiro
diff -Nru mruby-2.1.2/debian/changelog mruby-2.1.2/debian/changelog --- mruby-2.1.2/debian/changelog 2020-12-27 14:14:43.000000000 +0900 +++ mruby-2.1.2/debian/changelog 2021-07-12 16:23:01.000000000 +0900 @@ -1,3 +1,11 @@ +mruby (2.1.2-3) unstable; urgency=medium + + * Fix CVE-2020-36401. + Fixed the use-after-free problem. Add d/patches/Fix-CVE-2020-36401.patch. + This patch is included 9cdf439db5 and 97319697c8 from upstream. + + -- Nobuhiro Iwamatsu <iwama...@debian.org> Mon, 12 Jul 2021 16:23:01 +0900 + mruby (2.1.2-2) unstable; urgency=medium * Add d/upstream/metadata. diff -Nru mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch --- mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch 1970-01-01 09:00:00.000000000 +0900 +++ mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch 2021-07-12 16:23:01.000000000 +0900 
@@ -0,0 +1,71 @@ +Description: Fix the use-after-free problem +Author: "Yukihiro \"Matz\" Matsumoto" <m...@ruby.or.jp> +Origin: upstream, https://github.com/mruby/mruby/commit/9cdf439db52b66447b4e37c61179d54fad6c8f33 + https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990540 +Last-Update: 2021-07-12 + +From 9cdf439db52b66447b4e37c61179d54fad6c8f33 Mon Sep 17 00:00:00 2001 +From: "Yukihiro \"Matz\" Matsumoto" <m...@ruby.or.jp> +Date: Tue, 23 Jun 2020 13:19:10 +0900 +Subject: [PATCH] Free the original pointer if `realloc` failed. + +The POSIX `realloc` keep the original pointer untouched, so it can +easily leads to memory leakage. `mrb_realloc()` should handle those +bookkeeping, while `mrb_realloc_simple()` keeps the original `realloc` +behavior. +--- + src/gc.c | 11 +++-------- + 1 file changed, 3 insertions(+), 8 deletions(-) + +diff --git a/src/gc.c b/src/gc.c +index 03c561d35..6c83911d5 100644 +--- a/src/gc.c ++++ b/src/gc.c +@@ -225,14 +225,9 @@ mrb_realloc(mrb_state *mrb, void *p, size_t len) + p2 = mrb_realloc_simple(mrb, p, len); + if (len == 0) return p2; + if (p2 == NULL) { +- if (mrb->gc.out_of_memory) { +- mrb_raise_nomemory(mrb); +- /* mrb_panic(mrb); */ +- } +- else { +- mrb->gc.out_of_memory = TRUE; +- mrb_raise_nomemory(mrb); +- } ++ mrb_free(mrb, p); ++ mrb->gc.out_of_memory = TRUE; ++ mrb_raise_nomemory(mrb); + } + else { + mrb->gc.out_of_memory = FALSE; +-- +2.32.0 + +From 97319697c8f9f6ff27b32589947e1918e3015503 Mon Sep 17 00:00:00 2001 +From: "Yukihiro \"Matz\" Matsumoto" <m...@ruby.or.jp> +Date: Thu, 2 Jul 2020 10:41:03 +0900 +Subject: [PATCH] Cancel 9cdf439 + +Should not free the pointer in `realloc` since it can cause +use-after-free problem. 
+--- + src/gc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/gc.c b/src/gc.c +index 6c83911d5..e1892080f 100644 +--- a/src/gc.c ++++ b/src/gc.c +@@ -225,7 +225,6 @@ mrb_realloc(mrb_state *mrb, void *p, size_t len) + p2 = mrb_realloc_simple(mrb, p, len); + if (len == 0) return p2; + if (p2 == NULL) { +- mrb_free(mrb, p); + mrb->gc.out_of_memory = TRUE; + mrb_raise_nomemory(mrb); + } +-- +2.32.0 + diff -Nru mruby-2.1.2/debian/patches/series mruby-2.1.2/debian/patches/series --- mruby-2.1.2/debian/patches/series 2020-12-27 14:14:43.000000000 +0900 +++ mruby-2.1.2/debian/patches/series 2021-07-12 16:23:01.000000000 +0900 @@ -1,3 +1,4 @@ Change-optimize-O2-on-build-system-of-Debian.patch add_fpic_amd64.patch Skip-mruby-tty-test-in-io.patch +Fix-CVE-2020-36401.patch
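Review bot: the debian/changelog hunk never closes the bug that the patch header itself cites (`+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990540`); add `(Closes: #990540)` to the `+ * Fix CVE-2020-36401.` line so the BTS is updated on upload. The line `+ This patch is included 9cdf439db5 and 97319697c8 from upstream.` also reads awkwardly; `This patch includes upstream commits 9cdf439db5 and 97319697c8` is clearer, and it is worth stating that the second commit reverts the `mrb_free` call the first one introduced.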
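Review bot: the two upstream commits bundled in Fix-CVE-2020-36401.patch cancel each other out as far as the freed pointer goes, so the net effect on `mrb_realloc()` is only the removal of the `if (mrb->gc.out_of_memory)` branch; after both hunks the failure path is `mrb->gc.out_of_memory = TRUE;` followed by `mrb_raise_nomemory(mrb);`, which is exactly what the pre-patch else branch already did (the pre-patch if branch differed only by not re-assigning a flag that was already TRUE). The first hunk (`@@ -225,14 +225,9 @@`) only applies cleanly if the packaged 2.1.2 tree still carries that old if/else, i.e. if it never contained the `mrb_free(mrb, p);` call that constitutes the use-after-free. Please verify against the orig tarball's src/gc.c whether 9cdf439 is actually present: if it is not, the package is not affected and the changelog should describe this as a no-op cleanup rather than a CVE fix; if it is, the first hunk will fail to apply and only the second commit is needed.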