rpms/ruby
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to Ruby 2.3.5.

Browse Source 
Patch10, Patch11, Patch12 and Patch13 subsumed.
This commit is contained in:
Pavel Valena 2017-10-02 13:54:11 +02:00
parent 0cea76d0f1
commit 76119c738a
13 changed files with 20 additions and 783 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch
View File

@ -39,7 +39,7 @@ diff --git a/configure.in b/configure.in
index 0e371e2..d4f1dcb 100644
--- a/configure.in
+++ b/configure.in
@@ -4407,6 +4407,13 @@ AC_SUBST(rubyarchhdrdir)dnl
@@ -4402,6 +4402,13 @@ AC_SUBST(rubyarchhdrdir)dnl
AC_SUBST(sitearchhdrdir)dnl
AC_SUBST(vendorarchhdrdir)dnl

2
ruby-2.1.0-Enable-configuration-of-archlibdir.patch
View File

@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in
index 37d9a62..553d4d0 100644
--- a/configure.in
+++ b/configure.in
@@ -3665,6 +3665,11 @@ if test ${multiarch+set}; then
@@ -3666,6 +3666,11 @@ if test ${multiarch+set}; then
fi
archlibdir='${libdir}/${arch}'

2
ruby-2.1.0-Prevent-duplicated-paths-when-empty-version-string-i.patch
View File

@ -14,7 +14,7 @@ diff --git a/configure.in b/configure.in
index db37cd6..ce8d149 100644
--- a/configure.in
+++ b/configure.in
@@ -4261,7 +4261,8 @@ AS_CASE(["$ruby_version_dir_name"],
@@ -4256,7 +4256,8 @@ AS_CASE(["$ruby_version_dir_name"],
ruby_version_dir=/'${ruby_version_dir_name}'
if test -z "${ruby_version_dir_name}"; then

2
ruby-2.1.0-always-use-i386.patch
View File

@ -11,7 +11,7 @@ diff --git a/configure.in b/configure.in
index 553d4d0..03a4152 100644
--- a/configure.in
+++ b/configure.in
@@ -4325,6 +4325,8 @@ AC_SUBST(vendorarchdir)dnl
@@ -4320,6 +4320,8 @@ AC_SUBST(vendorarchdir)dnl
AC_SUBST(CONFIGURE, "`echo $0 | sed 's|.*/||'`")dnl
AC_SUBST(configure_args, "`echo "${ac_configure_args}" | sed 's/\\$/$$/g'`")dnl

4
ruby-2.1.0-custom-rubygems-location.patch
View File

@ -15,7 +15,7 @@ diff --git a/configure.in b/configure.in
index 03a4152..0e371e2 100644
--- a/configure.in
+++ b/configure.in
@@ -4297,6 +4297,10 @@ AC_ARG_WITH(vendorarchdir,
@@ -4292,6 +4292,10 @@ AC_ARG_WITH(vendorarchdir,
[vendorarchdir=$withval],
[vendorarchdir=${multiarch+'${rubysitearchprefix}/vendor_ruby'${ruby_version_dir}}${multiarch-'${vendorlibdir}/${sitearch}'}])
@ -26,7 +26,7 @@ index 03a4152..0e371e2 100644
if test "${LOAD_RELATIVE+set}"; then
AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
RUBY_EXEC_PREFIX=''
@@ -4321,6 +4325,7 @@ AC_SUBST(sitearchdir)dnl
@@ -4316,6 +4320,7 @@ AC_SUBST(sitearchdir)dnl
AC_SUBST(vendordir)dnl
AC_SUBST(vendorlibdir)dnl
AC_SUBST(vendorarchdir)dnl

6
ruby-2.3.0-ruby_version.patch
View File

@ -20,7 +20,7 @@ diff --git a/configure.in b/configure.in
index db37cd6..6e73fae 100644
--- a/configure.in
+++ b/configure.in
@@ -4210,9 +4210,6 @@ AS_CASE(["$target_os"],
@@ -4205,9 +4205,6 @@ AS_CASE(["$target_os"],
rubyw_install_name='$(RUBYW_INSTALL_NAME)'
])
@ -30,7 +30,7 @@ index db37cd6..6e73fae 100644
rubyarchprefix=${multiarch+'${archlibdir}/${RUBY_BASE_NAME}'}${multiarch-'${rubylibprefix}/${arch}'}
AC_ARG_WITH(rubyarchprefix,
AS_HELP_STRING([--with-rubyarchprefix=DIR],
@@ -4235,58 +4232,64 @@ AC_ARG_WITH(ridir,
@@ -4230,58 +4227,64 @@ AC_ARG_WITH(ridir,
AC_SUBST(ridir)
AC_SUBST(RI_BASE_NAME)
@ -124,7 +124,7 @@ index db37cd6..6e73fae 100644
if test "${LOAD_RELATIVE+set}"; then
AC_DEFINE_UNQUOTED(LOAD_RELATIVE, $LOAD_RELATIVE)
@@ -4303,6 +4306,7 @@ AC_SUBST(sitearchincludedir)dnl
@@ -4298,6 +4301,7 @@ AC_SUBST(sitearchincludedir)dnl
AC_SUBST(arch)dnl
AC_SUBST(sitearch)dnl
AC_SUBST(ruby_version)dnl

