[jruby] 01/01: Fix CVE-2018-1000074, CVE-2018-1000075, CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078

Markus Koschany apo at moszumanska.debian.org
Sun Apr 29 22:42:48 BST 2018



apo pushed a commit to branch jessie
in repository jruby.

commit 77b2be25836829422ff05dd98a23a4247bf89e8b
Author: Markus Koschany <apo at debian.org>
Date:   Sun Apr 29 23:41:40 2018 +0200

    Fix CVE-2018-1000074, CVE-2018-1000075, CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078
---
 debian/patches/CVE-2018-1000074.patch | 22 +++++++++
 debian/patches/CVE-2018-1000075.patch | 91 +++++++++++++++++++++++++++++++++++
 debian/patches/CVE-2018-1000076.patch | 87 +++++++++++++++++++++++++++++++++
 debian/patches/CVE-2018-1000077.patch | 67 ++++++++++++++++++++++++++
 debian/patches/CVE-2018-1000078.patch | 18 +++++++
 debian/patches/series                 |  5 ++
 6 files changed, 290 insertions(+)

diff --git a/debian/patches/CVE-2018-1000074.patch b/debian/patches/CVE-2018-1000074.patch
new file mode 100644
index 0000000..02f4926
--- /dev/null
+++ b/debian/patches/CVE-2018-1000074.patch
@@ -0,0 +1,22 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 17 Apr 2018 22:25:40 +0200
+Subject: CVE-2018-1000074
+
+Origin: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
+---
+ lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb b/lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb
+index e88734e..4bb8302 100644
+--- a/lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb
++++ b/lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb
+@@ -43,7 +43,7 @@ class Gem::Commands::OwnerCommand < Gem::Command
+     end
+ 
+     with_response response do |resp|
+-      owners = YAML.load resp.body
++      owners = Gem::SafeYAML.load resp.body
+ 
+       say "Owners for gem: #{name}"
+       owners.each do |owner|
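Review bot: The replacement `owners = Gem::SafeYAML.load resp.body` only works if `Gem::SafeYAML` is defined in this tree, and the patch's diffstat touches nothing but owner_command.rb; the upstream rubygems change relies on `rubygems/safe_yaml`, which the 1.8-era site_ruby copy bundled here may not ship. If it is absent the command fails with a NameError before the response body is parsed, which is at least not the unsafe `YAML.load` on server-controlled data, but it is not a working fix either. Confirm that `Gem::SafeYAML` resolves in this tree; if it does not, carry the safe_yaml loader alongside this patch and add `require 'rubygems/safe_yaml'` at the top of owner_command.rb. The method containing the `with_response` block starts outside the hunk.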
diff --git a/debian/patches/CVE-2018-1000075.patch b/debian/patches/CVE-2018-1000075.patch
new file mode 100644
index 0000000..d6f4bd2
--- /dev/null
+++ b/debian/patches/CVE-2018-1000075.patch
@@ -0,0 +1,91 @@
+From 92e98bf8f810bd812f919120d4832df51bc25d83 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins at segiddins.me>
+Date: Sun, 11 Feb 2018 22:00:03 -0800
+Subject: [PATCH] Strictly interpret octal fields in tar headers
+
+Any octal field that contains characters other that 0-7 will cause acn
+exception to be raised.
+
+This prevents a negative size from being set, which could cause an
+infinite loop.
+---
+ lib/rubygems/package/tar_header.rb           | 23 ++++++++++++++---------
+ test/rubygems/test_gem_package_tar_header.rb | 20 ++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 9 deletions(-)
+
+Index: jruby/lib/ruby/site_ruby/1.8/rubygems/package/tar_header.rb
+===================================================================
+--- jruby.orig/lib/ruby/site_ruby/1.8/rubygems/package/tar_header.rb
++++ jruby/lib/ruby/site_ruby/1.8/rubygems/package/tar_header.rb
+@@ -102,20 +102,20 @@ class Gem::Package::TarHeader
+     fields = header.unpack UNPACK_FORMAT
+ 
+     name     = fields.shift
+-    mode     = fields.shift.oct
+-    uid      = fields.shift.oct
+-    gid      = fields.shift.oct
+-    size     = fields.shift.oct
+-    mtime    = fields.shift.oct
+-    checksum = fields.shift.oct
++    mode     = strict_oct(fields.shift)
++    uid      = strict_oct(fields.shift)
++    gid      = strict_oct(fields.shift)
++    size     = strict_oct(fields.shift)
++    mtime    = strict_oct(fields.shift)
++    checksum = strict_oct(fields.shift)
+     typeflag = fields.shift
+     linkname = fields.shift
+     magic    = fields.shift
+-    version  = fields.shift.oct
++    version  = strict_oct(fields.shift)
+     uname    = fields.shift
+     gname    = fields.shift
+-    devmajor = fields.shift.oct
+-    devminor = fields.shift.oct
++    devmajor = strict_oct(fields.shift)
++    devminor = strict_oct(fields.shift)
+     prefix   = fields.shift
+ 
+     new :name     => name,
+@@ -158,6 +158,11 @@ class Gem::Package::TarHeader
+     #    :empty => empty
+   end
+ 
++  def self.strict_oct(str)
++    return str.oct if str =~ /\A[0-7]*\z/
++    raise ArgumentError, "#{str.inspect} is not an octal string"
++  end
++
+   ##
+   # Creates a new TarHeader using +vals+
+ 
+Index: jruby/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
+===================================================================
+--- jruby.orig/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
++++ jruby/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
+@@ -132,5 +132,25 @@ group\000\000\000\000\000\000\000\000\00
+     assert_equal '012467', @tar_header.checksum
+   end
+ 
++  def test_from_bad_octal
++    test_cases = [
++      "00000006,44\000", # bogus character
++      "00000006789\000", # non-octal digit
++      "+0000001234\000", # positive sign
++      "-0000001000\000", # negative sign
++      "0x000123abc\000", # radix prefix
++    ]
++
++    test_cases.each do |val|
++      header_s = @tar_header.to_s
++      # overwrite the size field
++      header_s[124, 12] = val
++      io = TempIO.new header_s
++      assert_raises ArgumentError do
++        new_header = Gem::Package::TarHeader.from io
++      end
++    end
++  end
++
+ end
+ 
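Review bot: `self.strict_oct` accepts only `/\A[0-7]*\z/`, so a numeric field with leading space padding, which `"  644".oct` parsed before this change, is now rejected with ArgumentError; whether the `A` directives in `UNPACK_FORMAT` remove leading as well as trailing padding is not visible in the hunk, and later upstream versions of this same method strip the field before matching for that reason. A one-line guard keeps the strictness while tolerating padding: `return str.strip.oct if str.strip =~ /\A[0-7]*\z/`. Note also that the failure surfaces as a bare ArgumentError rather than `Gem::Package::FormatError`, so callers of `TarHeader.from` that only rescue FormatError will propagate it; the added test pins ArgumentError, so changing the class would need the test updated too. The `from` method's signature and its `new` call sit outside the inner hunk.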
diff --git a/debian/patches/CVE-2018-1000076.patch b/debian/patches/CVE-2018-1000076.patch
new file mode 100644
index 0000000..327da1a
--- /dev/null
+++ b/debian/patches/CVE-2018-1000076.patch
@@ -0,0 +1,87 @@
+From f5042b879259b1f1ce95a0c5082622c646376693 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins at segiddins.me>
+Date: Sun, 11 Feb 2018 20:47:37 -0800
+Subject: [PATCH] Raise a security error when there are duplicate files in a
+ package
+
+This is a rudimentary fix for an issue where RubyGems would allow a
+mis-signed gem to be installed, as the tarball would contain multiple
+gem signatures.
+
+Nothing should give us a tarball with multiple entries, so we'll just
+disallow that.
+---
+ lib/rubygems/package.rb            |  4 ++++
+ lib/rubygems/package/tar_writer.rb |  2 ++
+ test/rubygems/test_gem_package.rb  | 34 +++++++++++++++++++++++++++++++++-
+ 3 files changed, 39 insertions(+), 1 deletion(-)
+
+Index: jruby/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb
+===================================================================
+--- jruby.orig/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb
++++ jruby/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb
+@@ -53,6 +53,33 @@ class TestGemPackageTarOutput < TarTestC
+     gz.close if gz
+   end
+ 
++  def test_verify_duplicate_file
++    FileUtils.mkdir_p 'lib'
++    FileUtils.touch 'lib/code.rb'
++
++    build = Gem::Package.new @gem
++    build.spec = @spec
++    build.setup_signer
++    open @gem, 'wb' do |gem_io|
++      Gem::Package::TarWriter.new gem_io do |gem|
++        build.add_metadata gem
++        build.add_contents gem
++
++        gem.add_file_simple 'a.sig', 0444, 0
++        gem.add_file_simple 'a.sig', 0444, 0
++      end
++    end
++
++    package = Gem::Package.new @gem
++
++    e = assert_raises Gem::Security::Exception do
++      package.verify
++    end
++
++    assert_equal 'duplicate files in the package: ("a.sig")', e.message
++  end
++
++
+   if defined? OpenSSL then
+     def test_self_open_signed
+       signer = Gem::Security::Signer.new @private_key, [@public_cert]
+Index: jruby/lib/ruby/site_ruby/1.8/rubygems/package/tar_input.rb
+===================================================================
+--- jruby.orig/lib/ruby/site_ruby/1.8/rubygems/package/tar_input.rb
++++ jruby/lib/ruby/site_ruby/1.8/rubygems/package/tar_input.rb
+@@ -24,12 +24,15 @@ class Gem::Package::TarInput
+   def initialize(io, security_policy = nil)
+     @io = io
+     @tarreader = Gem::Package::TarReader.new @io
++    @files     = []
+     has_meta = false
+ 
+     data_sig, meta_sig, data_dgst, meta_dgst = nil, nil, nil, nil
+     dgst_algo = security_policy ? Gem::Security::OPT[:dgst_algo] : nil
+ 
+     @tarreader.each do |entry|
++      file_name = entry.full_name
++      @files << file_name
+       case entry.full_name
+       when "metadata"
+         @metadata = load_gemspec entry.read
+@@ -109,6 +112,10 @@ class Gem::Package::TarInput
+     @fileops = Gem::FileOperations.new
+ 
+     raise Gem::Package::FormatError, "No metadata found!" unless has_meta
++
++    if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
++      raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
++    end
+   end
+ 
+   def close
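Review bot: The added `test_verify_duplicate_file` drives the rubygems 2.x `Gem::Package` instance API (`Gem::Package.new`, `spec=`, `setup_signer`, `add_metadata`, `verify`), while the fix itself lands in the older `Gem::Package::TarInput#initialize`; unless this tree also provides that API, the test cannot reach the new check and would be better written against `Gem::Package::TarInput.open` on a tarball with two `a.sig` entries, asserting `Gem::Security::Exception` there. The duplicate check itself hides an assignment inside an `if ... and` condition; clearer and equivalent is `duplicates = @files.group_by { |f| f }.select { |_, v| v.size > 1 }.map(&:first)` followed by `raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})" unless duplicates.empty?`. The `case entry.full_name` line could also reuse the `file_name` local introduced just above it. `initialize` runs across the gap between the two inner hunks.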
diff --git a/debian/patches/CVE-2018-1000077.patch b/debian/patches/CVE-2018-1000077.patch
new file mode 100644
index 0000000..b31059e
--- /dev/null
+++ b/debian/patches/CVE-2018-1000077.patch
@@ -0,0 +1,67 @@
+From feadefc2d351dcb95d6492f5ad17ebca546eb964 Mon Sep 17 00:00:00 2001
+From: Jonathan Claudius <jclaudius at mozilla.com>
+Date: Fri, 2 Feb 2018 00:09:29 -0500
+Subject: [PATCH] Enforce URL validation on spec homepage attribute
+
+---
+ lib/rubygems/specification.rb           | 15 +++++++++++----
+ test/rubygems/test_gem_specification.rb | 13 +++++++++++++
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+Index: jruby/lib/ruby/site_ruby/1.8/rubygems/specification.rb
+===================================================================
+--- jruby.orig/lib/ruby/site_ruby/1.8/rubygems/specification.rb
++++ jruby/lib/ruby/site_ruby/1.8/rubygems/specification.rb
+@@ -7,6 +7,7 @@
+ require 'rubygems/version'
+ require 'rubygems/requirement'
+ require 'rubygems/platform'
++require 'uri'
+ 
+ # :stopdoc:
+ class Date; end # for ruby_code if date.rb wasn't required
+@@ -891,10 +892,16 @@ class Gem::Specification
+             '"FIXME" or "TODO" is not a summary'
+     end
+ 
+-    if homepage and not homepage.empty? and
+-       homepage !~ /\A[a-z][a-z\d+.-]*:/i then
+-      raise Gem::InvalidSpecificationException,
+-            "\"#{homepage}\" is not a URI"
++    # Make sure a homepage is valid HTTP/HTTPS URI
++    if homepage and not homepage.empty?
++      begin
++        homepage_uri = URI.parse(homepage)
++        unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
++          raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI"
++        end
++      rescue URI::InvalidURIError
++        raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI"
++      end
+     end
+ 
+     # Warnings
+Index: jruby/test/externals/ruby1.9/rubygems/test_gem_specification.rb
+===================================================================
+--- jruby.orig/test/externals/ruby1.9/rubygems/test_gem_specification.rb
++++ jruby/test/externals/ruby1.9/rubygems/test_gem_specification.rb
+@@ -1134,6 +1134,19 @@ end
+       end
+ 
+       assert_equal '"over at my cool site" is not a URI', e.message
++
++      @a1.homepage = 'ftp://rubygems.org'
++
++      e = assert_raises Gem::InvalidSpecificationException do
++        @a1.validate
++      end
++
++      assert_equal '"ftp://rubygems.org" is not a URI', e.message
++
++      @a1.homepage = 'http://rubygems.org'
++
++      assert_equal true, @a1.validate
++
+     end
+   end
+ 
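Review bot: `[URI::HTTP, URI::HTTPS].member? homepage_uri.class` tests for an exact class, and since `URI::HTTPS` is a subclass of `URI::HTTP` the same rule reads more directly as `unless homepage_uri.is_a?(URI::HTTP)`. A string such as `"http:"` still parses as `URI::HTTP` with a nil host, so if the intent is a reachable homepage rather than merely an http-scheme string, extend the condition with `|| homepage_uri.host.nil?`; the existing tests (`ftp://`, a string with spaces, a full `http://` URL) would still pass either way. Both branches raise the identical exception and message, which is fine but worth a comment such as `# any parse failure or non-http scheme is reported the same way`. The `validate` method begins and ends outside the hunk.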
diff --git a/debian/patches/CVE-2018-1000078.patch b/debian/patches/CVE-2018-1000078.patch
new file mode 100644
index 0000000..84683f3
--- /dev/null
+++ b/debian/patches/CVE-2018-1000078.patch
@@ -0,0 +1,18 @@
+From 66a28b9275551384fdab45f3591a82d6b59952cb Mon Sep 17 00:00:00 2001
+From: Jonathan Claudius <jclaudius at mozilla.com>
+Date: Thu, 1 Feb 2018 23:04:33 -0500
+Subject: [PATCH] Fix 289313
+
+Index: jruby/lib/ruby/site_ruby/1.8/rubygems/server.rb
+===================================================================
+--- jruby.orig/lib/ruby/site_ruby/1.8/rubygems/server.rb
++++ jruby/lib/ruby/site_ruby/1.8/rubygems/server.rb
+@@ -619,7 +619,7 @@ div.method-source-code pre { color: #ffd
+         "only_one_executable" => (executables && executables.size == 1),
+         "full_name"           => spec.full_name,
+         "has_deps"            => !deps.empty?,
+-        "homepage"            => spec.homepage,
++        "homepage"            => (URI.parse(spec.homepage).is_a?(URI::HTTP) || URI.parse(spec.homepage).is_a?(URI::HTTPS)) ? spec.homepage : ".",
+         "name"                => spec.name,
+         "rdoc_installed"      => Gem::DocManager.new(spec).rdoc_installed?,
+         "summary"             => spec.summary,
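Review bot: The new `"homepage"` value calls `URI.parse(spec.homepage)` twice with no rescue, so an installed gem whose homepage is nil or not a parseable URI (older specs were never validated, and a spec need not set homepage — confirm in this tree) makes `URI.parse` raise `URI::InvalidURIError` and the whole page fails to render instead of falling back to `"."`. The `|| is_a?(URI::HTTPS)` half is redundant because `URI::HTTPS` subclasses `URI::HTTP`. Moving the decision into a small helper parses once, handles the failure explicitly and keeps the sanitising rule in one place; it also needs `require 'uri'` if server.rb does not already load it through WEBrick. The enclosing method and the hash literal it builds start and end outside the hunk.
```ruby
        "homepage"            => homepage_link(spec),
# … unchanged: remaining template hash entries …

  # Expose the homepage only when it parses as an http/https URI; nil,
  # malformed strings and other schemes render as "." so they are never
  # emitted into the generated page.
  def homepage_link(spec)
    uri = URI.parse(spec.homepage.to_s)
    uri.is_a?(URI::HTTP) ? spec.homepage : "."
  rescue URI::InvalidURIError
    "."
  end
```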
diff --git a/debian/patches/series b/debian/patches/series
index 875449d..163e6c2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,8 @@
 0010-jruby-Set-FD_CLOEXEC-correctly-using-F_SETFD-not-F_S.patch
 0011-java7-compat.patch
 0012-nailgun.patch
+CVE-2018-1000074.patch
+CVE-2018-1000075.patch
+CVE-2018-1000076.patch
+CVE-2018-1000077.patch
+CVE-2018-1000078.patch
