
Bug#991093: unblock: mruby/2.1.2-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mruby

[ Reason ]
This fixes the use-after-free issue. (CVE-2020-36401)

[ Impact ]
It will be attacked by exploiting the use-after-free vulnerability.

[ Tests ]
No automated tests for this issue, but no regressions related
to the backported patches were reported to upstream.

[ Risks ]
This package is a leaf package. No other package depends on this.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock mruby/2.1.2-3

Best regards,
  Nobuhiro
diff -Nru mruby-2.1.2/debian/changelog mruby-2.1.2/debian/changelog
--- mruby-2.1.2/debian/changelog	2020-12-27 14:14:43.000000000 +0900
+++ mruby-2.1.2/debian/changelog	2021-07-12 16:23:01.000000000 +0900
@@ -1,3 +1,11 @@
+mruby (2.1.2-3) unstable; urgency=medium
+
+  * Fix CVE-2020-36401.
+    Fixed the use-after-free problem. Add d/patches/Fix-CVE-2020-36401.patch.
+    This patch is included 9cdf439db5 and 97319697c8 from upstream.
+
+ -- Nobuhiro Iwamatsu <iwamatsu@debian.org>  Mon, 12 Jul 2021 16:23:01 +0900
+
 mruby (2.1.2-2) unstable; urgency=medium
 
   * Add d/upstream/metadata.
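Review bot: the new 2.1.2-3 changelog entry does not close the Debian bug that the patch header points at (Bug-Debian: bug=990540); adding "(Closes: #990540)" to the "Fix CVE-2020-36401." item would let the upload close it automatically. The sentence "This patch is included 9cdf439db5 and 97319697c8 from upstream." would also read more clearly as "This patch includes upstream commits 9cdf439db5 and 97319697c8."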
diff -Nru mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch
--- mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch	1970-01-01 09:00:00.000000000 +0900
+++ mruby-2.1.2/debian/patches/Fix-CVE-2020-36401.patch	2021-07-12 16:23:01.000000000 +0900
@@ -0,0 +1,71 @@
+Description: Fix the use-after-free problem
+Author: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
+Origin: upstream, https://github.com/mruby/mruby/commit/9cdf439db52b66447b4e37c61179d54fad6c8f33
+  https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990540
+Last-Update: 2021-07-12
+
+From 9cdf439db52b66447b4e37c61179d54fad6c8f33 Mon Sep 17 00:00:00 2001
+From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
+Date: Tue, 23 Jun 2020 13:19:10 +0900
+Subject: [PATCH] Free the original pointer if `realloc` failed.
+
+The POSIX `realloc` keep the original pointer untouched, so it can
+easily leads to memory leakage. `mrb_realloc()` should handle those
+bookkeeping, while `mrb_realloc_simple()` keeps the original `realloc`
+behavior.
+---
+ src/gc.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/src/gc.c b/src/gc.c
+index 03c561d35..6c83911d5 100644
+--- a/src/gc.c
++++ b/src/gc.c
+@@ -225,14 +225,9 @@ mrb_realloc(mrb_state *mrb, void *p, size_t len)
+   p2 = mrb_realloc_simple(mrb, p, len);
+   if (len == 0) return p2;
+   if (p2 == NULL) {
+-    if (mrb->gc.out_of_memory) {
+-      mrb_raise_nomemory(mrb);
+-      /* mrb_panic(mrb); */
+-    }
+-    else {
+-      mrb->gc.out_of_memory = TRUE;
+-      mrb_raise_nomemory(mrb);
+-    }
++    mrb_free(mrb, p);
++    mrb->gc.out_of_memory = TRUE;
++    mrb_raise_nomemory(mrb);
+   }
+   else {
+     mrb->gc.out_of_memory = FALSE;
+-- 
+2.32.0
+
+From 97319697c8f9f6ff27b32589947e1918e3015503 Mon Sep 17 00:00:00 2001
+From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
+Date: Thu, 2 Jul 2020 10:41:03 +0900
+Subject: [PATCH] Cancel 9cdf439
+
+Should not free the pointer in `realloc` since it can cause
+use-after-free problem.
+---
+ src/gc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/gc.c b/src/gc.c
+index 6c83911d5..e1892080f 100644
+--- a/src/gc.c
++++ b/src/gc.c
+@@ -225,7 +225,6 @@ mrb_realloc(mrb_state *mrb, void *p, size_t len)
+   p2 = mrb_realloc_simple(mrb, p, len);
+   if (len == 0) return p2;
+   if (p2 == NULL) {
+-    mrb_free(mrb, p);
+     mrb->gc.out_of_memory = TRUE;
+     mrb_raise_nomemory(mrb);
+   }
+-- 
+2.32.0
+
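Review bot: the two upstream commits carried in Fix-CVE-2020-36401.patch cancel each other on the one line that matters for a use-after-free. 9cdf439 adds mrb_free(mrb, p) to the p2 == NULL branch of mrb_realloc(), and 97319697 removes it again, while the lines that 9cdf439 deletes contain no mrb_free call at all. As far as these lines show, the net change to src/gc.c is only the collapse of the mrb->gc.out_of_memory if/else into an unconditional assignment followed by mrb_raise_nomemory(mrb). Please confirm that the packaged 2.1.2 gc.c actually contains the freeing behaviour that CVE-2020-36401 describes before this is recorded as the fix. In either case a single net diff against the packaged source would be easier to audit than two concatenated format-patch mails under one DEP-3 header.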
diff -Nru mruby-2.1.2/debian/patches/series mruby-2.1.2/debian/patches/series
--- mruby-2.1.2/debian/patches/series	2020-12-27 14:14:43.000000000 +0900
+++ mruby-2.1.2/debian/patches/series	2021-07-12 16:23:01.000000000 +0900
@@ -1,3 +1,4 @@
 Change-optimize-O2-on-build-system-of-Debian.patch
 add_fpic_amd64.patch
 Skip-mruby-tty-test-in-io.patch
+Fix-CVE-2020-36401.patch
