[jruby] 01/01: Fix CVE-2018-1000074, CVE-2018-1000075, CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078
Markus Koschany
apo at moszumanska.debian.org
Sun Apr 29 22:42:48 BST 2018
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch jessie
in repository jruby.
commit 77b2be25836829422ff05dd98a23a4247bf89e8b
Author: Markus Koschany <apo at debian.org>
Date: Sun Apr 29 23:41:40 2018 +0200
Fix CVE-2018-1000074, CVE-2018-1000075, CVE-2018-1000076, CVE-2018-1000077, CVE-2018-1000078
---
debian/patches/CVE-2018-1000074.patch | 22 +++++++++
debian/patches/CVE-2018-1000075.patch | 91 +++++++++++++++++++++++++++++++++++
debian/patches/CVE-2018-1000076.patch | 87 +++++++++++++++++++++++++++++++++
debian/patches/CVE-2018-1000077.patch | 67 ++++++++++++++++++++++++++
debian/patches/CVE-2018-1000078.patch | 18 +++++++
debian/patches/series | 5 ++
6 files changed, 290 insertions(+)
diff --git a/debian/patches/CVE-2018-1000074.patch b/debian/patches/CVE-2018-1000074.patch
new file mode 100644
index 0000000..02f4926
--- /dev/null
+++ b/debian/patches/CVE-2018-1000074.patch
@@ -0,0 +1,22 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 17 Apr 2018 22:25:40 +0200
+Subject: CVE-2018-1000074
+
+Origin: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
+---
+ lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb b/lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb
+index e88734e..4bb8302 100644
+--- a/lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb
++++ b/lib/ruby/site_ruby/1.8/rubygems/commands/owner_command.rb
+@@ -43,7 +43,7 @@ class Gem::Commands::OwnerCommand < Gem::Command
+ end
+
+ with_response response do |resp|
+- owners = YAML.load resp.body
++ owners = Gem::SafeYAML.load resp.body
+
+ say "Owners for gem: #{name}"
+ owners.each do |owner|
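Review bot: The replacement at line 44 calls `Gem::SafeYAML.load`, but nothing in this commit defines or requires that constant, and the 1.8-era site_ruby rubygems being patched (see the paths at lines 37–38, and a series file that adds no companion patch) predates upstream's safe_yaml.rb, so as far as this diff shows the owner listing would now fail with a NameError on `Gem::SafeYAML` rather than parse the response safely. The upstream commit named in the Origin line should be checked for the file that defines the safe loader; if it is absent from this tree, backport it alongside this patch and add `require 'rubygems/safe_yaml'` at the top of owner_command.rb so the constant is loaded before `with_response` runs. Running the owner command once in the jessie build and confirming it prints owners instead of raising would verify the backport. The method enclosing this `with_response` block starts and ends outside the hunk.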
diff --git a/debian/patches/CVE-2018-1000075.patch b/debian/patches/CVE-2018-1000075.patch
new file mode 100644
index 0000000..d6f4bd2
--- /dev/null
+++ b/debian/patches/CVE-2018-1000075.patch
@@ -0,0 +1,91 @@
+From 92e98bf8f810bd812f919120d4832df51bc25d83 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins at segiddins.me>
+Date: Sun, 11 Feb 2018 22:00:03 -0800
+Subject: [PATCH] Strictly interpret octal fields in tar headers
+
+Any octal field that contains characters other that 0-7 will cause acn
+exception to be raised.
+
+This prevents a negative size from being set, which could cause an
+infinite loop.
+---
+ lib/rubygems/package/tar_header.rb | 23 ++++++++++++++---------
+ test/rubygems/test_gem_package_tar_header.rb | 20 ++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 9 deletions(-)
+
+Index: jruby/lib/ruby/site_ruby/1.8/rubygems/package/tar_header.rb
+===================================================================
+--- jruby.orig/lib/ruby/site_ruby/1.8/rubygems/package/tar_header.rb
++++ jruby/lib/ruby/site_ruby/1.8/rubygems/package/tar_header.rb
+@@ -102,20 +102,20 @@ class Gem::Package::TarHeader
+ fields = header.unpack UNPACK_FORMAT
+
+ name = fields.shift
+- mode = fields.shift.oct
+- uid = fields.shift.oct
+- gid = fields.shift.oct
+- size = fields.shift.oct
+- mtime = fields.shift.oct
+- checksum = fields.shift.oct
++ mode = strict_oct(fields.shift)
++ uid = strict_oct(fields.shift)
++ gid = strict_oct(fields.shift)
++ size = strict_oct(fields.shift)
++ mtime = strict_oct(fields.shift)
++ checksum = strict_oct(fields.shift)
+ typeflag = fields.shift
+ linkname = fields.shift
+ magic = fields.shift
+- version = fields.shift.oct
++ version = strict_oct(fields.shift)
+ uname = fields.shift
+ gname = fields.shift
+- devmajor = fields.shift.oct
+- devminor = fields.shift.oct
++ devmajor = strict_oct(fields.shift)
++ devminor = strict_oct(fields.shift)
+ prefix = fields.shift
+
+ new :name => name,
+@@ -158,6 +158,11 @@ class Gem::Package::TarHeader
+ # :empty => empty
+ end
+
++ def self.strict_oct(str)
++ return str.oct if str =~ /\A[0-7]*\z/
++ raise ArgumentError, "#{str.inspect} is not an octal string"
++ end
++
+ ##
+ # Creates a new TarHeader using +vals+
+
+Index: jruby/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
+===================================================================
+--- jruby.orig/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
++++ jruby/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
+@@ -132,5 +132,25 @@ group\000\000\000\000\000\000\000\000\00
+ assert_equal '012467', @tar_header.checksum
+ end
+
++ def test_from_bad_octal
++ test_cases = [
++ "00000006,44\000", # bogus character
++ "00000006789\000", # non-octal digit
++ "+0000001234\000", # positive sign
++ "-0000001000\000", # negative sign
++ "0x000123abc\000", # radix prefix
++ ]
++
++ test_cases.each do |val|
++ header_s = @tar_header.to_s
++ # overwrite the size field
++ header_s[124, 12] = val
++ io = TempIO.new header_s
++ assert_raises ArgumentError do
++ new_header = Gem::Package::TarHeader.from io
++ end
++ end
++ end
++
+ end
+
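Review bot: `strict_oct` at lines 107–110 raises for any field that is not purely `[0-7]*` after unpacking, yet POSIX/GNU tar writers routinely terminate numeric fields with a space before the NUL and may left-pad with spaces; whether that space reaches `str` depends on UNPACK_FORMAT, which is outside this hunk, and a `Z`-style conversion keeps a space that precedes the NUL, in which case valid archives would now be rejected with ArgumentError. Tolerating surrounding whitespace preserves the security property (signs, non-octal digits, radix prefixes and the `,` in the fixtures are still rejected, and a negative size still cannot be produced) while accepting such archives: `s = str.strip` followed by `return s.oct if s =~ /\A[0-7]*\z/`. The added test could also write a space-padded valid field into the size slot to pin that behaviour, and `new_header` at line 138 is assigned but never read and can be dropped.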
diff --git a/debian/patches/CVE-2018-1000076.patch b/debian/patches/CVE-2018-1000076.patch
new file mode 100644
index 0000000..327da1a
--- /dev/null
+++ b/debian/patches/CVE-2018-1000076.patch
@@ -0,0 +1,87 @@
+From f5042b879259b1f1ce95a0c5082622c646376693 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins <segiddins at segiddins.me>
+Date: Sun, 11 Feb 2018 20:47:37 -0800
+Subject: [PATCH] Raise a security error when there are duplicate files in a
+ package
+
+This is a rudimentary fix for an issue where RubyGems would allow a
+mis-signed gem to be installed, as the tarball would contain multiple
+gem signatures.
+
+Nothing should give us a tarball with multiple entries, so we'll just
+disallow that.
+---
+ lib/rubygems/package.rb | 4 ++++
+ lib/rubygems/package/tar_writer.rb | 2 ++
+ test/rubygems/test_gem_package.rb | 34 +++++++++++++++++++++++++++++++++-
+ 3 files changed, 39 insertions(+), 1 deletion(-)
+
+Index: jruby/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb
+===================================================================
+--- jruby.orig/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb
++++ jruby/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb
+@@ -53,6 +53,33 @@ class TestGemPackageTarOutput < TarTestC
+ gz.close if gz
+ end
+
++ def test_verify_duplicate_file
++ FileUtils.mkdir_p 'lib'
++ FileUtils.touch 'lib/code.rb'
++
++ build = Gem::Package.new @gem
++ build.spec = @spec
++ build.setup_signer
++ open @gem, 'wb' do |gem_io|
++ Gem::Package::TarWriter.new gem_io do |gem|
++ build.add_metadata gem
++ build.add_contents gem
++
++ gem.add_file_simple 'a.sig', 0444, 0
++ gem.add_file_simple 'a.sig', 0444, 0
++ end
++ end
++
++ package = Gem::Package.new @gem
++
++ e = assert_raises Gem::Security::Exception do
++ package.verify
++ end
++
++ assert_equal 'duplicate files in the package: ("a.sig")', e.message
++ end
++
++
+ if defined? OpenSSL then
+ def test_self_open_signed
+ signer = Gem::Security::Signer.new @private_key, [@public_cert]
+Index: jruby/lib/ruby/site_ruby/1.8/rubygems/package/tar_input.rb
+===================================================================
+--- jruby.orig/lib/ruby/site_ruby/1.8/rubygems/package/tar_input.rb
++++ jruby/lib/ruby/site_ruby/1.8/rubygems/package/tar_input.rb
+@@ -24,12 +24,15 @@ class Gem::Package::TarInput
+ def initialize(io, security_policy = nil)
+ @io = io
+ @tarreader = Gem::Package::TarReader.new @io
++ @files = []
+ has_meta = false
+
+ data_sig, meta_sig, data_dgst, meta_dgst = nil, nil, nil, nil
+ dgst_algo = security_policy ? Gem::Security::OPT[:dgst_algo] : nil
+
+ @tarreader.each do |entry|
++ file_name = entry.full_name
++ @files << file_name
+ case entry.full_name
+ when "metadata"
+ @metadata = load_gemspec entry.read
+@@ -109,6 +112,10 @@ class Gem::Package::TarInput
+ @fileops = Gem::FileOperations.new
+
+ raise Gem::Package::FormatError, "No metadata found!" unless has_meta
++
++ if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
++ raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
++ end
+ end
+
+ def close
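Review bot: The guard added at lines 232–234 lives in `Gem::Package::TarInput#initialize`, but the test added at lines 177–201 drives `Gem::Package.new`, `setup_signer`, `add_metadata`, `add_contents` and `verify`, which belong to the rubygems 2.x Package class; nothing visible in this 1.8-era site_ruby tree defines them, so the test most likely fails with NoMethodError instead of exercising the new check. Consider rewriting it around the API that was actually changed: write a tar containing two `a.sig` entries with the tar writer this tree ships and assert that constructing a TarInput over it raises `Gem::Security::Exception` with the expected message. Style point on line 232: assignment inside an `if … and …` condition is hard to read and `and` has precedence traps; `duplicates = @files.group_by { |f| f }.select { |_, v| v.size > 1 }.map(&:first)` followed by `raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})" unless duplicates.empty?` behaves identically. `initialize` spans both nested hunks with part of its body outside them.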
diff --git a/debian/patches/CVE-2018-1000077.patch b/debian/patches/CVE-2018-1000077.patch
new file mode 100644
index 0000000..b31059e
--- /dev/null
+++ b/debian/patches/CVE-2018-1000077.patch
@@ -0,0 +1,67 @@
+From feadefc2d351dcb95d6492f5ad17ebca546eb964 Mon Sep 17 00:00:00 2001
+From: Jonathan Claudius <jclaudius at mozilla.com>
+Date: Fri, 2 Feb 2018 00:09:29 -0500
+Subject: [PATCH] Enforce URL validation on spec homepage attribute
+
+---
+ lib/rubygems/specification.rb | 15 +++++++++++----
+ test/rubygems/test_gem_specification.rb | 13 +++++++++++++
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+Index: jruby/lib/ruby/site_ruby/1.8/rubygems/specification.rb
+===================================================================
+--- jruby.orig/lib/ruby/site_ruby/1.8/rubygems/specification.rb
++++ jruby/lib/ruby/site_ruby/1.8/rubygems/specification.rb
+@@ -7,6 +7,7 @@
+ require 'rubygems/version'
+ require 'rubygems/requirement'
+ require 'rubygems/platform'
++require 'uri'
+
+ # :stopdoc:
+ class Date; end # for ruby_code if date.rb wasn't required
+@@ -891,10 +892,16 @@ class Gem::Specification
+ '"FIXME" or "TODO" is not a summary'
+ end
+
+- if homepage and not homepage.empty? and
+- homepage !~ /\A[a-z][a-z\d+.-]*:/i then
+- raise Gem::InvalidSpecificationException,
+- "\"#{homepage}\" is not a URI"
++ # Make sure a homepage is valid HTTP/HTTPS URI
++ if homepage and not homepage.empty?
++ begin
++ homepage_uri = URI.parse(homepage)
++ unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
++ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI"
++ end
++ rescue URI::InvalidURIError
++ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI"
++ end
+ end
+
+ # Warnings
+Index: jruby/test/externals/ruby1.9/rubygems/test_gem_specification.rb
+===================================================================
+--- jruby.orig/test/externals/ruby1.9/rubygems/test_gem_specification.rb
++++ jruby/test/externals/ruby1.9/rubygems/test_gem_specification.rb
+@@ -1134,6 +1134,19 @@ end
+ end
+
+ assert_equal '"over at my cool site" is not a URI', e.message
++
++ @a1.homepage = 'ftp://rubygems.org'
++
++ e = assert_raises Gem::InvalidSpecificationException do
++ @a1.validate
++ end
++
++ assert_equal '"ftp://rubygems.org" is not a URI', e.message
++
++ @a1.homepage = 'http://rubygems.org'
++
++ assert_equal true, @a1.validate
++
+ end
+ end
+
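Review bot: The class check at line 278 accepts any `URI::HTTP`/`URI::HTTPS` object, and as far as I recall `URI.parse` returns such an object even for scheme-only values like `http:` or `http://` (host nil), so those still pass validation although the intent is to require a usable web URL; a host check closes that gap: `unless homepage_uri.is_a?(URI::HTTP) and homepage_uri.host` (URI::HTTPS subclasses URI::HTTP, so the `member?` list is not needed). The two `raise Gem::InvalidSpecificationException` lines at 279 and 282 carry identical messages; rescuing `URI::InvalidURIError` into a nil `homepage_uri` and raising once after the check removes the duplication. The message still says "is not a URI" for values such as `ftp://rubygems.org` that are valid URIs of the wrong scheme (line 302 pins this); "is not an HTTP or HTTPS URI" would be more accurate if the test expectation is updated with it. `validate` starts and ends outside the hunk.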
diff --git a/debian/patches/CVE-2018-1000078.patch b/debian/patches/CVE-2018-1000078.patch
new file mode 100644
index 0000000..84683f3
--- /dev/null
+++ b/debian/patches/CVE-2018-1000078.patch
@@ -0,0 +1,18 @@
+From 66a28b9275551384fdab45f3591a82d6b59952cb Mon Sep 17 00:00:00 2001
+From: Jonathan Claudius <jclaudius at mozilla.com>
+Date: Thu, 1 Feb 2018 23:04:33 -0500
+Subject: [PATCH] Fix 289313
+
+Index: jruby/lib/ruby/site_ruby/1.8/rubygems/server.rb
+===================================================================
+--- jruby.orig/lib/ruby/site_ruby/1.8/rubygems/server.rb
++++ jruby/lib/ruby/site_ruby/1.8/rubygems/server.rb
+@@ -619,7 +619,7 @@ div.method-source-code pre { color: #ffd
+ "only_one_executable" => (executables && executables.size == 1),
+ "full_name" => spec.full_name,
+ "has_deps" => !deps.empty?,
+- "homepage" => spec.homepage,
++ "homepage" => (URI.parse(spec.homepage).is_a?(URI::HTTP) || URI.parse(spec.homepage).is_a?(URI::HTTPS)) ? spec.homepage : ".",
+ "name" => spec.name,
+ "rdoc_installed" => Gem::DocManager.new(spec).rdoc_installed?,
+ "summary" => spec.summary,
diff --git a/debian/patches/series b/debian/patches/series
index 875449d..163e6c2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,8 @@
0010-jruby-Set-FD_CLOEXEC-correctly-using-F_SETFD-not-F_S.patch
0011-java7-compat.patch
0012-nailgun.patch
+CVE-2018-1000074.patch
+CVE-2018-1000075.patch
+CVE-2018-1000076.patch
+CVE-2018-1000077.patch
+CVE-2018-1000078.patch
--