diff --git a/SPECS/ruby/CVE-2026-27820.patch b/SPECS/ruby/CVE-2026-27820.patch new file mode 100644 index 00000000000..461a3794f84 --- /dev/null +++ b/SPECS/ruby/CVE-2026-27820.patch @@ -0,0 +1,60 @@ +From d5c7a178c764c7cad373e56b9177fcabb8c5b5f8 Mon Sep 17 00:00:00 2001 +From: Nobuyoshi Nakada +Date: Wed, 26 Nov 2025 22:30:27 +0900 +Subject: [PATCH] Fix buffer overflow at ungetc + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/ruby/zlib/commit/6cc139d87c498e60bcf38bc9e4f2ac0f2faa0eb1.patch +--- + ext/zlib/zlib.c | 4 +--- + test/zlib/test_zlib.rb | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c +index 3db4d25..6c83428 100644 +--- a/ext/zlib/zlib.c ++++ b/ext/zlib/zlib.c +@@ -851,9 +851,7 @@ zstream_buffer_ungets(struct zstream *z, const Bytef *b, unsigned long len) + char *bufptr; + long filled; + +- if (NIL_P(z->buf) || (long)rb_str_capacity(z->buf) <= ZSTREAM_BUF_FILLED(z)) { +- zstream_expand_buffer_into(z, len); +- } ++ zstream_expand_buffer_into(z, len); + + RSTRING_GETMEM(z->buf, bufptr, filled); + memmove(bufptr + len, bufptr, filled); +diff --git a/test/zlib/test_zlib.rb b/test/zlib/test_zlib.rb +index 502ccce..0609eff 100644 +--- a/test/zlib/test_zlib.rb ++++ b/test/zlib/test_zlib.rb +@@ -876,6 +876,25 @@ if defined? Zlib + assert_equal(-1, r.pos, "[ruby-core:81488][Bug #13616]") + end + ++ def test_ungetc_buffer_underflow ++ initial_bufsize = 1024 ++ payload = "A" * initial_bufsize ++ gzip_io = StringIO.new ++ Zlib::GzipWriter.wrap(gzip_io) { |gz| gz.write(payload) } ++ compressed = gzip_io.string ++ ++ reader = Zlib::GzipReader.new(StringIO.new(compressed)) ++ reader.read(1) ++ overflow_bytes = "B" * (initial_bufsize) ++ reader.ungetc(overflow_bytes) ++ data = reader.read(overflow_bytes.bytesize) ++ assert_equal overflow_bytes.bytesize, data.bytesize, data ++ assert_empty data.delete("B"), data ++ data = reader.read() ++ assert_equal initial_bufsize - 1, data.bytesize, data ++ assert_empty data.delete("A"), data ++ end ++ + def test_open + Tempfile.create("test_zlib_gzip_reader_open") {|t| + t.close +-- +2.45.4 + diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec index f7f9261d42b..cf961233759 100644 --- a/SPECS/ruby/ruby.spec +++ b/SPECS/ruby/ruby.spec @@ -87,7 +87,7 @@ Name: ruby # provides should be versioned according to the ruby version. # More info: https://stdgems.org/ Version: %{ruby_version} -Release: 7%{?dist} +Release: 8%{?dist} License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD Vendor: Microsoft Corporation Distribution: Azure Linux @@ -113,6 +113,7 @@ Patch6: CVE-2025-27221.patch Patch7: CVE-2025-6442.patch Patch8: CVE-2025-24294.patch Patch9: CVE-2025-61594.patch +Patch10: CVE-2026-27820.patch BuildRequires: openssl-devel # Pkgconfig(yaml-0.1) is needed to build the 'psych' gem. BuildRequires: pkgconfig(yaml-0.1) @@ -417,6 +418,9 @@ sudo -u test make test TESTS="-v" %{_rpmconfigdir}/rubygems.con %changelog +* Sat Apr 25 2026 Azure Linux Security Servicing Account - 3.3.5-8 +- Patch for CVE-2026-27820 + * Mon Jan 05 2026 Azure Linux Security Servicing Account - 3.3.5-7 - Patch for CVE-2025-61594