8
ruby-2.3.3-Revert-use-frozen-strings-in-serialized-specs.patch
View File

@ -13,7 +13,7 @@ diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
index 7128532..654996a 100644
--- a/lib/rubygems/specification.rb
+++ b/lib/rubygems/specification.rb
@@ -2335,7 +2335,7 @@ class Gem::Specification < Gem::BasicSpecification
@@ -2337,7 +2337,7 @@ class Gem::Specification < Gem::BasicSpecification
def ruby_code(obj)
case obj
@ -22,7 +22,7 @@ index 7128532..654996a 100644
when Array then '[' + obj.map { |x| ruby_code x }.join(", ") + ']'
when Hash then
seg = obj.keys.sort.map { |k| "#{k.to_s.dump} => #{obj[k].to_s.dump}" }
@@ -2525,14 +2525,14 @@ class Gem::Specification < Gem::BasicSpecification
@@ -2527,14 +2527,14 @@ class Gem::Specification < Gem::BasicSpecification
dependencies.each do |dep|
req = dep.requirements_list.inspect
dep.instance_variable_set :@type, :runtime if dep.type.nil? # HACK
@ -39,7 +39,7 @@ index 7128532..654996a 100644
end
result << ' end'
@@ -2540,7 +2540,7 @@ class Gem::Specification < Gem::BasicSpecification
@@ -2542,7 +2542,7 @@ class Gem::Specification < Gem::BasicSpecification
result << " else"
dependencies.each do |dep|
version_reqs_param = dep.requirements_list.inspect
@ -209,7 +209,7 @@ index dc7b134..204e100 100644
end
end
SPEC
@@ -3294,20 +3294,20 @@ Did you mean 'Ruby'?
@@ -3324,20 +3324,20 @@ Did you mean 'Ruby'?
# stub: m 1 ruby lib
Gem::Specification.new do |s|

