diff -Nru ruby1.8-1.8.7.375/debian/changelog ruby1.8-1.8.7.375/debian/changelog
--- ruby1.8-1.8.7.375/debian/changelog 2013-11-24 13:28:56.000000000 +0000
+++ ruby1.8-1.8.7.375/debian/changelog 2015-04-14 22:59:45.000000000 +0000
@@ -1,10 +1,17 @@
-ruby1.8 (1:1.8.7.375-1bbox1~lucid1) lucid; urgency=high
+ruby1.8 (1:1.8.7.375-2bbox2~lucid1) lucid; urgency=medium
+
+ * Fix for CVE-2015-1855, backported by tobias.kraze@makandra.de
+
+ -- John Leach Tue, 14 Apr 2015 23:18:51 +0100
+
+ruby1.8 (1:1.8.7.375-1bbox2~trusty1) trusty; urgency=high
 * Fix a problem with the patch for CVE-2013-4164.
 * Fix building on Raring and Saucy
 * Bumped patch level to 375
-
- -- John Leach Sun, 24 Nov 2013 13:25:07 +0000
+ * Fix building for trusty
+
+ -- John Leach Wed, 11 Jun 2014 15:34:29 +0100
 ruby1.8 (1:1.8.7.374-1bbox2~lucid1) lucid; urgency=high
diff -Nru ruby1.8-1.8.7.375/debian/control ruby1.8-1.8.7.375/debian/control
--- ruby1.8-1.8.7.375/debian/control 2013-11-23 13:44:13.000000000 +0000
+++ ruby1.8-1.8.7.375/debian/control 2014-02-20 10:10:41.000000000 +0000
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: John Leach
 Uploaders: John Leach
-Build-Depends: cdbs, debhelper (>= 5), autotools-dev, autoconf, m4, quilt (>= 0.40), patch, bison, binutils (>= 2.14.90.0.7), libgdbm-dev, libncurses5-dev, libreadline-gplv2-dev | libreadline5-dev, zlib1g-dev, libssl-dev (>= 0.9.6b), file, coreutils, gcc (<< 4:4.7) | gcc-4.6, libgoogle-perftools-dev
+Build-Depends: cdbs, debhelper (>= 5), autotools-dev, autoconf, m4, quilt (>= 0.40), patch, bison, binutils (>= 2.14.90.0.7), libgdbm-dev, libncurses5-dev, libreadline-gplv2-dev | libreadline5-dev, zlib1g-dev, libssl-dev (>= 0.9.6b), file, coreutils, gcc (<< 4:4.7) | gcc-4.6, libgoogle-perftools-dev, lsb-release
 Standards-Version: 3.9.2
 Homepage: http://www.ruby-lang.org/
 Vcs-Git: git://github.com/brightbox/deb-ruby1.8-ng.git
diff -Nru ruby1.8-1.8.7.375/debian/patches/131124_version.patch ruby1.8-1.8.7.375/debian/patches/131124_version.patch
--- ruby1.8-1.8.7.375/debian/patches/131124_version.patch 2013-11-24 13:39:10.000000000 +0000
+++ ruby1.8-1.8.7.375/debian/patches/131124_version.patch 1970-01-01 00:00:00.000000000 +0000
@@ -1,13 +0,0 @@
-diff --git a/version.h b/version.h
-index 418be8b..6b0dda7 100644
---- a/version.h
-+++ b/version.h
-@@ -3,7 +3,7 @@
- #define RUBY_RELEASE_DATE "2013-06-27"
- #define RUBY_VERSION_CODE 187
- #define RUBY_RELEASE_CODE 20130627
--#define RUBY_PATCHLEVEL 374
-+#define RUBY_PATCHLEVEL 375
-
- #define RUBY_VERSION_MAJOR 1
- #define RUBY_VERSION_MINOR 8
diff -Nru ruby1.8-1.8.7.375/debian/patches/ruby_1_8_7-p374-fixes-2015-04-14.patch ruby1.8-1.8.7.375/debian/patches/ruby_1_8_7-p374-fixes-2015-04-14.patch
--- ruby1.8-1.8.7.375/debian/patches/ruby_1_8_7-p374-fixes-2015-04-14.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby1.8-1.8.7.375/debian/patches/ruby_1_8_7-p374-fixes-2015-04-14.patch 2015-04-14 22:03:58.000000000 +0000
@@ -0,0 +1,255 @@
+From 9d7d09b62e8b34a9eb20a7d47b9d41354d278864 Mon Sep 17 00:00:00 2001
+From: Tobias Kraze
+Date: Tue, 14 Apr 2015 11:03:08 +0200
+Subject: [PATCH 4/4] backport [Backport #9644]
+
+---
+ ext/openssl/lib/openssl/ssl-internal.rb | 55 +++++++++++-
+ test/openssl/test_ssl.rb | 152 +++++++++++++++++++++++++++++++-
+ 2 files changed, 204 insertions(+), 3 deletions(-)
+
+diff --git a/ext/openssl/lib/openssl/ssl-internal.rb b/ext/openssl/lib/openssl/ssl-internal.rb
+index 9ef6f92..4ff6d72 100644
+--- a/ext/openssl/lib/openssl/ssl-internal.rb
++++ b/ext/openssl/lib/openssl/ssl-internal.rb
+@@ -97,7 +97,7 @@ module OpenSSL
+ when 2 # dNSName in GeneralName (RFC5280)
+ should_verify_common_name = false
+ reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
+- return true if /\A#{reg}\z/i =~ hostname
++ return true if verify_hostname(hostname, san.value)
+ when 7 # iPAddress in GeneralName (RFC5280)
+ should_verify_common_name = false
+ # follows GENERAL_NAME_print() in x509v3/v3_alt.c
+@@ -113,7 +113,7 @@ module OpenSSL
+ cert.subject.to_a.each{|oid, value|
+ if oid == "CN"
+ reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
+- return true if /\A#{reg}\z/i =~ hostname
++ return true if verify_hostname(hostname, value)
+ end
+ }
+ end
+@@ -121,6 +121,57 @@ module OpenSSL
+ end
+ module_function :verify_certificate_identity
+
++ def verify_hostname(hostname, san) # :nodoc:
++ # RFC 5280, IA5String is limited to the set of ASCII characters
++ return false if san =~ /[\x80-\xff]/
++ return false if hostname =~ /[\x80-\xff]/
++
++ # See RFC 6125, section 6.4.1
++ # Matching is case-insensitive.
++ san_parts = san.downcase.split(".")
++
++ # TODO: this behavior should probably be more strict
++ return san == hostname if san_parts.size < 2
++
++ # Matching is case-insensitive.
++ host_parts = hostname.downcase.split(".")
++
++ # RFC 6125, section 6.4.3, subitem 2.
++ # If the wildcard character is the only character of the left-most
++ # label in the presented identifier, the client SHOULD NOT compare
++ # against anything but the left-most label of the reference
++ # identifier (e.g., *.example.com would match foo.example.com but
++ # not bar.foo.example.com or example.com).
++ return false unless san_parts.size == host_parts.size
++
++ # RFC 6125, section 6.4.3, subitem 1.
++ # The client SHOULD NOT attempt to match a presented identifier in
++ # which the wildcard character comprises a label other than the
++ # left-most label (e.g., do not match bar.*.example.net).
++ return false unless verify_wildcard(host_parts.shift, san_parts.shift)
++
++ san_parts.join(".") == host_parts.join(".")
++ end
++ module_function :verify_hostname
++
++ def verify_wildcard(domain_component, san_component) # :nodoc:
++ parts = san_component.split("*", -1)
++
++ return false if parts.size > 2
++ return san_component == domain_component if parts.size == 1
++
++ # RFC 6125, section 6.4.3, subitem 3.
++ # The client SHOULD NOT attempt to match a presented identifier
++ # where the wildcard character is embedded within an A-label or
++ # U-label of an internationalized domain name.
++ return false if domain_component.start_with?("xn--") && san_component != "*"
++
++ parts[0].length + parts[1].length < domain_component.length &&
++ domain_component.start_with?(parts[0]) &&
++ domain_component.end_with?(parts[1])
++ end
++ module_function :verify_wildcard
++
+ class SSLSocket
+ include Buffering
+ include SocketForwarder
+diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
+index 2e014f1..125f057 100644
+--- a/test/openssl/test_ssl.rb
++++ b/test/openssl/test_ssl.rb
+@@ -569,6 +569,156 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))
+ end
+-end
+
++ def test_verify_hostname
++ assert_equal(true, OpenSSL::SSL.verify_hostname("www.example.com", "*.example.com"))
++ assert_equal(false, OpenSSL::SSL.verify_hostname("www.subdomain.example.com", "*.example.com"))
++ end
++
++ def test_verify_wildcard
++ assert_equal(false, OpenSSL::SSL.verify_wildcard("foo", "x*"))
++ assert_equal(true, OpenSSL::SSL.verify_wildcard("foo", "foo"))
++ assert_equal(true, OpenSSL::SSL.verify_wildcard("foo", "f*"))
++ assert_equal(true, OpenSSL::SSL.verify_wildcard("foo", "*"))
++ assert_equal(false, OpenSSL::SSL.verify_wildcard("abc*bcd", "abcd"))
++ assert_equal(false, OpenSSL::SSL.verify_wildcard("xn--qdk4b9b", "x*"))
++ assert_equal(false, OpenSSL::SSL.verify_wildcard("xn--qdk4b9b", "*--qdk4b9b"))
++ assert_equal(true, OpenSSL::SSL.verify_wildcard("xn--qdk4b9b", "xn--qdk4b9b"))
++ end
++
++ # Comments in this test is excerpted from http://tools.ietf.org/html/rfc6125#page-27
++ def test_post_connection_check_wildcard_san
++ # case-insensitive ASCII comparison
++ # RFC 6125, section 6.4.1
++ #
++ # "..matching of the reference identifier against the presented identifier
++ # is performed by comparing the set of domain name labels using a
++ # case-insensitive ASCII comparison, as clarified by [DNS-CASE] (e.g.,
++ # "WWW.Example.Com" would be lower-cased to "www.example.com" for
++ # comparison purposes)
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:*.example.com'), 'www.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:*.Example.COM'), 'www.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:*.example.com'), 'WWW.Example.COM'))
++ # 1. The client SHOULD NOT attempt to match a presented identifier in
++ # which the wildcard character comprises a label other than the
++ # left-most label (e.g., do not match bar.*.example.net).
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:www.*.com'), 'www.example.com'))
++ # 2. If the wildcard character is the only character of the left-most
++ # label in the presented identifier, the client SHOULD NOT compare
++ # against anything but the left-most label of the reference
++ # identifier (e.g., *.example.com would match foo.example.com but
++ # not bar.foo.example.com or example.com).
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:*.example.com'), 'foo.example.com'))
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:*.example.com'), 'bar.foo.example.com'))
++ # 3. The client MAY match a presented identifier in which the wildcard
++ # character is not the only character of the label (e.g.,
++ # baz*.example.net and *baz.example.net and b*z.example.net would
++ # be taken to match baz1.example.net and foobaz.example.net and
++ # buzz.example.net, respectively). ...
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com'))
++ # Section 6.4.3 of RFC6125 states that client should NOT match identifier
++ # where wildcard is other than left-most label.
++ #
++ # Also implicitly mentions the wildcard character only in singular form,
++ # and discourages matching against more than one wildcard.
++ #
++ # See RFC 6125, section 7.2, subitem 2.
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:*b*.example.com'), 'abc.example.com'))
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:*b*.example.com'), 'ab.example.com'))
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:*b*.example.com'), 'bc.example.com'))
++ # ... However, the client SHOULD NOT
++ # attempt to match a presented identifier where the wildcard
++ # character is embedded within an A-label or U-label [IDNA-DEFS] of
++ # an internationalized domain name [IDNA-PROTO].
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:xn*.example.com'), 'xn1ca.example.com'))
++ # part of A-label
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:xn--*.example.com'), 'xn--1ca.example.com'))
++ # part of U-label
++ # dNSName in RFC5280 is an IA5String so U-label should NOT be allowed
++ # regardless of wildcard.
++ #
++ # See Section 7.2 of RFC 5280:
++ # IA5String is limited to the set of ASCII characters.
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_san('DNS:á*.example.com'), 'á1.example.com'))
++ end
++
++ def test_post_connection_check_wildcard_cn
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('*.example.com'), 'www.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('*.Example.COM'), 'www.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('*.example.com'), 'WWW.Example.COM'))
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('www.*.com'), 'www.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('*.example.com'), 'foo.example.com'))
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('*.example.com'), 'bar.foo.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('baz*.example.com'), 'baz1.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('*baz.example.com'), 'foobaz.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('b*z.example.com'), 'buzz.example.com'))
++ # Section 6.4.3 of RFC6125 states that client should NOT match identifier
++ # where wildcard is other than left-most label.
++ #
++ # Also implicitly mentions the wildcard character only in singular form,
++ # and discourages matching against more than one wildcard.
++ #
++ # See RFC 6125, section 7.2, subitem 2.
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('*b*.example.com'), 'abc.example.com'))
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('*b*.example.com'), 'ab.example.com'))
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('*b*.example.com'), 'bc.example.com'))
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('xn*.example.com'), 'xn1ca.example.com'))
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('xn--*.example.com'), 'xn--1ca.example.com'))
++ # part of U-label
++ # Subject in RFC5280 states case-insensitive ASCII comparison.
++ #
++ # See Section 7.2 of RFC 5280:
++ # IA5String is limited to the set of ASCII characters.
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(
++ create_cert_with_name('á*.example.com'), 'á1.example.com'))
++ end
++
++ def create_cert_with_san(san)
++ ef = OpenSSL::X509::ExtensionFactory.new
++ cert = OpenSSL::X509::Certificate.new
++ cert.subject = OpenSSL::X509::Name.parse("/DC=some/DC=site/CN=Some Site")
++ ext = ef.create_ext('subjectAltName', san)
++ cert.add_extension(ext)
++ cert
++ end
++
++ def create_cert_with_name(name)
++ cert = OpenSSL::X509::Certificate.new
++ cert.subject = OpenSSL::X509::Name.new([['DC', 'some'], ['DC', 'site'], ['CN', name]])
++ cert
++ end
++
++
++end
+ end
+--
+2.3.5
+
diff -Nru ruby1.8-1.8.7.375/debian/patches/series ruby1.8-1.8.7.375/debian/patches/series
--- ruby1.8-1.8.7.375/debian/patches/series 2013-11-24 13:39:24.000000000 +0000
+++ ruby1.8-1.8.7.375/debian/patches/series 2015-04-14 22:55:58.000000000 +0000
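Review bot: The ASCII guard `return false if san =~ /[\x80-\xff]/` (and its hostname twin) in the new verify_hostname is a flag-less regexp literal, and in Ruby 1.8 such literals take their character semantics from `$KCODE`, which many 1.8-era applications set to `'u'`; I have not traced how 1.8's engine treats that byte range in UTF-8 mode, but appending the byte flag, `return false if san =~ /[\x80-\xff]/n` and `return false if hostname =~ /[\x80-\xff]/n`, pins byte-wise matching and removes the question for the one check that enforces the IA5String/ASCII-only rule the comment cites. Separately, the `reg = Regexp.escape(...).gsub(/\\\*/, "[^.]+")` lines at both call sites (inner hunks @@ -97 and @@ -113) are now dead, since only the `return true if` line below each was swapped for `verify_hostname`; drop them so the old regex path cannot be reintroduced by a later merge. Finally, `return san == hostname if san_parts.size < 2` compares the un-downcased values even though the comment above says matching is case-insensitive; that fails closed, so it is not a hole, but either compare the downcased strings or extend the TODO to say single-label names are deliberately matched exactly. The surrounding verify_certificate_identity body continues outside the quoted inner hunks.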
@@ -14,4 +14,5 @@
 120302_ruby_ee.patch
 use-ldflags.patch
 131122_float_parsing_overflow.patch
-131124_version.patch
\ No newline at end of file
+ruby_1_8_7-p374-fixes-2015-04-14.patch
+version_update.patch
diff -Nru ruby1.8-1.8.7.375/debian/patches/version_update.patch ruby1.8-1.8.7.375/debian/patches/version_update.patch
--- ruby1.8-1.8.7.375/debian/patches/version_update.patch 1970-01-01 00:00:00.000000000 +0000
+++ ruby1.8-1.8.7.375/debian/patches/version_update.patch 2015-04-14 22:55:58.000000000 +0000
@@ -0,0 +1,16 @@
+diff --git a/version.h b/version.h
+index 6b6d57e..38a9d7b 100644
+--- a/version.h
++++ b/version.h
+@@ -1,8 +1,8 @@
+ #define RUBY_VERSION "1.8.7"
+-#define RUBY_RELEASE_DATE "2013-06-27"
++#define RUBY_RELEASE_DATE "2015-04-14"
+ #define RUBY_VERSION_CODE 187
+-#define RUBY_RELEASE_CODE 20130627
+-#define RUBY_PATCHLEVEL 374
++#define RUBY_RELEASE_CODE 20150414
++#define RUBY_PATCHLEVEL 375
+
+ #define RUBY_VERSION_MAJOR 1
+ #define RUBY_VERSION_MINOR 8
diff -Nru ruby1.8-1.8.7.375/debian/rules ruby1.8-1.8.7.375/debian/rules
--- ruby1.8-1.8.7.375/debian/rules 2013-11-24 13:25:26.000000000 +0000
+++ ruby1.8-1.8.7.375/debian/rules 2014-06-11 13:38:44.000000000 +0000
@@ -53,7 +53,7 @@
 # For some reason, builds on raring and saucy end up with pthread needing linking in
 # Hacky fix, but a fix.
 lsbcodename := $(shell lsb_release -cs)
-ifneq (,$(filter $(lsbcodename),raring saucy))
+ifneq (,$(filter $(lsbcodename),raring saucy trusty))
 DEB_CONFIGURE_USER_FLAGS += --enable-pthread
 else
 DEB_CONFIGURE_USER_FLAGS += --disable-pthread