Bug#991093: unblock: mruby/2.1.2-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package mruby
[ Reason ]
This fixes the use-after-free issue. (CVE-2020-36401)
[ Impact ]
It will be attacked by exploiting the use-after-free vulnerability.
[ Tests ]
No automated tests for this issue, but no regressions related
to the backported patches were reported to upstream.
[ Risks ]
This package is a leaf package. No other package depends on this.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock mruby/2.1.2-3
Best regards,
Nobuhiro
diff -Nru mruby-2.1.2/debian/changelog mruby-2.1.2/debian/changelog
--- mruby-2.1.2/debian/changelog 2020-12-27 14:14:43.000000000 +0900
+++ mruby-2.1.2/debian/changelog 2021-07-12 16:23:01.000000000 +0900
@@ -1,3 +1,11 @@
+mruby (2.1.2-3) unstable; urgency=medium
+
+ * Fix CVE-2020-36401.
+ Fixed the use-after-free problem. Add d/patches/Fix-CVE-2020-36401.patch.
+ This patch is included 9cdf439db5 and 97319697c8 from upstream.
+
+ -- Nobuhiro Iwamatsu <iwamatsu@debian.org> Mon, 12 Jul 2021 16:23:01 +0900
+
mruby (2.1.2-2) unstable; urgency=medium
* Add d/upstream/metadata.
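Review bot: the new 2.1.2-3 entry has no `Closes: #990540`, although the patch header added by this same upload names that bug in its `Bug-Debian` field. If that report is the one tracking CVE-2020-36401, appending `(Closes: #990540)` to the `Fix CVE-2020-36401.` line lets the upload close it. The line "This patch is included 9cdf439db5 and 97319697c8 from upstream" would read better as "This patch includes ...", and it should say that the second commit cancels the `mrb_free` call added by the first, since that is what a reader of the changelog needs to know.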
diff -Nru mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch
--- mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch 1970-01-01 09:00:00.000000000 +0900
+++ mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch 2021-07-12 16:23:01.000000000 +0900
@@ -0,0 +1,71 @@
+Description: Fix the use-after-free problem
+Author: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
+Origin: upstream, https://github.com/mruby/mruby/commit/9cdf439db52b66447b4e37c61179d54fad6c8f33
+ https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990540
+Last-Update: 2021-07-12
+
+From 9cdf439db52b66447b4e37c61179d54fad6c8f33 Mon Sep 17 00:00:00 2001
+From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
+Date: Tue, 23 Jun 2020 13:19:10 +0900
+Subject: [PATCH] Free the original pointer if `realloc` failed.
+
+The POSIX `realloc` keep the original pointer untouched, so it can
+easily leads to memory leakage. `mrb_realloc()` should handle those
+bookkeeping, while `mrb_realloc_simple()` keeps the original `realloc`
+behavior.
+---
+ src/gc.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/src/gc.c b/src/gc.c
+index 03c561d35..6c83911d5 100644
+--- a/src/gc.c
++++ b/src/gc.c
+@@ -225,14 +225,9 @@ mrb_realloc(mrb_state *mrb, void *p, size_t len)
+ p2 = mrb_realloc_simple(mrb, p, len);
+ if (len == 0) return p2;
+ if (p2 == NULL) {
+- if (mrb->gc.out_of_memory) {
+- mrb_raise_nomemory(mrb);
+- /* mrb_panic(mrb); */
+- }
+- else {
+- mrb->gc.out_of_memory = TRUE;
+- mrb_raise_nomemory(mrb);
+- }
++ mrb_free(mrb, p);
++ mrb->gc.out_of_memory = TRUE;
++ mrb_raise_nomemory(mrb);
+ }
+ else {
+ mrb->gc.out_of_memory = FALSE;
+--
+2.32.0
+
+From 97319697c8f9f6ff27b32589947e1918e3015503 Mon Sep 17 00:00:00 2001
+From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
+Date: Thu, 2 Jul 2020 10:41:03 +0900
+Subject: [PATCH] Cancel 9cdf439
+
+Should not free the pointer in `realloc` since it can cause
+use-after-free problem.
+---
+ src/gc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/gc.c b/src/gc.c
+index 6c83911d5..e1892080f 100644
+--- a/src/gc.c
++++ b/src/gc.c
+@@ -225,7 +225,6 @@ mrb_realloc(mrb_state *mrb, void *p, size_t len)
+ p2 = mrb_realloc_simple(mrb, p, len);
+ if (len == 0) return p2;
+ if (p2 == NULL) {
+- mrb_free(mrb, p);
+ mrb->gc.out_of_memory = TRUE;
+ mrb_raise_nomemory(mrb);
+ }
+--
+2.32.0
+
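Review bot: applied in order, the two embedded commits leave `mrb_realloc` with no `mrb_free(mrb, p)` in the `p2 == NULL` branch, and the pre-image of the first commit (the `-` lines under `@@ -225,14 +225,9 @@`) has no such call either, so the net change against that pre-image is only the collapse of the `if (mrb->gc.out_of_memory)` / `else` pair into two statements. Both removed branches already ended in `mrb_raise_nomemory(mrb)` with `out_of_memory` set, which means the visible lines do not show a freeing behaviour being removed from the packaged source. Please confirm that the 2.1.2 `src/gc.c` matches the first commit's pre-image and, if it does, state in `Description:` what the combined patch changes relative to 2.1.2. Shipping the net diff as a single hunk instead of stacking both commits would also avoid an intermediate state that contains the `mrb_free(mrb, p)` line the second commit message calls a use-after-free risk.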
diff -Nru mruby-2.1.2/debian/patches/series mruby-2.1.2/debian/patches/series
--- mruby-2.1.2/debian/patches/series 2020-12-27 14:14:43.000000000 +0900
+++ mruby-2.1.2/debian/patches/series 2021-07-12 16:23:01.000000000 +0900
@@ -1,3 +1,4 @@
Change-optimize-O2-on-build-system-of-Debian.patch
add_fpic_amd64.patch
Skip-mruby-tty-test-in-io.patch
+Fix-CVE-2020-36401.patch