355
ruby-2.3.4-Fix-RubyGems-CVEs.patch
View File

@ -1,355 +0,0 @@
diff --git lib/rubygems.rb lib/rubygems.rb
index 04031c765c..9c0219ce06 100644
--- lib/rubygems.rb
+++ lib/rubygems.rb
@@ -10,7 +10,7 @@
require 'thread'
module Gem
- VERSION = '2.5.2'
+ VERSION = '2.5.2.1'
end
# Must be first since it unloads the prelude from 1.9.2
diff --git lib/rubygems/commands/query_command.rb lib/rubygems/commands/query_command.rb
index d6196b44ed..61e9808860 100644
--- lib/rubygems/commands/query_command.rb
+++ lib/rubygems/commands/query_command.rb
@@ -226,7 +226,7 @@ def output_versions output, versions
end
end
- output << make_entry(matching_tuples, platforms)
+ output << clean_text(make_entry(matching_tuples, platforms))
end
end
@@ -344,7 +344,8 @@ def spec_platforms entry, platforms
end
def spec_summary entry, spec
- entry << "\n\n" << format_text(spec.summary, 68, 4)
+ summary = truncate_text(spec.summary, "the summary for #{spec.full_name}")
+ entry << "\n\n" << format_text(summary, 68, 4)
end
end
diff --git lib/rubygems/installer.rb lib/rubygems/installer.rb
index 85358e0d1a..709b77d126 100644
--- lib/rubygems/installer.rb
+++ lib/rubygems/installer.rb
@@ -693,6 +693,11 @@ def verify_gem_home(unpack = false) # :nodoc:
unpack or File.writable?(gem_home)
end
+ def verify_spec_name
+ return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+ raise Gem::InstallError, "#{spec} has an invalid name"
+ end
+
##
# Return the text for an application file.
@@ -812,6 +817,8 @@ def pre_install_checks
ensure_loadable_spec
+ verify_spec_name
+
if options[:install_as_default]
Gem.ensure_default_gem_subdirectories gem_home
else
diff --git lib/rubygems/remote_fetcher.rb lib/rubygems/remote_fetcher.rb
index fda1e067ef..254bebfadf 100644
--- lib/rubygems/remote_fetcher.rb
+++ lib/rubygems/remote_fetcher.rb
@@ -104,7 +104,7 @@ def api_endpoint(uri)
else
target = res.target.to_s.strip
- if /\.#{Regexp.quote(host)}\z/ =~ target
+ if URI("http://" + target).host.end_with?(".#{host}")
return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
end
diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb
index 8e2557cdb2..dd4fde1776 100644
--- lib/rubygems/specification.rb
+++ lib/rubygems/specification.rb
@@ -108,6 +108,8 @@ class Gem::Specification < Gem::BasicSpecification
private_constant :LOAD_CACHE if defined? private_constant
+ VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc:
+
# :startdoc:
##
@@ -2665,9 +2667,15 @@ def validate packaging = true
end
end
- unless String === name then
+ if !name.is_a?(String) then
raise Gem::InvalidSpecificationException,
- "invalid value for attribute name: \"#{name.inspect}\""
+ "invalid value for attribute name: \"#{name.inspect}\" must be a string"
+ elsif name !~ /[a-zA-Z]/ then
+ raise Gem::InvalidSpecificationException,
+ "invalid value for attribute name: #{name.dump} must include at least one letter"
+ elsif name !~ VALID_NAME_PATTERN then
+ raise Gem::InvalidSpecificationException,
+ "invalid value for attribute name: #{name.dump} can only include letters, numbers, dashes, and underscores"
end
if raw_require_paths.empty? then
diff --git lib/rubygems/text.rb lib/rubygems/text.rb
index 732f1b99f2..b944b62c27 100644
--- lib/rubygems/text.rb
+++ lib/rubygems/text.rb
@@ -6,13 +6,26 @@
module Gem::Text
+ ##
+ # Remove any non-printable characters and make the text suitable for
+ # printing.
+ def clean_text(text)
+ text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze)
+ end
+
+ def truncate_text(text, description, max_length = 100_000)
+ raise ArgumentError, "max_length must be positive" unless max_length > 0
+ return text if text.size <= max_length
+ "Truncating #{description} to #{max_length.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} characters:\n" + text[0, max_length]
+ end
+
##
# Wraps +text+ to +wrap+ characters and optionally indents by +indent+
# characters
def format_text(text, wrap, indent=0)
result = []
- work = text.dup
+ work = clean_text(text)
while work.length > wrap do
if work =~ /^(.{0,#{wrap}})[ \n]/ then
diff --git test/rubygems/test_gem_commands_query_command.rb test/rubygems/test_gem_commands_query_command.rb
index 78c15a1770..9ec715492f 100644
--- test/rubygems/test_gem_commands_query_command.rb
+++ test/rubygems/test_gem_commands_query_command.rb
@@ -116,6 +116,86 @@ def test_execute_details
This is a lot of text. This is a lot of text. This is a lot of text.
This is a lot of text.
+pl (1)
+ Platform: i386-linux
+ Author: A User
+ Homepage: http://example.com
+
+ this is a summary
+ EOF
+
+ assert_equal expected, @ui.output
+ assert_equal '', @ui.error
+ end
+
+ def test_execute_details_cleans_text
+ spec_fetcher do |fetcher|
+ fetcher.spec 'a', 2 do |s|
+ s.summary = 'This is a lot of text. ' * 4
+ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
+ s.homepage = "http://a.example.com/\x03"
+ end
+
+ fetcher.legacy_platform
+ end
+
+ @cmd.handle_options %w[-r -d]
+
+ use_ui @ui do
+ @cmd.execute
+ end
+
+ expected = <<-EOF
+
+*** REMOTE GEMS ***
+
+a (2)
+ Authors: Abraham Lincoln ., . Hirohito
