Bug#895778: jruby: Several security vulnerabilities
Markus Koschany
apo at debian.org
Sun Apr 29 22:34:11 BST 2018
Hi Miguel,
I have prepared security updates for Jessie and Stretch. Unfortunately I
discovered that jruby in Jessie FTBFS at the moment. This is unrelated
to the patches.
Do you know how to resolve that?
generate-method-classes:

_gmc_internal_:
     [echo] Generating invokers...
     [java] Exception in thread "main" java.lang.ClassFormatError: Duplicate method name&signature in class file org/jruby/RubyFixnum$i_method_multi$RUBYINVOKER$to_s
     [java]     at java.lang.ClassLoader.defineClass1(Native Method)
     [java]     at java.lang.ClassLoader.defineClass(ClassLoader.java:803)
     [java]     at org.jruby.util.JRubyClassLoader.defineClass(JRubyClassLoader.java:39)
     [java]     at org.jruby.internal.runtime.methods.DumpingInvocationMethodFactory.endClass(DumpingInvocationMethodFactory.java:64)
     [java]     at org.jruby.internal.runtime.methods.InvocationMethodFactory.getAnnotatedMethodClass(InvocationMethodFactory.java:721)
     [java]     at org.jruby.anno.InvokerGenerator.main(InvokerGenerator.java:45)
I'm attaching the stretch debdiff to this bug report and pushing the
patches for Jessie.
Cheers,
Markus
-------------- next part --------------
diff -Nru jruby-1.7.26/debian/changelog jruby-1.7.26/debian/changelog
--- jruby-1.7.26/debian/changelog 2016-11-12 21:33:13.000000000 +0100
+++ jruby-1.7.26/debian/changelog 2018-04-29 22:24:33.000000000 +0200
@@ -1,3 +1,25 @@
+jruby (1.7.26-1+deb9u1) stretch-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2018-1000073: Directory Traversal vulnerability in install_location
+ function of package.rb that can result in path traversal when writing to a
+ symlinked basedir outside of the root.
+ * Fix CVE-2018-1000074: possible Unsafe Object Deserialization Vulnerability
+ in gem owner.
+ * Fix CVE-2018-1000075: Strictly interpret octal fields in tar headers to
+ avoid infinite loop
+ * Fix CVE-2018-1000076: Raise a security error when there are duplicate
+ files in a package
+ * Fix CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
+ * Fix CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute
+ when displayed via gem server.
+ * Fix CVE-2018-1000079: Directory Traversal vulnerability in gem installation
+ that can result in writing to arbitrary filesystem locations during
+ installation of malicious gems.
+ (Closes: #895778)
+
+ -- Markus Koschany <apo at debian.org> Sun, 29 Apr 2018 22:24:33 +0200
+
jruby (1.7.26-1) unstable; urgency=medium
* Team upload.
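Review bot: the CVE-2018-1000076 entry only describes the duplicate-file check, but CVE-2018-1000076.patch also touches rubygems/package/tar_writer.rb (it raises when no digest matching the signer's digest name was computed); mention that second change here so the changelog matches what the patch ships. It would also help readers to note that the realpath-on-destination fix from CVE-2018-1000073.patch is removed again by CVE-2018-1000079.patch, so the final install_location logic comes from the latter.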
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000073.patch jruby-1.7.26/debian/patches/CVE-2018-1000073.patch
--- jruby-1.7.26/debian/patches/CVE-2018-1000073.patch 1970-01-01 01:00:00.000000000 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-1000073.patch 2018-04-29 22:24:33.000000000 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 29 Apr 2018 21:29:28 +0200
+Subject: CVE-2018-1000073
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
+---
+ lib/ruby/shared/rubygems/package.rb | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/ruby/shared/rubygems/package.rb b/lib/ruby/shared/rubygems/package.rb
+index e8b8b38..25ac814 100644
+--- a/lib/ruby/shared/rubygems/package.rb
++++ b/lib/ruby/shared/rubygems/package.rb
+@@ -405,6 +405,8 @@ EOM
+ destination_dir = File.expand_path destination_dir
+
+ destination = File.join destination_dir, filename
++ destination = File.realpath destination if
++ File.respond_to? :realpath
+ destination = File.expand_path destination
+
+ raise Gem::Package::PathError.new(destination, destination_dir) unless
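Review bot: the two added lines call File.realpath on `destination` before the file is written, and File.realpath raises Errno::ENOENT when any path component does not exist yet, which is the normal case for a file that is about to be extracted. Taken on its own this patch therefore breaks installation of any gem whose files are not already on disk; it only works in this series because CVE-2018-1000079.patch deletes exactly these two lines again and moves the symlink handling into mkdir_p_safe. Either fold this patch into the 1000079 one or record the dependency in the patch header, so nobody cherry-picks it alone for Jessie.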
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000074.patch jruby-1.7.26/debian/patches/CVE-2018-1000074.patch
--- jruby-1.7.26/debian/patches/CVE-2018-1000074.patch 1970-01-01 01:00:00.000000000 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-1000074.patch 2018-04-29 22:24:33.000000000 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 29 Apr 2018 21:11:01 +0200
+Subject: CVE-2018-1000074
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
+---
+ lib/ruby/shared/rubygems/commands/owner_command.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ruby/shared/rubygems/commands/owner_command.rb b/lib/ruby/shared/rubygems/commands/owner_command.rb
+index 322bf65..c5416f8 100644
+--- a/lib/ruby/shared/rubygems/commands/owner_command.rb
++++ b/lib/ruby/shared/rubygems/commands/owner_command.rb
+@@ -61,7 +61,7 @@ permission to.
+ end
+
+ with_response response do |resp|
+- owners = YAML.load resp.body
++ owners = Gem::SafeYAML.load resp.body
+
+ say "Owners for gem: #{name}"
+ owners.each do |owner|
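Review bot: the hunk adds no require, so confirm that Gem::SafeYAML (rubygems/safe_yaml.rb) is present in the RubyGems copy bundled under lib/ruby/shared and is already loaded when owner_command.rb runs; if the bundled RubyGems predates it, this line turns into a NameError rather than a fix. With SafeYAML available the change is right: the owner listing is plain arrays and hashes, which SafeYAML's whitelist permits, whereas YAML.load would instantiate arbitrary tagged objects from a hostile gem server response.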
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000075.patch jruby-1.7.26/debian/patches/CVE-2018-1000075.patch
--- jruby-1.7.26/debian/patches/CVE-2018-1000075.patch 1970-01-01 01:00:00.000000000 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-1000075.patch 2018-04-29 22:24:33.000000000 +0200
@@ -0,0 +1,85 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 29 Apr 2018 21:34:44 +0200
+Subject: CVE-2018-1000075
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83
+---
+ lib/ruby/shared/rubygems/package/tar_header.rb | 23 +++++++++++++---------
+ .../rubygems/test_gem_package_tar_header.rb | 20 +++++++++++++++++++
+ 2 files changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/lib/ruby/shared/rubygems/package/tar_header.rb b/lib/ruby/shared/rubygems/package/tar_header.rb
+index f9ab13a..9b457ec 100644
+--- a/lib/ruby/shared/rubygems/package/tar_header.rb
++++ b/lib/ruby/shared/rubygems/package/tar_header.rb
+@@ -103,25 +103,30 @@ class Gem::Package::TarHeader
+ fields = header.unpack UNPACK_FORMAT
+
+ new :name => fields.shift,
+- :mode => fields.shift.oct,
+- :uid => fields.shift.oct,
+- :gid => fields.shift.oct,
+- :size => fields.shift.oct,
+- :mtime => fields.shift.oct,
+- :checksum => fields.shift.oct,
++ :mode => strict_oct(fields.shift),
++ :uid => strict_oct(fields.shift),
++ :gid => strict_oct(fields.shift),
++ :size => strict_oct(fields.shift),
++ :mtime => strict_oct(fields.shift),
++ :checksum => strict_oct(fields.shift),
+ :typeflag => fields.shift,
+ :linkname => fields.shift,
+ :magic => fields.shift,
+- :version => fields.shift.oct,
++ :version => strict_oct(fields.shift),
+ :uname => fields.shift,
+ :gname => fields.shift,
+- :devmajor => fields.shift.oct,
+- :devminor => fields.shift.oct,
++ :devmajor => strict_oct(fields.shift),
++ :devminor => strict_oct(fields.shift),
+ :prefix => fields.shift,
+
+ :empty => empty
+ end
+
++ def self.strict_oct(str)
++ return str.oct if str =~ /\A[0-7]*\z/
++ raise ArgumentError, "#{str.inspect} is not an octal string"
++ end
++
+ ##
+ # Creates a new TarHeader using +vals+
+
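Review bot: the regex `/\A[0-7]*\z/` deliberately accepts the empty string, so a blank field still yields 0 via `"".oct` exactly as before; a short comment on strict_oct saying that the `*` is intentional would stop a later maintainer from tightening it to `+` and rejecting headers with empty (all-NUL) fields. Also confirm that UNPACK_FORMAT used on the line above (`fields = header.unpack UNPACK_FORMAT`) consists of the space/NUL-stripping `A` directives; the `\z` anchor only works because the trailing NUL terminator has already been stripped, otherwise every valid header would now raise ArgumentError.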
+diff --git a/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb b/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
+index 5d85543..0ddb440 100644
+--- a/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
++++ b/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
+@@ -126,5 +126,25 @@ group\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
+ assert_equal '012467', @tar_header.checksum
+ end
+
++ def test_from_bad_octal
++ test_cases = [
++ "00000006,44\000", # bogus character
++ "00000006789\000", # non-octal digit
++ "+0000001234\000", # positive sign
++ "-0000001000\000", # negative sign
++ "0x000123abc\000", # radix prefix
++ ]
++
++ test_cases.each do |val|
++ header_s = @tar_header.to_s
++ # overwrite the size field
++ header_s[124, 12] = val
++ io = TempIO.new header_s
++ assert_raises ArgumentError do
++ new_header = Gem::Package::TarHeader.from io
++ end
++ end
++ end
++
+ end
+
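Review bot: `new_header` is assigned but never read; `Gem::Package::TarHeader.from io` alone inside the assert_raises block is enough. More importantly, the test lives under test/externals/ruby1.9/, and the series carries 0012-Disable-outdated-specs.patch, so check that this suite is actually executed by the Debian build; otherwise the regression test is carried along but never run. The offset `header_s[124, 12]` does hit the size field (100 name + 8 mode + 8 uid + 8 gid), so the vectors exercise the right parser path.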
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000076.patch jruby-1.7.26/debian/patches/CVE-2018-1000076.patch
--- jruby-1.7.26/debian/patches/CVE-2018-1000076.patch 1970-01-01 01:00:00.000000000 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-1000076.patch 2018-04-29 22:24:33.000000000 +0200
@@ -0,0 +1,78 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 29 Apr 2018 21:39:35 +0200
+Subject: CVE-2018-1000076
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693
+---
+ lib/ruby/shared/rubygems/package.rb | 4 ++++
+ lib/ruby/shared/rubygems/package/tar_writer.rb | 2 ++
+ .../rubygems/test_gem_package_tar_output.rb | 27 ++++++++++++++++++++++
+ 3 files changed, 33 insertions(+)
+
+diff --git a/lib/ruby/shared/rubygems/package.rb b/lib/ruby/shared/rubygems/package.rb
+index 25ac814..42b753c 100644
+--- a/lib/ruby/shared/rubygems/package.rb
++++ b/lib/ruby/shared/rubygems/package.rb
+@@ -589,6 +589,10 @@ EOM
+ raise Gem::Package::FormatError.new \
+ 'package content (data.tar.gz) is missing', @gem
+ end
++
++ if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
++ raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
++ end
+ end
+
+ ##
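Review bot: the condition buries an assignment inside `if ... and ...`; `duplicates = @files.group_by { |f| f }.select { |_, v| v.size > 1 }.keys` followed by `raise Gem::Security::Exception, ... unless duplicates.empty?` says the same thing without the trailing `and duplicates.any?`. Note also that this check runs during verification (it sits next to the data.tar.gz presence check), so a duplicate entry that reaches extraction without verify would still be written twice with the second copy winning; the extraction path must not be used on untrusted gems without verify.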
+diff --git a/lib/ruby/shared/rubygems/package/tar_writer.rb b/lib/ruby/shared/rubygems/package/tar_writer.rb
+index dfd6357..59bb476 100644
+--- a/lib/ruby/shared/rubygems/package/tar_writer.rb
++++ b/lib/ruby/shared/rubygems/package/tar_writer.rb
+@@ -195,6 +195,8 @@ class Gem::Package::TarWriter
+ digest_name == signer.digest_name
+ end
+
++ raise "no #{signer.digest_name} in #{digests.values.compact}" unless signature_digest
++
+ if signer.key then
+ signature = signer.sign signature_digest.digest
+
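Review bot: this raises a bare RuntimeError with a String message while the surrounding signing code reports problems as Gem::Security::Exception; use `raise Gem::Security::Exception, "no #{signer.digest_name} in ..."` so callers that already rescue the security exception see this failure too. Interpolating `digests.values.compact` directly renders the Array with its `[...]` to_s form; `.join(', ')` would read better in the error text.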
+diff --git a/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb b/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb
+index ecf25ef..c8b500f 100644
+--- a/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb
++++ b/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb
+@@ -48,6 +48,33 @@ class TestGemPackageTarOutput < Gem::Package::TarTestCase
+ gz.close if gz
+ end
+
++ def test_verify_duplicate_file
++ FileUtils.mkdir_p 'lib'
++ FileUtils.touch 'lib/code.rb'
++
++ build = Gem::Package.new @gem
++ build.spec = @spec
++ build.setup_signer
++ open @gem, 'wb' do |gem_io|
++ Gem::Package::TarWriter.new gem_io do |gem|
++ build.add_metadata gem
++ build.add_contents gem
++
++ gem.add_file_simple 'a.sig', 0444, 0
++ gem.add_file_simple 'a.sig', 0444, 0
++ end
++ end
++
++ package = Gem::Package.new @gem
++
++ e = assert_raises Gem::Security::Exception do
++ package.verify
++ end
++
++ assert_equal 'duplicate files in the package: ("a.sig")', e.message
++ end
++
++
+ if defined? OpenSSL then
+ def test_self_open_signed
+ @private_key = File.expand_path('test/rubygems/private_key.pem', @@project_dir)
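Review bot: there is a double blank line between `test_verify_duplicate_file` and the `if defined? OpenSSL` block; drop one. `open @gem, 'wb'` is Kernel#open, which in Ruby also accepts `|cmd` strings; `File.open` is the safer habit even in tests. The asserted message `duplicate files in the package: ("a.sig")` matches the `inspect`/`join(', ')` formatting in the package.rb hunk, so the two hunks are consistent.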
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000077.patch jruby-1.7.26/debian/patches/CVE-2018-1000077.patch
--- jruby-1.7.26/debian/patches/CVE-2018-1000077.patch 1970-01-01 01:00:00.000000000 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-1000077.patch 2018-04-29 22:24:33.000000000 +0200
@@ -0,0 +1,68 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 29 Apr 2018 21:41:01 +0200
+Subject: CVE-2018-1000077
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964
+---
+ lib/ruby/shared/rubygems/specification.rb | 15 +++++++++++----
+ test/externals/ruby1.9/rubygems/test_gem_specification.rb | 13 +++++++++++++
+ 2 files changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/lib/ruby/shared/rubygems/specification.rb b/lib/ruby/shared/rubygems/specification.rb
+index eb89c4c..2ef709a 100644
+--- a/lib/ruby/shared/rubygems/specification.rb
++++ b/lib/ruby/shared/rubygems/specification.rb
+@@ -13,6 +13,7 @@ require 'rubygems/deprecate'
+ require 'rubygems/basic_specification'
+ require 'rubygems/stub_specification'
+ require 'rubygems/util/stringio'
++require 'uri'
+
+ ##
+ # The Specification class contains the information for a Gem. Typically
+@@ -2601,10 +2602,16 @@ http://opensource.org/licenses/alphabetical
+ raise Gem::InvalidSpecificationException, "#{lazy} is not a summary"
+ end
+
+- if homepage and not homepage.empty? and
+- homepage !~ /\A[a-z][a-z\d+.-]*:/i then
+- raise Gem::InvalidSpecificationException,
+- "\"#{homepage}\" is not a URI"
++ # Make sure a homepage is valid HTTP/HTTPS URI
++ if homepage and not homepage.empty?
++ begin
++ homepage_uri = URI.parse(homepage)
++ unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
++ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI"
++ end
++ rescue URI::InvalidURIError
++ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI"
++ end
+ end
+
+ # Warnings
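Review bot: URI::HTTPS is a subclass of URI::HTTP, so `homepage_uri.is_a?(URI::HTTP)` covers both without the `[URI::HTTP, URI::HTTPS].member?` class-list test; the exact-class check as written is stricter and acceptable, but should be a conscious choice. The identical raise in both the `unless` branch and the `rescue URI::InvalidURIError` branch could be collapsed into one raise after a `valid = begin ... rescue URI::InvalidURIError; false end`. Behaviourally this tightens validate from "any scheme" to http/https only, so a gemspec with an ftp:// or git:// homepage that validated before now fails `gem build`; validate runs at build time, so confirm nothing on the install path calls it, otherwise already-packaged gems with such homepages would stop installing.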
+diff --git a/test/externals/ruby1.9/rubygems/test_gem_specification.rb b/test/externals/ruby1.9/rubygems/test_gem_specification.rb
+index aa648c9..5541f7f 100644
+--- a/test/externals/ruby1.9/rubygems/test_gem_specification.rb
++++ b/test/externals/ruby1.9/rubygems/test_gem_specification.rb
+@@ -1454,6 +1454,19 @@ end
+ end
+
+ assert_equal '"over at my cool site" is not a URI', e.message
++
++ @a1.homepage = 'ftp://rubygems.org'
++
++ e = assert_raises Gem::InvalidSpecificationException do
++ @a1.validate
++ end
++
++ assert_equal '"ftp://rubygems.org" is not a URI', e.message
++
++ @a1.homepage = 'http://rubygems.org'
++
++ assert_equal true, @a1.validate
++
+ end
+ end
+
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000078.patch jruby-1.7.26/debian/patches/CVE-2018-1000078.patch
--- jruby-1.7.26/debian/patches/CVE-2018-1000078.patch 1970-01-01 01:00:00.000000000 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-1000078.patch 2018-04-29 22:24:33.000000000 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 29 Apr 2018 21:41:43 +0200
+Subject: CVE-2018-1000078
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb
+---
+ lib/ruby/shared/rubygems/server.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ruby/shared/rubygems/server.rb b/lib/ruby/shared/rubygems/server.rb
+index 7655be2..aa9604d 100644
+--- a/lib/ruby/shared/rubygems/server.rb
++++ b/lib/ruby/shared/rubygems/server.rb
+@@ -634,7 +634,7 @@ div.method-source-code pre { color: #ffdead; overflow: hidden; }
+ "only_one_executable" => (executables && executables.size == 1),
+ "full_name" => spec.full_name,
+ "has_deps" => !deps.empty?,
+- "homepage" => spec.homepage,
++ "homepage" => (URI.parse(spec.homepage).is_a?(URI::HTTP) || URI.parse(spec.homepage).is_a?(URI::HTTPS)) ? spec.homepage : ".",
+ "name" => spec.name,
+ "rdoc_installed" => Gem::RDoc.new(spec).rdoc_installed?,
+ "ri_installed" => Gem::RDoc.new(spec).ri_installed?,
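Review bot: `URI.parse(spec.homepage)` raises URI::InvalidURIError for a nil homepage and for any string that does not parse (a homepage containing spaces, for instance), which turns a single bad gemspec into a server error for the whole listing instead of a neutral link. Parse once, rescue URI::InvalidURIError, and fall back to "." in that case; `is_a?(URI::HTTP)` already covers URI::HTTPS, so the second parse and the `||` are redundant. Emitting "." as the fallback produces a relative link to the listing itself rather than no link at all; that mirrors upstream, but a template change would be cleaner if the server page is ever touched again.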
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000079.patch jruby-1.7.26/debian/patches/CVE-2018-1000079.patch
--- jruby-1.7.26/debian/patches/CVE-2018-1000079.patch 1970-01-01 01:00:00.000000000 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-1000079.patch 2018-04-29 22:24:33.000000000 +0200
@@ -0,0 +1,82 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 29 Apr 2018 21:56:44 +0200
+Subject: CVE-2018-1000079
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
+Origin: https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759
+---
+ lib/ruby/shared/rubygems/package.rb | 35 +++++++++++++++++++++++++++++------
+ 1 file changed, 29 insertions(+), 6 deletions(-)
+
+diff --git a/lib/ruby/shared/rubygems/package.rb b/lib/ruby/shared/rubygems/package.rb
+index 42b753c..8e5c295 100644
+--- a/lib/ruby/shared/rubygems/package.rb
++++ b/lib/ruby/shared/rubygems/package.rb
+@@ -364,7 +364,7 @@ EOM
+ File.dirname destination
+ end
+
+- FileUtils.mkdir_p mkdir, mkdir_options
++ mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name
+
+ open destination, 'wb' do |out|
+ out.write entry.read
+@@ -400,22 +400,35 @@ EOM
+ raise Gem::Package::PathError.new(filename, destination_dir) if
+ filename.start_with? '/'
+
+- destination_dir = File.realpath destination_dir if
+- File.respond_to? :realpath
++ destination_dir = realpath destination_dir
+ destination_dir = File.expand_path destination_dir
+
+ destination = File.join destination_dir, filename
+- destination = File.realpath destination if
+- File.respond_to? :realpath
+ destination = File.expand_path destination
+
+ raise Gem::Package::PathError.new(destination, destination_dir) unless
+- destination.start_with? destination_dir
++ destination.start_with? destination_dir + '/'
+
+ destination.untaint
+ destination
+ end
+
++ def mkdir_p_safe mkdir, mkdir_options, destination_dir, file_name
++ destination_dir = realpath File.expand_path(destination_dir)
++ parts = mkdir.split(File::SEPARATOR)
++ parts.reduce do |path, basename|
++ path = realpath path unless path == ""
++ path = File.expand_path(path + File::SEPARATOR + basename)
++ lstat = File.lstat path rescue nil
++ if !lstat || !lstat.directory?
++ unless path.start_with? destination_dir and (FileUtils.mkdir path, mkdir_options rescue false)
++ raise Gem::Package::PathError.new(file_name, destination_dir)
++ end
++ end
++ path
++ end
++ end
++
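Review bot: the containment check in mkdir_p_safe uses `path.start_with? destination_dir` without the trailing separator that install_location gains in the same hunk (`destination.start_with? destination_dir + '/'`), so `/srv/gems-other/x` would pass for a destination_dir of `/srv/gems`; mirror the `+ '/'` (or `+ File::SEPARATOR`) here for consistency, even though `mkdir` is derived from a destination that install_location has already validated. The lstat-then-mkdir sequence is a sound race defence only because `FileUtils.mkdir` (not mkdir_p) fails with EEXIST if something, including a symlink, appears at `path` between the two calls, and the `rescue false` turns that into a PathError; that deserves a comment, since a later cleanup replacing it with mkdir_p would silently reintroduce the symlink race. Dropping the `File.realpath destination` lines restores extraction of files that do not exist yet (realpath raises Errno::ENOENT on a missing path), which is why the earlier CVE-2018-1000073 hunk could not stand on its own.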
+ ##
+ # Loads a Gem::Specification from the TarEntry +entry+
+
+@@ -606,6 +619,16 @@ EOM
+ raise Gem::Package::FormatError.new(e.message, entry.full_name)
+ end
+
++ if File.respond_to? :realpath
++ def realpath file
++ File.realpath file
++ end
++ else
++ def realpath file
++ file
++ end
++ end
++
+ end
+
+ require 'rubygems/package/digest_io'
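Review bot: the fallback `realpath` is the identity, which silently disables the symlink containment this patch exists for on any Ruby lacking File.realpath; confirm that JRuby 1.7's default 1.9 mode implements File.realpath (the fix is a no-op otherwise), and add a comment stating that the fallback is intentionally weaker so the next maintainer does not assume equivalence. Both definitions end up as public instance methods on Gem::Package; a `private` before them would keep the helper out of the class's API.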
diff -Nru jruby-1.7.26/debian/patches/series jruby-1.7.26/debian/patches/series
--- jruby-1.7.26/debian/patches/series 2016-11-12 21:27:48.000000000 +0100
+++ jruby-1.7.26/debian/patches/series 2018-04-29 22:24:33.000000000 +0200
@@ -8,3 +8,10 @@
0010-Disable-maven-invoker-plugin.patch
0011-Snakeyaml-1.17-compatibility.patch
0012-Disable-outdated-specs.patch
+CVE-2018-1000073.patch
+CVE-2018-1000074.patch
+CVE-2018-1000075.patch
+CVE-2018-1000076.patch
+CVE-2018-1000077.patch
+CVE-2018-1000078.patch
+CVE-2018-1000079.patch
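Review bot: order matters in this block: CVE-2018-1000079.patch's package.rb hunks are generated against the file as left by CVE-2018-1000073.patch and CVE-2018-1000076.patch (index 25ac814, then 42b753c, then 8e5c295), and it deletes the two realpath lines that 1000073 adds. Keep 1000073 before 1000079 as listed, or squash the two, since the net change of CVE-2018-1000073.patch after 1000079 applies is empty apart from the Origin reference in its header.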
More information about the pkg-java-maintainers mailing list