diff -Nru ruby1.9.1-1.9.3.551/debian/changelog ruby1.9.1-1.9.3.551/debian/changelog
--- ruby1.9.1-1.9.3.551/debian/changelog 2017-09-26 17:37:25.000000000 +0000
+++ ruby1.9.1-1.9.3.551/debian/changelog 2018-01-16 12:05:10.000000000 +0000
@@ -1,3 +1,10 @@
+ruby1.9.1 (1:1.9.3.551-556bbox1~artful2) artful; urgency=medium
+
+ * Backported fixes for CVE-2017-17405 Net::FTP
+ * Backported Unsafe Object Deserialization Vulnerability in RubyGems
+
+ -- John Leach Tue, 16 Jan 2018 12:05:10 +0000
+
 ruby1.9.1 (1:1.9.3.551-555bbox2~artful1) artful; urgency=medium
 * Backported fixes for CVE-2017-0898, CVE-2017-10784, CVE-2017-14033, CVE-2017-14064
diff -Nru ruby1.9.1-1.9.3.551/debian/patches/debian-changes ruby1.9.1-1.9.3.551/debian/patches/debian-changes
--- ruby1.9.1-1.9.3.551/debian/patches/debian-changes 2017-09-26 17:37:25.000000000 +0000
+++ ruby1.9.1-1.9.3.551/debian/patches/debian-changes 2018-01-16 12:05:10.000000000 +0000
@@ -5,12 +5,11 @@
 information below has been extracted from the changelog. Adjust it or drop it.
 .
- ruby1.9.1 (1:1.9.3.551-555bbox2~artful1) artful; urgency=medium
+ ruby1.9.1 (1:1.9.3.551-556bbox1~artful2) artful; urgency=medium
 .
- * Backported fixes for CVE-2017-0898, CVE-2017-10784, CVE-2017-14033, CVE-2017-14064
- * Backported rubygems fixes for CVE-2017-0899, CVE-2017-0900 and
- CVE-2017-0901
-Author: John Leach
+ * Backported fixes for CVE-2017-17405 Net::FTP
+ * Backported Unsafe Object Deserialization Vulnerability in RubyGems
+Author: John Leach
 ---
 The information above should follow the Patch Tagging Guidelines, please
@@ -23,11 +22,21 @@
 Bug-Ubuntu: https://launchpad.net/bugs/
 Forwarded:
 Reviewed-By:
-Last-Update: 2017-09-26
+Last-Update: 2018-01-17
 --- ruby1.9.1-1.9.3.551.orig/ChangeLog
 +++ ruby1.9.1-1.9.3.551/ChangeLog
-@@ -1,3 +1,32 @@
+@@ -1,3 +1,42 @@
++Thu Dec 14 22:52:11 2017 Shugo Maeda
++
++ Fix a command injection vulnerability in Net::FTP.
++
++Thu Dec 14 22:49:08 2017 SHIBATA Hiroshi
++
++ Merge rubygems-2.6.14 changes.
++
++ It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
++
 +Thu Sep 14 20:44:26 2017 SHIBATA Hiroshi
 +
 + * ext/json: bump to version 1.8.1.1. [Backport #13853]
@@ -172,6 +181,48 @@
 inner_read += hlen; } else {
+--- ruby1.9.1-1.9.3.551.orig/lib/net/ftp.rb
++++ ruby1.9.1-1.9.3.551/lib/net/ftp.rb
+@@ -563,10 +563,10 @@ module Net
+ if localfile
+ if @resume
+ rest_offset = File.size?(localfile)
+- f = open(localfile, "a")
++ f = File.open(localfile, "a")
+ else
+ rest_offset = nil
+- f = open(localfile, "w")
++ f = File.open(localfile, "w")
+ end
+ elsif !block_given?
+ result = ""
+@@ -594,7 +594,7 @@ module Net
+ def gettextfile(remotefile, localfile = File.basename(remotefile)) # :yield: line
+ result = nil
+ if localfile
+- f = open(localfile, "w")
++ f = File.open(localfile, "w")
+ elsif !block_given?
+ result = ""
+ end
+@@ -640,7 +640,7 @@ module Net
+ else
+ rest_offset = nil
+ end
+- f = open(localfile)
++ f = File.open(localfile)
+ begin
+ f.binmode
+ if rest_offset
+@@ -659,7 +659,7 @@ module Net
+ # passing in the transmitted data one line at a time.
+ #
+ def puttextfile(localfile, remotefile = File.basename(localfile), &block) # :yield: line
+- f = open(localfile)
++ f = File.open(localfile)
+ begin
+ storlines("STOR " + remotefile, f, &block)
+ ensure
 --- ruby1.9.1-1.9.3.551.orig/lib/rubygems.rb
 +++ ruby1.9.1-1.9.3.551/lib/rubygems.rb
 @@ -121,7 +121,7 @@ require "rubygems/deprecate"
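Review bot: None of the four `open(localfile, …)` → `File.open(localfile, …)` replacements in the lib/net/ftp.rb hunks carries a comment saying why, and the default `localfile = File.basename(remotefile)` visible in the gettextfile hunk shows the local name can be derived from the remote one rather than chosen by the caller; a later tidy-up that restores the shorter `open` would silently reintroduce the CVE-2017-17405 behaviour the changelog names. At the first replacement in the `@@ -563` hunk add `# File.open, not Kernel#open: Kernel#open treats a leading "|" as a command to run (CVE-2017-17405)`. The enclosing methods of the `@@ -563` and `@@ -640` hunks start outside the hunk, and puttextfile's body continues past it, so any other `open` call on a user-supplied path in this file is not visible here.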
@@ -183,6 +234,23 @@
 ##
 # Raised when RubyGems is unable to load or activate a gem. Contains the
+@@ -654,7 +654,7 @@ module Gem
+
+ unless test_syck
+ begin
+- gem 'psych', '~> 1.2', '>= 1.2.1'
++ gem 'psych', '~> 2.0.0'
+ rescue Gem::LoadError
+ # It's OK if the user does not have the psych gem installed. We will
+ # attempt to require the stdlib version
+@@ -678,6 +678,7 @@ module Gem
+ end
+
+ require 'yaml'
++ require 'rubygems/safe_yaml'
+
+ # If we're supposed to be using syck, then we may have to force
+ # activate it via the YAML::ENGINE API.
 --- ruby1.9.1-1.9.3.551.orig/lib/rubygems/commands/query_command.rb
 +++ ruby1.9.1-1.9.3.551/lib/rubygems/commands/query_command.rb
 @@ -251,9 +251,10 @@ class Gem::Commands::QueryCommand < Gem:
@@ -232,6 +300,22 @@
 lib_files.each do |lib_file|
 dest_file = File.join lib_dir, lib_file
+--- ruby1.9.1-1.9.3.551.orig/lib/rubygems/config_file.rb
++++ ruby1.9.1-1.9.3.551/lib/rubygems/config_file.rb
+@@ -250,7 +250,12 @@ class Gem::ConfigFile
+
+ return {} unless filename and File.exist? filename
+ begin
+- YAML.load(File.read(filename))
++ content = Gem::SafeYAML.load(File.read(filename))
++ unless content.kind_of? Hash
++ warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
++ return {}
++ end
++ return content
+ rescue ArgumentError
+ warn "Failed to load #{config_file_name}"
+ rescue Errno::EACCES
 --- ruby1.9.1-1.9.3.551.orig/lib/rubygems/ext/builder.rb
 +++ ruby1.9.1-1.9.3.551/lib/rubygems/ext/builder.rb
 @@ -4,8 +4,18 @@
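Review bot: The new `gem 'psych', '~> 2.0.0'` requirement sits inside a `begin … rescue Gem::LoadError` whose surviving comment says a missing psych gem is fine and the stdlib version will be used, so on a system without a psych 2.0 gem the `require 'rubygems/safe_yaml'` added a few lines later presumably gets a YAML that lacks `safe_load`, and the fallback defined in the later lib/rubygems/safe_yaml.rb hunk is then a plain `::YAML.load`. For Ruby 1.9.3 that is likely the default situation (confirm against the psych the interpreter bundles), which makes the deserialization fix this upload is named after conditional on a separately installed gem, and neither this hunk nor debian/changelog says so. Extend the rescue comment with `# NOTE: without psych >= 2.0, Gem::SafeYAML falls back to unsafe YAML.load (see rubygems/safe_yaml.rb)` and record the psych requirement in the changelog or the package's dependencies. The enclosing method of both hunks starts and ends outside them.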
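Review bot: The added warning `warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"` in the lib/rubygems/config_file.rb hunk is a literal string, because `#(unknown)` is not Ruby interpolation, so the message never names the file, whereas the `rescue ArgumentError` branch two lines below interpolates `#{config_file_name}`. If `#(unknown)` is only an artifact of how this patch was rendered, disregard; otherwise change the line to `warn "Failed to load #{config_file_name} because it doesn't contain valid YAML hash"`. The `kind_of? Hash` check around `Gem::SafeYAML.load` is a sound addition, since a YAML scalar or list would otherwise flow into callers expecting a hash. The enclosing method begins before and ends after the hunk.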
@@ -421,6 +505,187 @@
 end
 rescue
 results = results.join "\n"
+--- /dev/null
++++ ruby1.9.1-1.9.3.551/lib/rubygems/package/old.rb
+@@ -0,0 +1,178 @@
++#--
++# Copyright 2006 by Chad Fowler, Rich Kilmer, Jim Weirich and others.
++# All rights reserved.
++# See LICENSE.txt for permissions.
++#++
++
++##
++# The format class knows the guts of the ancient .gem file format and provides
++# the capability to read such ancient gems.
++#
++# Please pretend this doesn't exist.
++
++class Gem::Package::Old < Gem::Package
++
++ undef_method :spec=
++
++ ##
++ # Creates a new old-format package reader for +gem+. Old-format packages
++ # cannot be written.
++
++ def initialize gem
++ require 'fileutils'
++ require 'zlib'
++ Gem.load_yaml
++
++ @contents = nil
++ @gem = gem
++ @security_policy = nil
++ @spec = nil
++ end
++
++ ##
++ # A list of file names contained in this gem
++
++ def contents
++ verify
++
++ return @contents if @contents
++
++ open @gem, 'rb' do |io|
++ read_until_dashes io # spec
++ header = file_list io
++
++ @contents = header.map { |file| file['path'] }
++ end
++ end
++
++ ##
++ # Extracts the files in this package into +destination_dir+
++
++ def extract_files destination_dir
++ verify
++
++ errstr = "Error reading files from gem"
++
++ open @gem, 'rb' do |io|
++ read_until_dashes io # spec
++ header = file_list io
++ raise Gem::Exception, errstr unless header
++
++ header.each do |entry|
++ full_name = entry['path']
++
++ destination = install_location full_name, destination_dir
++
++ file_data = ''
++
++ read_until_dashes io do |line|
++ file_data << line
++ end
++
++ file_data = file_data.strip.unpack("m")[0]
++ file_data = Zlib::Inflate.inflate file_data
++
++ raise Gem::Package::FormatError, "#{full_name} in #{@gem} is corrupt" if
++ file_data.length != entry['size'].to_i
++
++ FileUtils.rm_rf destination
++
++ FileUtils.mkdir_p File.dirname destination
++
++ open destination, 'wb', entry['mode'] do |out|
++ out.write file_data
++ end
++
++ say destination if Gem.configuration.really_verbose
++ end
++ end
++ rescue Zlib::DataError
++ raise Gem::Exception, errstr
++ end
++
++ ##
++ # Reads the file list section from the old-format gem +io+
++
++ def file_list io # :nodoc:
++ header = ''
++
++ read_until_dashes io do |line|
++ header << line
++ end
++
++ Gem::SafeYAML.safe_load header
++ end
++
++ ##
++ # Reads lines until a "---" separator is found
++
++ def read_until_dashes io # :nodoc:
++ while (line = io.gets) && line.chomp.strip != "---" do
++ yield line if block_given?
++ end
++ end
++
++ ##
++ # Skips the Ruby self-install header in +io+.
++
++ def skip_ruby io # :nodoc:
++ loop do
++ line = io.gets
++
++ return if line.chomp == '__END__'
++ break unless line
++ end
++
++ raise Gem::Exception, "Failed to find end of ruby script while reading gem"
++ end
++
++ ##
++ # The specification for this gem
++
++ def spec
++ verify
++
++ return @spec if @spec
++
++ yaml = ''
++
++ open @gem, 'rb' do |io|
++ skip_ruby io
++ read_until_dashes io do |line|
++ yaml << line
++ end
++ end
++
++ yaml_error = if RUBY_VERSION < '1.9' then
++ YAML::ParseError
++ elsif YAML::ENGINE.yamler == 'syck' then
++ YAML::ParseError
++ else
++ YAML::SyntaxError
++ end
++
++ begin
++ @spec = Gem::Specification.from_yaml yaml
++ rescue yaml_error => e
++ raise Gem::Exception, "Failed to parse gem specification out of gem file"
++ end
++ rescue ArgumentError => e
++ raise Gem::Exception, "Failed to parse gem specification out of gem file"
++ end
++
++ ##
++ # Raises an exception if a security policy that verifies data is active.
++ # Old format gems cannot be verified as signed.
++
++ def verify
++ return true unless @security_policy
++
++ raise Gem::Security::Exception,
++ 'old format gems do not contain signatures and cannot be verified' if
++ @security_policy.verify_data
++
++ true
++ end
++
++end
++
 --- ruby1.9.1-1.9.3.551.orig/lib/rubygems/package/tar_input.rb
 +++ ruby1.9.1-1.9.3.551/lib/rubygems/package/tar_input.rb
 @@ -5,7 +5,6 @@
@@ -529,6 +794,57 @@
 fix_syck_default_key_in_requirements
 end
+--- /dev/null
++++ ruby1.9.1-1.9.3.551/lib/rubygems/safe_yaml.rb
+@@ -0,0 +1,48 @@
++module Gem
++
++ ###
++ # This module is used for safely loading YAML specs from a gem. The
++ # `safe_load` method defined on this module is specifically designed for
++ # loading Gem specifications. For loading other YAML safely, please see
++ # Psych.safe_load
++
++ module SafeYAML
++ WHITELISTED_CLASSES = %w(
++ Symbol
++ Time
++ Date
++ Gem::Dependency
++ Gem::Platform
++ Gem::Requirement
++ Gem::Specification
++ Gem::Version
++ Gem::Version::Requirement
++ YAML::Syck::DefaultKey
++ Syck::DefaultKey
++ )
++
++ WHITELISTED_SYMBOLS = %w(
++ development
++ runtime
++ )
++
++ if ::YAML.respond_to? :safe_load
++ def self.safe_load input
++ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
++ end
++
++ def self.load input
++ ::YAML.safe_load(input, [::Symbol])
++ end
++ else
++ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
++ def self.safe_load input, *args
++ ::YAML.load input
++ end
++
++ def self.load input
++ ::YAML.load input
++ end
++ end
++ end
++end
 --- ruby1.9.1-1.9.3.551.orig/lib/rubygems/specification.rb
 +++ ruby1.9.1-1.9.3.551/lib/rubygems/specification.rb
 @@ -1,3 +1,4 @@
@@ -545,6 +861,15 @@
 # :startdoc:
 ##
+@@ -488,7 +491,7 @@ class Gem::Specification
+ Gem.load_yaml
+
+ input = normalize_yaml_input input
+- spec = YAML.load input
++ spec = Gem::SafeYAML.safe_load input
+
+ if spec && spec.class == FalseClass then
+ raise Gem::EndOfYAMLException
 @@ -1720,7 +1723,9 @@ class Gem::Specification
 when Numeric then obj.inspect
 when true, false, nil then obj.inspect
@@ -1844,16 +2169,16 @@
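Review bot: In `skip_ruby` of the new lib/rubygems/package/old.rb, `return if line.chomp == '__END__'` runs before `break unless line`, so when `io.gets` returns nil at end of file the method raises NoMethodError on nil instead of reaching the intended `raise Gem::Exception, "Failed to find end of ruby script while reading gem"`; a truncated or non-old-format .gem therefore fails with an exception class that callers rescuing Gem::Exception will not catch. Swap the two lines so the nil check comes first: `break unless line` then `return if line.chomp == '__END__'`. Separately, this file reads and writes with bare `open @gem, 'rb'` and `open destination, 'wb', entry['mode']` while the Net::FTP hunk in the same upload replaces exactly that idiom with `File.open` because Kernel#open has a command form; using `File.open` here too keeps the two backports consistent, and `install_location` is not visible in this diff so whatever checks it applies to `entry['path']` cannot be confirmed from here.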
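Review bot: The `else` branch of the new lib/rubygems/safe_yaml.rb defines both `Gem::SafeYAML.safe_load` and `.load` as a plain `::YAML.load`, so on an interpreter whose YAML does not respond to `safe_load` the module named "safe" performs exactly the unrestricted deserialization this upload is meant to remove, and the only signal is a one-time `warn` at require time that is easy to miss. Since the rubygems.rb hunk earlier in this patch tolerates a missing psych 2.0 gem, this branch is presumably the one a stock Ruby 1.9.3 takes (confirm against the bundled psych). Prefer failing closed in both fallback methods, e.g. `raise Gem::Exception, "YAML safe loading is not available; install psych >= 2.0"`, or at minimum make the warning say that gem specifications and gemrc files will be loaded unsafely. Minor: `WHITELISTED_CLASSES` and `WHITELISTED_SYMBOLS` are constant arrays and should end with `.freeze`.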
 @@ -1,10 +1,10 @@
 #define RUBY_VERSION "1.9.3"
 -#define RUBY_PATCHLEVEL 551
-+#define RUBY_PATCHLEVEL 555
++#define RUBY_PATCHLEVEL 556
 -#define RUBY_RELEASE_DATE "2014-11-13"
 -#define RUBY_RELEASE_YEAR 2014
 -#define RUBY_RELEASE_MONTH 11
 -#define RUBY_RELEASE_DAY 13
-+#define RUBY_RELEASE_DATE "2017-09-14"
++#define RUBY_RELEASE_DATE "2017-12-15"
 +#define RUBY_RELEASE_YEAR 2017
-+#define RUBY_RELEASE_MONTH 9
-+#define RUBY_RELEASE_DAY 14
++#define RUBY_RELEASE_MONTH 12
++#define RUBY_RELEASE_DAY 15
 #include "ruby/version.h"