+ Homepage: http://a.example.com/.
+
+ This is a lot of text. This is a lot of text. This is a lot of text.
+ This is a lot of text.
+
+pl (1)
+ Platform: i386-linux
+ Author: A User
+ Homepage: http://example.com
+
+ this is a summary
+ EOF
+
+ assert_equal expected, @ui.output
+ assert_equal '', @ui.error
+ end
+
+ def test_execute_details_truncates_summary
+ spec_fetcher do |fetcher|
+ fetcher.spec 'a', 2 do |s|
+ s.summary = 'This is a lot of text. ' * 10_000
+ s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
+ s.homepage = "http://a.example.com/\x03"
+ end
+
+ fetcher.legacy_platform
+ end
+
+ @cmd.handle_options %w[-r -d]
+
+ use_ui @ui do
+ @cmd.execute
+ end
+
+ expected = <<-EOF
+
+*** REMOTE GEMS ***
+
+a (2)
+ Authors: Abraham Lincoln ., . Hirohito
+ Homepage: http://a.example.com/.
+
+ Truncating the summary for a-2 to 100,000 characters:
+#{" This is a lot of text. This is a lot of text. This is a lot of text.\n" * 1449} This is a lot of te
+
pl (1)
Platform: i386-linux
Author: A User
diff --git test/rubygems/test_gem_installer.rb test/rubygems/test_gem_installer.rb
index 5ec71d0a01..1092a0c68f 100644
--- test/rubygems/test_gem_installer.rb
+++ test/rubygems/test_gem_installer.rb
@@ -1227,6 +1227,26 @@ def test_pre_install_checks_wrong_rubygems_version
end
end
+ def test_pre_install_checks_malicious_name
+ spec = util_spec '../malicious', '1'
+ def spec.full_name # so the spec is buildable
+ "malicious-1"
+ end
+ def spec.validate; end
+
+ util_build_gem spec
+
+ gem = File.join(@gemhome, 'cache', spec.file_name)
+
+ use_ui @ui do
+ @installer = Gem::Installer.at gem
+ e = assert_raises Gem::InstallError do
+ @installer.pre_install_checks
+ end
+ assert_equal '#<Gem::Specification name=../malicious version=1> has an invalid name', e.message
+ end
+ end
+
def test_shebang
util_make_exec @spec, "#!/usr/bin/ruby"
diff --git test/rubygems/test_gem_remote_fetcher.rb test/rubygems/test_gem_remote_fetcher.rb
index 49b6b6656c..a3919c8ef2 100644
--- test/rubygems/test_gem_remote_fetcher.rb
+++ test/rubygems/test_gem_remote_fetcher.rb
@@ -253,6 +253,21 @@ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
dns.verify
end
+ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path
+ uri = URI.parse "http://example.com/foo"
+ target = MiniTest::Mock.new
+ target.expect :target, "evil.com/a.example.com"
+
+ dns = MiniTest::Mock.new
+ dns.expect :getresource, target, [String, Object]
+
+ fetch = Gem::RemoteFetcher.new nil, dns
+ assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
+
+ target.verify
+ dns.verify
+ end
+
def test_api_endpoint_timeout_warning
uri = URI.parse "http://gems.example.com/foo"
diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb
index bc1c8d2ca7..9a49bbbf59 100644
--- test/rubygems/test_gem_specification.rb
+++ test/rubygems/test_gem_specification.rb
@@ -2974,7 +2974,37 @@ def test_validate_name
@a1.validate
end
- assert_equal 'invalid value for attribute name: ":json"', e.message
+ assert_equal 'invalid value for attribute name: ":json" must be a string', e.message
+
+ @a1.name = []
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+ assert_equal "invalid value for attribute name: \"[]\" must be a string", e.message
+
+ @a1.name = ""
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+ assert_equal "invalid value for attribute name: \"\" must include at least one letter", e.message
+
+ @a1.name = "12345"
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+ assert_equal "invalid value for attribute name: \"12345\" must include at least one letter", e.message
+
+ @a1.name = "../malicious"
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+ assert_equal "invalid value for attribute name: \"../malicious\" can only include letters, numbers, dashes, and underscores", e.message
+
+ @a1.name = "\ba\t"
+ e = assert_raises Gem::InvalidSpecificationException do
+ @a1.validate
+ end
+ assert_equal "invalid value for attribute name: \"\\ba\\t\" can only include letters, numbers, dashes, and underscores", e.message
end
def test_validate_non_nil
diff --git test/rubygems/test_gem_text.rb test/rubygems/test_gem_text.rb
index a6e22e04da..04f3f605e8 100644
--- test/rubygems/test_gem_text.rb
+++ test/rubygems/test_gem_text.rb
@@ -36,6 +36,10 @@ def test_format_text_trailing # for two spaces after .
assert_equal expected, format_text(text, 78)
end
+ def test_format_removes_nonprintable_characters
+ assert_equal "text with weird .. stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40)
+ end
+
def test_min3
assert_equal 1, min3(1, 1, 1)
assert_equal 1, min3(1, 1, 2)
@@ -74,4 +78,11 @@ def test_levenshtein_distance_replace
assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest")
assert_equal 7, levenshtein_distance("zentest", "xxxxxxx")
end
+
+ def test_truncate_text
+ assert_equal "abc", truncate_text("abc", "desc")
+ assert_equal "Truncating desc to 2 characters:\nab", truncate_text("abc", "desc", 2)
+ s = "ab" * 500_001
+ assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000)
+ end
end

