[Git][java-team/jruby][master] 3 commits: Import Debian changes 9.1.17.0-2.1
Hideki Yamane
gitlab at salsa.debian.org
Wed May 29 06:00:17 BST 2019
Hideki Yamane pushed to branch master at Debian Java Maintainers / jruby
Commits:
57d997c8 by Salvatore Bonaccorso at 2019-05-28T23:09:53Z
Import Debian changes 9.1.17.0-2.1
jruby (9.1.17.0-2.1) unstable; urgency=medium
* Non-maintainer upload.
* Directory traversal vulnerability in install_location (CVE-2018-1000073)
(Closes: #925986)
- - - - -
721c7636 by Hideki Yamane at 2019-05-28T23:14:47Z
add 0018-fix-rubygem-vulnerabilities.patch
- - - - -
f6e65303 by Hideki Yamane at 2019-05-28T23:14:54Z
note to changelog
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/0017-CVE-2018-1000073.patch
- + debian/patches/0018-fix-rubygem-vulnerabilities.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,21 @@
+jruby (9.1.17.0-3) unstable; urgency=medium
+
+ * Team upload.
+ * debian/patches
+ - add 0017-fix-rubygem-vulnerabilities.patch to fix CVEs (Closes: #925987)
+ (CVE-2019-8320 CVE-2019-8321 CVE-2019-8322 CVE-2019-8323 CVE-2019-8324
+ CVE-2019-8325)
+
+ -- Hideki Yamane <henrich at debian.org> Wed, 29 May 2019 08:06:41 +0900
+
+jruby (9.1.17.0-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Directory traversal vulnerability in install_location (CVE-2018-1000073)
+ (Closes: #925986)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Wed, 01 May 2019 11:25:03 +0200
+
jruby (9.1.17.0-2) unstable; urgency=medium
* Annotate the javax.annotation.Generated patch.
=====================================
debian/patches/0017-CVE-2018-1000073.patch
=====================================
@@ -0,0 +1,25 @@
+From: Jonathan Claudius <jclaudius at mozilla.com>
+Date: Wed, 7 Feb 2018 23:54:52 -0500
+Subject: Non-working patch for deducing symlinked base-dirs
+Origin: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000073
+Bug-Debian: https://bugs.debian.org/925986
+
+---
+
+diff --git a/lib/ruby/stdlib/rubygems/package.rb b/lib/ruby/stdlib/rubygems/package.rb
+index dede959981e7..cb9c74a0fc07 100644
+--- a/lib/ruby/stdlib/rubygems/package.rb
++++ b/lib/ruby/stdlib/rubygems/package.rb
+@@ -421,6 +421,8 @@ EOM
+ destination_dir = File.expand_path destination_dir
+
+ destination = File.join destination_dir, filename
++ destination = File.realpath destination if
++ File.respond_to? :realpath
+ destination = File.expand_path destination
+
+ raise Gem::Package::PathError.new(destination, destination_dir) unless
+--
+2.20.1
+
=====================================
debian/patches/0018-fix-rubygem-vulnerabilities.patch
=====================================
@@ -0,0 +1,424 @@
+From: Hideki Yamane <henrich at debian.org>
+Date: Wed, 29 May 2019 07:54:22 +0900
+Subject: fix rubygem vulnerabilities
+
+Bug-Debian: https://bugs.debian.org/925987
+Origin: vendor, https://bugs.ruby-lang.org/attachments/7669
+Forwarded: not-needed
+Last-Update: 2019-05-29
+
+fix below CVEs
+CVE-2019-8320
+CVE-2019-8321
+CVE-2019-8322
+CVE-2019-8323
+CVE-2019-8324
+CVE-2019-8325
+
+see https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+---
+ lib/ruby/stdlib/rubygems/command_manager.rb | 10 +-
+ lib/ruby/stdlib/rubygems/commands/owner_command.rb | 5 +-
+ lib/ruby/stdlib/rubygems/gemcutter_utilities.rb | 7 +-
+ lib/ruby/stdlib/rubygems/installer.rb | 29 +++++-
+ lib/ruby/stdlib/rubygems/package.rb | 10 ++
+ lib/ruby/stdlib/rubygems/user_interaction.rb | 7 +-
+ test/mri/rubygems/test_gem_installer.rb | 108 +++++++++++++++++++++
+ test/mri/rubygems/test_gem_package.rb | 36 +++++++
+ test/mri/rubygems/test_gem_text.rb | 5 +
+ 9 files changed, 203 insertions(+), 14 deletions(-)
+
+diff --git a/lib/ruby/stdlib/rubygems/command_manager.rb b/lib/ruby/stdlib/rubygems/command_manager.rb
+index 451b719..d3ff661 100644
+--- a/lib/ruby/stdlib/rubygems/command_manager.rb
++++ b/lib/ruby/stdlib/rubygems/command_manager.rb
+@@ -7,6 +7,7 @@
+
+ require 'rubygems/command'
+ require 'rubygems/user_interaction'
++require 'rubygems/text'
+
+ ##
+ # The command manager registers and installs all the individual sub-commands
+@@ -32,6 +33,7 @@ require 'rubygems/user_interaction'
+
+ class Gem::CommandManager
+
++ include Gem::Text
+ include Gem::UserInteraction
+
+ BUILTIN_COMMANDS = [ # :nodoc:
+@@ -138,12 +140,12 @@ class Gem::CommandManager
+ def run(args, build_args=nil)
+ process_args(args, build_args)
+ rescue StandardError, Timeout::Error => ex
+- alert_error "While executing gem ... (#{ex.class})\n #{ex}"
++ alert_error clean_text("While executing gem ... (#{ex.class})\n #{ex}")
+ ui.backtrace ex
+
+ terminate_interaction(1)
+ rescue Interrupt
+- alert_error "Interrupted"
++ alert_error clean_text("Interrupted")
+ terminate_interaction(1)
+ end
+
+@@ -161,7 +163,7 @@ class Gem::CommandManager
+ say Gem::VERSION
+ terminate_interaction 0
+ when /^-/ then
+- alert_error "Invalid option: #{args.first}. See 'gem --help'."
++ alert_error clean_text("Invalid option: #{args.first}. See 'gem --help'.")
+ terminate_interaction 1
+ else
+ cmd_name = args.shift.downcase
+@@ -210,7 +212,7 @@ class Gem::CommandManager
+ rescue Exception => e
+ e = load_error if load_error
+
+- alert_error "Loading command: #{command_name} (#{e.class})\n\t#{e}"
++ alert_error clean_text("Loading command: #{command_name} (#{e.class})\n\t#{e}")
+ ui.backtrace e
+ end
+ end
+diff --git a/lib/ruby/stdlib/rubygems/commands/owner_command.rb b/lib/ruby/stdlib/rubygems/commands/owner_command.rb
+index 2ee7f84..7842a32 100644
+--- a/lib/ruby/stdlib/rubygems/commands/owner_command.rb
++++ b/lib/ruby/stdlib/rubygems/commands/owner_command.rb
+@@ -2,8 +2,11 @@
+ require 'rubygems/command'
+ require 'rubygems/local_remote_options'
+ require 'rubygems/gemcutter_utilities'
++require 'rubygems/text'
+
+ class Gem::Commands::OwnerCommand < Gem::Command
++
++ include Gem::Text
+ include Gem::LocalRemoteOptions
+ include Gem::GemcutterUtilities
+
+@@ -62,7 +65,7 @@ permission to.
+ end
+
+ with_response response do |resp|
+- owners = Gem::SafeYAML.load resp.body
++ owners = Gem::SafeYAML.load clean_text(resp.body)
+
+ say "Owners for gem: #{name}"
+ owners.each do |owner|
+diff --git a/lib/ruby/stdlib/rubygems/gemcutter_utilities.rb b/lib/ruby/stdlib/rubygems/gemcutter_utilities.rb
+index 7c6d6bb..623d930 100644
+--- a/lib/ruby/stdlib/rubygems/gemcutter_utilities.rb
++++ b/lib/ruby/stdlib/rubygems/gemcutter_utilities.rb
+@@ -1,11 +1,14 @@
+ # frozen_string_literal: true
+ require 'rubygems/remote_fetcher'
++require 'rubygems/text'
+
+ ##
+ # Utility methods for using the RubyGems API.