93
ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
View File

@ -1,93 +0,0 @@
diff --git ext/json/generator/generator.c ext/json/generator/generator.c
index a135e28348..2cdca5685f 100644
--- ext/json/generator/generator.c
+++ ext/json/generator/generator.c
@@ -301,7 +301,7 @@ static char *fstrndup(const char *ptr, unsigned long len) {
char *result;
if (len <= 0) return NULL;
result = ALLOC_N(char, len);
- memccpy(result, ptr, 0, len);
+ memcpy(result, ptr, len);
return result;
}
@@ -1055,7 +1055,7 @@ static VALUE cState_indent_set(VALUE self, VALUE indent)
}
} else {
if (state->indent) ruby_xfree(state->indent);
- state->indent = strdup(RSTRING_PTR(indent));
+ state->indent = fstrndup(RSTRING_PTR(indent), len);
state->indent_len = len;
}
return Qnil;
@@ -1093,7 +1093,7 @@ static VALUE cState_space_set(VALUE self, VALUE space)
}
} else {
if (state->space) ruby_xfree(state->space);
- state->space = strdup(RSTRING_PTR(space));
+ state->space = fstrndup(RSTRING_PTR(space), len);
state->space_len = len;
}
return Qnil;
@@ -1129,7 +1129,7 @@ static VALUE cState_space_before_set(VALUE self, VALUE space_before)
}
} else {
if (state->space_before) ruby_xfree(state->space_before);
- state->space_before = strdup(RSTRING_PTR(space_before));
+ state->space_before = fstrndup(RSTRING_PTR(space_before), len);
state->space_before_len = len;
}
return Qnil;
@@ -1166,7 +1166,7 @@ static VALUE cState_object_nl_set(VALUE self, VALUE object_nl)
}
} else {
if (state->object_nl) ruby_xfree(state->object_nl);
- state->object_nl = strdup(RSTRING_PTR(object_nl));
+ state->object_nl = fstrndup(RSTRING_PTR(object_nl), len);
state->object_nl_len = len;
}
return Qnil;
@@ -1201,7 +1201,7 @@ static VALUE cState_array_nl_set(VALUE self, VALUE array_nl)
}
} else {
if (state->array_nl) ruby_xfree(state->array_nl);
- state->array_nl = strdup(RSTRING_PTR(array_nl));
+ state->array_nl = fstrndup(RSTRING_PTR(array_nl), len);
state->array_nl_len = len;
}
return Qnil;
diff --git ext/json/generator/generator.h ext/json/generator/generator.h
index 298c0a4965..6bbf817b7d 100644
--- ext/json/generator/generator.h
+++ ext/json/generator/generator.h
@@ -1,7 +1,6 @@
#ifndef _GENERATOR_H_
#define _GENERATOR_H_
-#include <string.h>
#include <math.h>
#include <ctype.h>
diff --git ext/json/lib/json/version.rb ext/json/lib/json/version.rb
index b5748334b9..cd7ddf8777 100644
--- ext/json/lib/json/version.rb
+++ ext/json/lib/json/version.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: false
module JSON
# JSON version
- VERSION = '1.8.3'
+ VERSION = '1.8.3.1'
VERSION_ARRAY = VERSION.split(/\./).map { |x| x.to_i } # :nodoc:
VERSION_MAJOR = VERSION_ARRAY[0] # :nodoc:
VERSION_MINOR = VERSION_ARRAY[1] # :nodoc:
--- ext/json/json.gemspec
+++ ext/json/json.gemspec
@@ -1,6 +1,6 @@
Gem::Specification.new do |s|
s.name = "json"
- s.version = "1.8.3"
+ s.version = "1.8.3.1"
s.summary = "This json is bundled with Ruby"
s.executables = []
s.files = ["json.rb", "json/add/bigdecimal.rb", "json/add/complex.rb", "json/add/core.rb", "json/add/date.rb", "json/add/date_time.rb", "json/add/exception.rb", "json/add/ostruct.rb", "json/add/range.rb", "json/add/rational.rb", "json/add/regexp.rb", "json/add/struct.rb", "json/add/symbol.rb", "json/add/time.rb", "json/common.rb", "json/ext.rb", "json/ext/generator.bundle", "json/ext/parser.bundle", "json/generic_object.rb", "json/version.rb"]