+
+ module Gem::GemcutterUtilities
+
++ include Gem::Text
++
+ # TODO: move to Gem::Command
+ OptionParser.accept Symbol do |value|
+ value.to_sym
+@@ -145,13 +148,13 @@ module Gem::GemcutterUtilities
+ if block_given? then
+ yield response
+ else
+- say response.body
++ say clean_text(response.body)
+ end
+ else
+ message = response.body
+ message = "#{error_prefix}: #{message}" if error_prefix
+
+- say message
++ say clean_text(message)
+ terminate_interaction 1 # TODO: question this
+ end
+ end
+diff --git a/lib/ruby/stdlib/rubygems/installer.rb b/lib/ruby/stdlib/rubygems/installer.rb
+index 6fd3399..5818b94 100644
+--- a/lib/ruby/stdlib/rubygems/installer.rb
++++ b/lib/ruby/stdlib/rubygems/installer.rb
+@@ -697,9 +697,26 @@ class Gem::Installer
+ unpack or File.writable?(gem_home)
+ end
+
+- def verify_spec_name
+- return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+- raise Gem::InstallError, "#{spec} has an invalid name"
++ def verify_spec
++ unless spec.name =~ Gem::Specification::VALID_NAME_PATTERN
++ raise Gem::InstallError, "#{spec} has an invalid name"
++ end
++
++ if spec.raw_require_paths.any?{|path| path =~ /\r\n|\r|\n/ }
++ raise Gem::InstallError, "#{spec} has an invalid require_paths"
++ end
++
++ if spec.extensions.any?{|ext| ext =~ /\r\n|\r|\n/ }
++ raise Gem::InstallError, "#{spec} has an invalid extensions"
++ end
++
++ unless spec.specification_version.to_s =~ /\A\d+\z/
++ raise Gem::InstallError, "#{spec} has an invalid specification_version"
++ end
++
++ if spec.dependencies.any? {|dep| dep.type =~ /\r\n|\r|\n/ || dep.name =~ /\r\n|\r|\n/ }
++ raise Gem::InstallError, "#{spec} has an invalid dependencies"
++ end
+ end
+
+ ##
+@@ -826,9 +843,11 @@ TEXT
+ def pre_install_checks
+ verify_gem_home options[:unpack]
+
+- ensure_loadable_spec
++ # The name and require_paths must be verified first, since it could contain
++ # ruby code that would be eval'ed in #ensure_loadable_spec
++ verify_spec
+
+- verify_spec_name
++ ensure_loadable_spec
+
+ if options[:install_as_default]
+ Gem.ensure_default_gem_subdirectories gem_home
+diff --git a/lib/ruby/stdlib/rubygems/package.rb b/lib/ruby/stdlib/rubygems/package.rb
+index b5a5fe2..e4e4545 100644
+--- a/lib/ruby/stdlib/rubygems/package.rb
++++ b/lib/ruby/stdlib/rubygems/package.rb
+@@ -425,6 +425,16 @@ EOM
+ raise Gem::Package::PathError.new(destination, destination_dir) unless
+ destination.start_with? destination_dir + '/'
+
++ begin
++ real_destination = File.expand_path(File.realpath(destination))
++ rescue
++ # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
++ nil
++ else
++ raise Gem::Package::PathError.new(real_destination, destination_dir) unless
++ real_destination.start_with? destination_dir + '/'
++ end
++
+ destination.untaint
+ destination
+ end
+diff --git a/lib/ruby/stdlib/rubygems/user_interaction.rb b/lib/ruby/stdlib/rubygems/user_interaction.rb
+index 390d0f2..237ae2b 100644
+--- a/lib/ruby/stdlib/rubygems/user_interaction.rb
++++ b/lib/ruby/stdlib/rubygems/user_interaction.rb
+@@ -6,6 +6,7 @@
+ #++
+
+ require 'rubygems/util'
++require 'rubygems/text'
+
+ begin
+ require 'io/console'
+@@ -18,6 +19,8 @@ end
+
+ module Gem::DefaultUserInteraction
+
++ include Gem::Text
++
+ ##
+ # The default UI is a class variable of the singleton class for this
+ # module.
+@@ -165,8 +168,8 @@ module Gem::UserInteraction
+ # Calls +say+ with +msg+ or the results of the block if really_verbose
+ # is true.
+
+- def verbose msg = nil
+- say(msg || yield) if Gem.configuration.really_verbose
++ def verbose(msg = nil)
++ say(clean_text(msg || yield)) if Gem.configuration.really_verbose
+ end
+ end
+
+diff --git a/test/mri/rubygems/test_gem_installer.rb b/test/mri/rubygems/test_gem_installer.rb
+index 129c235..8fe984e 100644
+--- a/test/mri/rubygems/test_gem_installer.rb
++++ b/test/mri/rubygems/test_gem_installer.rb
+@@ -1215,6 +1215,114 @@ gem 'other', version
+ end
+ end
+
++ def test_pre_install_checks_malicious_name_before_eval
++ spec = util_spec "malicious\n::Object.const_set(:FROM_EVAL, true)#", '1'
++ def spec.full_name # so the spec is buildable
++ "malicious-1"
++ end
++ def spec.validate(*args); end
++
++ util_build_gem spec
++
++ gem = File.join(@gemhome, 'cache', spec.file_name)
++
++ use_ui @ui do
++ @installer = Gem::Installer.at gem
++ e = assert_raises Gem::InstallError do
++ @installer.pre_install_checks
++ end
++ assert_equal "#<Gem::Specification name=malicious\n::Object.const_set(:FROM_EVAL, true)# version=1> has an invalid name", e.message
++ end
++ refute defined?(::Object::FROM_EVAL)
++ end
++
++ def test_pre_install_checks_malicious_require_paths_before_eval
++ spec = util_spec "malicious", '1'
++ def spec.full_name # so the spec is buildable
++ "malicious-1"
++ end
++ def spec.validate(*args); end
++ spec.require_paths = ["malicious\n``"]
++
++ util_build_gem spec
++
++ gem = File.join(@gemhome, 'cache', spec.file_name)
++
++ use_ui @ui do
++ @installer = Gem::Installer.at gem
++ e = assert_raises Gem::InstallError do
++ @installer.pre_install_checks
++ end
++ assert_equal "#<Gem::Specification name=malicious version=1> has an invalid require_paths", e.message
++ end
++ end
++
++ def test_pre_install_checks_malicious_extensions_before_eval
++ skip "mswin environment disallow to create file contained the carriage return code." if Gem.win_platform?
++
++ spec = util_spec "malicious", '1'
++ def spec.full_name # so the spec is buildable
++ "malicious-1"
++ end
++ def spec.validate(*args); end
++ spec.extensions = ["malicious\n``"]
++
++ util_build_gem spec
++
++ gem = File.join(@gemhome, 'cache', spec.file_name)
++
++ use_ui @ui do
++ @installer = Gem::Installer.at gem
++ e = assert_raises Gem::InstallError do
++ @installer.pre_install_checks
++ end
++ assert_equal "#<Gem::Specification name=malicious version=1> has an invalid extensions", e.message
++ end
++ end
++
++ def test_pre_install_checks_malicious_specification_version_before_eval
++ spec = util_spec "malicious", '1'
++ def spec.full_name # so the spec is buildable
++ "malicious-1"
++ end
++ def spec.validate(*args); end
++ spec.specification_version = "malicious\n``"
++
++ util_build_gem spec
++
++ gem = File.join(@gemhome, 'cache', spec.file_name)
++
++ use_ui @ui do
++ @installer = Gem::Installer.at gem
++ e = assert_raises Gem::InstallError do
++ @installer.pre_install_checks
++ end
++ assert_equal "#<Gem::Specification name=malicious version=1> has an invalid specification_version", e.message
++ end
++ end
++
++ def test_pre_install_checks_malicious_dependencies_before_eval
++ spec = util_spec "malicious", '1'
++ def spec.full_name # so the spec is buildable
++ "malicious-1"
++ end
++ def spec.validate(*args); end