170
ruby-2.3.4-remove-the-encryption-key-initialization.patch
View File

@ -1,170 +0,0 @@
From 739782e37a6662fea379e7ef3ec89e851b04b46c Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 5 Jul 2017 07:06:45 +0000
Subject: [PATCH] * ext/openssl/ossl_cipher.c: remove the encryption key
initialization from Cipher#initialize. This is effectively a revert of
r32723 ("Avoid possible SEGV from AES encryption/decryption", 2011-07-28).
the patch is derived from
https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062,
written by Kazuki Yamaguchi. [Backport #8221]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@59267 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
ChangeLog | 9 +++++++++
ext/openssl/ossl_cipher.c | 23 ++++++++++++++---------
test/openssl/test_cipher.rb | 29 +++++++++++++++++++++++------
version.h | 6 +++---
3 files changed, 46 insertions(+), 15 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 33b9dbe79fef..ad89c9c4bd52 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+Wed Jul 5 15:55:35 2017 NAKAMURA Usaku <usa@ruby-lang.org>
+
+ * ext/openssl/ossl_cipher.c: remove the encryption key initialization
+ from Cipher#initialize. This is effectively a revert of r32723
+ ("Avoid possible SEGV from AES encryption/decryption", 2011-07-28).
+ the patch is derived from https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062,
+ written by Kazuki Yamaguchi.
+ [Backport #8221]
+
Wed Mar 29 23:47:31 2017 CHIKANAGA Tomoyuki <nagachika@ruby-lang.org>
* hash.c (any_hash): fix CI failure on L32LLP64 architecture.
diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c
index 09b021d9873a..24caba6e3721 100644
--- a/ext/openssl/ossl_cipher.c
+++ b/ext/openssl/ossl_cipher.c
@@ -34,6 +34,7 @@
*/
VALUE cCipher;
VALUE eCipherError;
+static ID id_key_set;
static VALUE ossl_cipher_alloc(VALUE klass);
static void ossl_cipher_free(void *ptr);
@@ -114,7 +115,6 @@ ossl_cipher_initialize(VALUE self, VALUE str)
EVP_CIPHER_CTX *ctx;
const EVP_CIPHER *cipher;
char *name;
- unsigned char key[EVP_MAX_KEY_LENGTH];
name = StringValuePtr(str);
GetCipherInit(self, ctx);
@@ -126,14 +126,7 @@ ossl_cipher_initialize(VALUE self, VALUE str)
if (!(cipher = EVP_get_cipherbyname(name))) {
ossl_raise(rb_eRuntimeError, "unsupported cipher algorithm (%s)", name);
}
- /*
- * The EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) allows
- * uninitialized key, but other EVPs (such as AES) does not allow it.
- * Calling EVP_CipherUpdate() without initializing key causes SEGV so we
- * set the data filled with "\0" as the key by default.
- */
- memset(key, 0, EVP_MAX_KEY_LENGTH);
- if (EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, -1) != 1)
+ if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1)
ossl_raise(eCipherError, NULL);
return self;
@@ -252,6 +245,9 @@ ossl_cipher_init(int argc, VALUE *argv, VALUE self, int mode)
ossl_raise(eCipherError, NULL);
}
+ if (p_key)
+ rb_ivar_set(self, id_key_set, Qtrue);
+
return self;
}
@@ -338,6 +334,8 @@ ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self)
OPENSSL_cleanse(key, sizeof key);
OPENSSL_cleanse(iv, sizeof iv);
+ rb_ivar_set(self, id_key_set, Qtrue);
+
return Qnil;
}
@@ -391,6 +389,9 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
rb_scan_args(argc, argv, "11", &data, &str);
+ if (!RTEST(rb_attr_get(self, id_key_set)))
+ ossl_raise(eCipherError, "key not set");
+
StringValue(data);
in = (unsigned char *)RSTRING_PTR(data);
if ((in_len = RSTRING_LEN(data)) == 0)
@@ -490,6 +491,8 @@ ossl_cipher_set_key(VALUE self, VALUE key)
if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1)
ossl_raise(eCipherError, NULL);
+ rb_ivar_set(self, id_key_set, Qtrue);
+
return key;
}
@@ -1008,4 +1011,6 @@ Init_ossl_cipher(void)
rb_define_method(cCipher, "iv_len", ossl_cipher_iv_length, 0);
rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0);
rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1);
+
+ id_key_set = rb_intern_const("key_set");
}
diff --git a/test/openssl/test_cipher.rb b/test/openssl/test_cipher.rb
index 89c176f4de41..95058b5f196b 100644
--- a/test/openssl/test_cipher.rb
+++ b/test/openssl/test_cipher.rb
@@ -81,6 +81,7 @@ def test_reset
def test_empty_data
@c1.encrypt
+ @c1.random_key
assert_raise(ArgumentError){ @c1.update("") }
end
@@ -129,12 +130,10 @@ def test_AES
}
end
- def test_AES_crush
- 500.times do
- assert_nothing_raised("[Bug #2768]") do
- # it caused OpenSSL SEGV by uninitialized key
- OpenSSL::Cipher::AES128.new("ECB").update "." * 17
- end
+ def test_update_raise_if_key_not_set
+ assert_raise(OpenSSL::Cipher::CipherError) do
+ # it caused OpenSSL SEGV by uninitialized key [Bug #2768]
+ OpenSSL::Cipher::AES128.new("ECB").update "." * 17
end
end
end
@@ -236,6 +235,24 @@ def test_aes_gcm_wrong_ciphertext
end
end
+ def test_aes_gcm_key_iv_order_issue
+ pt = "[ruby/openssl#49]"
+ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
+ cipher.key = "x" * 16
+ cipher.iv = "a" * 12
+ ct1 = cipher.update(pt) << cipher.final
+ tag1 = cipher.auth_tag
+
+ cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
+ cipher.iv = "a" * 12
+ cipher.key = "x" * 16
+ ct2 = cipher.update(pt) << cipher.final
+ tag2 = cipher.auth_tag
+
+ assert_equal ct1, ct2
+ assert_equal tag1, tag2
+ end if has_cipher?("aes-128-gcm")
+
end
private