++ spec.add_dependency "b\nfoo", '> 5'
++
++ util_build_gem spec
++
++ gem = File.join(@gemhome, 'cache', spec.file_name)
++
++ use_ui @ui do
++ @installer = Gem::Installer.at gem
++ @installer.ignore_dependencies = true
++ e = assert_raises Gem::InstallError do
++ @installer.pre_install_checks
++ end
++ assert_equal "#<Gem::Specification name=malicious version=1> has an invalid dependencies", e.message
++ end
++ end
++
+ def test_shebang
+ util_make_exec @spec, "#!/usr/bin/ruby"
+
+diff --git a/test/mri/rubygems/test_gem_package.rb b/test/mri/rubygems/test_gem_package.rb
+index 7848bc2..930825e 100644
+--- a/test/mri/rubygems/test_gem_package.rb
++++ b/test/mri/rubygems/test_gem_package.rb
+@@ -443,6 +443,42 @@ class TestGemPackage < Gem::Package::TarTestCase
+ "#{@destination} is not allowed", e.message)
+ end
+
++ def test_extract_symlink_parent_doesnt_delete_user_dir
++ skip if RUBY_VERSION <= "1.8.7"
++
++ package = Gem::Package.new @gem
++
++ # Extract into a subdirectory of @destination; if this test fails it writes
++ # a file outside destination_subdir, but we want the file to remain inside
++ # @destination so it will be cleaned up.
++ destination_subdir = File.join @destination, 'subdir'
++ FileUtils.mkdir_p destination_subdir
++
++ destination_user_dir = File.join @destination, 'user'
++ destination_user_subdir = File.join destination_user_dir, 'dir'
++ FileUtils.mkdir_p destination_user_subdir
++
++ tgz_io = util_tar_gz do |tar|
++ tar.add_symlink 'link', destination_user_dir, 16877
++ tar.add_symlink 'link/dir', '.', 16877
++ end
++
++ e = assert_raises(Gem::Package::PathError, Errno::EACCES) do
++ package.extract_tar_gz tgz_io, destination_subdir
++ end
++
++ assert_path_exists destination_user_subdir
++
++ if Gem::Package::PathError === e
++ assert_equal("installing into parent path #{destination_user_subdir} of " +
++ "#{destination_subdir} is not allowed", e.message)
++ elsif win_platform?
++ skip "symlink - must be admin with no UAC on Windows"
++ else
++ raise e
++ end
++ end
++
+ def test_extract_tar_gz_directory
+ package = Gem::Package.new @gem
+
+diff --git a/test/mri/rubygems/test_gem_text.rb b/test/mri/rubygems/test_gem_text.rb
+index 855e9ac..db96a20 100644
+--- a/test/mri/rubygems/test_gem_text.rb
++++ b/test/mri/rubygems/test_gem_text.rb
+@@ -74,4 +74,9 @@ Without the wrapping, the text might not look good in the RSS feed.
+ assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest")
+ assert_equal 7, levenshtein_distance("zentest", "xxxxxxx")
+ end
++
++ def test_clean_text
++ assert_equal ".]2;nyan.", clean_text("\e]2;nyan\a")
++ end
++
+ end
=====================================
debian/patches/series
=====================================
@@ -12,3 +12,5 @@
0014-FELIX-5430.patch
0015-javax-annotation-Generated.patch
0016-Disable-SkinnyMethodAdapter-test.patch
+0017-CVE-2018-1000073.patch
+0018-fix-rubygem-vulnerabilities.patch
View it on GitLab: https://salsa.debian.org/java-team/jruby/compare/d834f464eea4946caefdc77bcd50ad58f093e528...f6e653039bc515d0892efda63eb0fa3d59c735eb
--
View it on GitLab: https://salsa.debian.org/java-team/jruby/compare/d834f464eea4946caefdc77bcd50ad58f093e528...f6e653039bc515d0892efda63eb0fa3d59c735eb
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20190529/aa5b1fb5/attachment.html>
More information about the pkg-java-commits
mailing list