122
ruby-2.4.0-SMTP-injection-fix.patch
View File

@ -1,122 +0,0 @@
From ea7b67981156f3eaee8420bb34c49605573387a5 Mon Sep 17 00:00:00 2001
From: shugo <shugo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 8 Jun 2016 07:06:57 +0000
Subject: [PATCH] Security: backport SMTP injection fix
* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
CR or LF is included in a line, because they are not allowed in
RFC5321.
https://hackerone.com/reports/137631
---
ChangeLog | 6 ++++++
lib/net/smtp.rb | 9 +++++++++
test/net/smtp/test_smtp.rb | 47 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 62 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index ab9a6bf18281..5176d362881b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+Sun Jun 11 21:25:09 2017 Shugo Maeda <shugo@ruby-lang.org>
+
+ * lib/net/smtp.rb (getok, get_response): raise an ArgumentError when
+ CR or LF is included in a line, because they are not allowed in
+ RFC5321. https://hackerone.com/reports/137631 [Backport 0827a7e]
+
Wed Jul 5 15:55:35 2017 NAKAMURA Usaku <usa@ruby-lang.org>
* ext/openssl/ossl_cipher.c: remove the encryption key initialization
diff --git a/lib/net/smtp.rb b/lib/net/smtp.rb
index d634274c3ee8..78f2181d2a8b 100644
--- a/lib/net/smtp.rb
+++ b/lib/net/smtp.rb
@@ -926,7 +926,15 @@ def quit
private
+ def validate_line(line)
+ # A bare CR or LF is not allowed in RFC5321.
+ if /[\r\n]/ =~ line
+ raise ArgumentError, "A line must not contain CR or LF"
+ end
+ end
+
def getok(reqline)
+ validate_line reqline
res = critical {
@socket.writeline reqline
recv_response()
@@ -936,6 +944,7 @@ def getok(reqline)
end
def get_response(reqline)
+ validate_line reqline
@socket.writeline reqline
recv_response()
end
diff --git a/test/net/smtp/test_smtp.rb b/test/net/smtp/test_smtp.rb
index 0edb3419d56e..3bcceb6fc5bb 100644
--- a/test/net/smtp/test_smtp.rb
+++ b/test/net/smtp/test_smtp.rb
@@ -6,6 +6,8 @@
module Net
class TestSMTP < Test::Unit::TestCase
class FakeSocket
+ attr_reader :write_io
+
def initialize out = "250 OK\n"
@write_io = StringIO.new
@read_io = StringIO.new out
@@ -51,5 +53,50 @@ def test_rset
assert smtp.rset
end
+
+ def test_mailfrom
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.mailfrom("foo@example.com").success?
+ assert_equal "MAIL FROM:<foo@example.com>\r\n", sock.write_io.string
+ end
+
+ def test_rcptto
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.rcptto("foo@example.com").success?
+ assert_equal "RCPT TO:<foo@example.com>\r\n", sock.write_io.string
+ end
+
+ def test_auth_plain
+ sock = FakeSocket.new
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, sock
+ assert smtp.auth_plain("foo", "bar").success?
+ assert_equal "AUTH PLAIN AGZvbwBiYXI=\r\n", sock.write_io.string
+ end
+
+ def test_crlf_injection
+ smtp = Net::SMTP.new 'localhost', 25
+ smtp.instance_variable_set :@socket, FakeSocket.new
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\r\nbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\rbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.mailfrom("foo\nbar")
+ end
+
+ assert_raise(ArgumentError) do
+ smtp.rcptto("foo\r\nbar")
+ end
+ end
end
end

35
ruby.spec
View File

@ -1,6 +1,6 @@
%global major_version 2
%global minor_version 3
%global teeny_version 4
%global teeny_version 5
%global major_minor_version %{major_version}.%{minor_version}
%global ruby_version %{major_minor_version}.%{teeny_version}
@ -21,7 +21,7 @@
%endif
%global release 64
%global release 65
%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
# The RubyGems library has to stay out of Ruby directory three, since the
@ -42,7 +42,7 @@
%global json_version 1.8.3.1
%global minitest_version 5.8.5
%global power_assert_version 0.2.6
%global psych_version 2.1.0
%global psych_version 2.1.0.1
%global rake_version 10.4.2
%global rdoc_version 4.2.1
%global net_telnet_version 0.1.1
@ -126,28 +126,6 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch
# hardening features of glibc (rhbz#1361037).
# https://bugs.ruby-lang.org/issues/12666
Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch
# Fix IV Reuse in GCM Mode (CVE-2016-7798).
# https://bugzilla.redhat.com/show_bug.cgi?id=1381527
# https://github.com/ruby/ruby/commit/739782e37a6662fea379e7ef3ec89e851b04b46c
Patch10: ruby-2.3.4-remove-the-encryption-key-initialization.patch
# Fix SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM
# commands in Net::SMTP (CVE-2015-9096).
# https://bugzilla.redhat.com/show_bug.cgi?id=1461848
# https://github.com/ruby/ruby/pull/1647
Patch11: ruby-2.4.0-SMTP-injection-fix.patch
# Fix various RubyGems CVEs:
# an ANSI escape sequence vulnerability (CVE-2017-0899).
# a DoS vulnerability in the query command (CVE-2017-0900).
# a vulnerability in the gem installer that allowed a malicious gem
# to overwrite arbitrary files (CVE-2017-0901).
# a DNS request hijacking vulnerability (CVE-2017-0902).
# https://bugzilla.redhat.com/show_bug.cgi?id=1487591
# https://bugs.ruby-lang.org/issues/13842
Patch12: ruby-2.3.4-Fix-RubyGems-CVEs.patch
# Fix arbitrary heap exposure during a JSON.generate call (CVE-2017-14064).
# https://bugzilla.redhat.com/show_bug.cgi?id=1487553
# https://bugs.ruby-lang.org/issues/13853
Patch13: ruby-2.3.4-Fix-arbitrary-heap-exposure-during-a-JSON.generate-call.patch
# Do not freeze strings in generated .gemspec. This causes regressions
# and FTBFS in Fedora packages. This is revert of:
# https://github.com/rubygems/rubygems/commit/8eda3272d28010c768a05620de776e5a8195c1ae
@ -501,10 +479,6 @@ rm -rf ext/fiddle/libffi*
%patch6 -p1
%patch7 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12
%patch13
%patch100 -p1
# Provide an example of usage of the tapset:
@ -995,6 +969,9 @@ make check TESTS="-v $DISABLE_TESTS"
%{ruby_libdir}/tkextlib
%changelog
* Mon Oct 02 2017 Pavel Valena <pvalena@redhat.com> - 2.3.5-65
- Update to Ruby 2.3.5.
* Wed Sep 06 2017 Vít Ondruch <vondruch@redhat.com> - 2.3.4-64
- Fix ANSI escape sequence vulnerability (rhbz#1487590).
- Fix DoS vulnerability in the query command (rhbz#1487588).

2
sources
View File

@ -1 +1 @@
SHA512 (ruby-2.3.4.tar.xz) = 9e3adc2de6703e50e75db37db2981006d4c69759929d61db6a0d63627cfe5977d0ad66d2c69d7161cfc0c0d1c2cb38e5181a06ccd2790df2f72ec25c2ad01e02
SHA512 (ruby-2.3.5.tar.xz) = c55e3b71241f505b6bbad78b3bd40235064faae3443ca14b77b6356556caed6a0d055dc2e2cd7ebdb5290ab908e06d2b7d68f72469af5017eda4b29664b0d889