rpms/ruby
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

- CVE-2009-4492 ruby WEBrick log escape sequence (bug 554485)

Browse Source
This commit is contained in:
Mamoru Tasaka 2010-01-12 19:11:19 +00:00
parent f6e0b7bfc3
commit bbb75e646f
3 changed files with 179 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ruby-1.8.6-p383-mkmf-use-shared.patch Normal file
View File

@ -0,0 +1,11 @@
--- ruby-1.8.6-p383/lib/mkmf.rb.static 2009-03-31 18:19:39.000000000 +0900
+++ ruby-1.8.6-p383/lib/mkmf.rb 2009-12-09 15:03:19.000000000 +0900
@@ -275,7 +275,7 @@
'LDFLAGS' => "#$LDFLAGS #{ldflags}",
'LIBPATH' => libpathflag(libpath),
'LOCAL_LIBS' => "#$LOCAL_LIBS #$libs",
- 'LIBS' => "#$LIBRUBYARG_STATIC #{opt} #$LIBS")
+ 'LIBS' => "#$LIBRUBYARG_SHARED #{opt} #$LIBS")
Config::expand(TRY_LINK.dup, conf)
end

134
ruby-1.8.6.x-CVE-2009-4492.patch Normal file
View File

@ -0,0 +1,134 @@
Index: lib/webrick/httpstatus.rb
===================================================================
--- lib/webrick/httpstatus.rb (revision 26273)
+++ lib/webrick/httpstatus.rb (revision 26274)
@@ -12,7 +12,17 @@
module HTTPStatus
- class Status < StandardError; end
+ class Status < StandardError
+ def initialize(message=self.class, *rest)
+ super(AccessLog.escape(message), *rest)
+ end
+ class << self
+ attr_reader :code, :reason_phrase
+ end
+ def code() self::class::code end
+ def reason_phrase() self::class::reason_phrase end
+ alias to_i code
+ end
class Info < Status; end
class Success < Status; end
class Redirect < Status; end
@@ -68,6 +78,7 @@
CodeToError = {}
StatusMessage.each{|code, message|
+ message.freeze
var_name = message.gsub(/[ \-]/,'_').upcase
err_name = message.gsub(/[ \-]/,'')
@@ -79,18 +90,12 @@
when 500...600; parent = ServerError
end
- eval %-
- RC_#{var_name} = #{code}
- class #{err_name} < #{parent}
- def self.code() RC_#{var_name} end
- def self.reason_phrase() StatusMessage[code] end
- def code() self::class::code end
- def reason_phrase() self::class::reason_phrase end
- alias to_i code
- end
- -
-
- CodeToError[code] = const_get(err_name)
+ const_set("RC_#{var_name}", code)
+ err_class = Class.new(parent)
+ err_class.instance_variable_set(:@code, code)
+ err_class.instance_variable_set(:@reason_phrase, message)
+ const_set(err_name, err_class)
+ CodeToError[code] = err_class
}
def reason_phrase(code)
Index: lib/webrick/httprequest.rb
===================================================================
--- lib/webrick/httprequest.rb (revision 26273)
+++ lib/webrick/httprequest.rb (revision 26274)
@@ -242,11 +242,7 @@
@raw_header << line
end
end
- begin
- @header = HTTPUtils::parse_header(@raw_header)
- rescue => ex
- raise HTTPStatus::BadRequest, ex.message
- end
+ @header = HTTPUtils::parse_header(@raw_header.join)
end
def parse_uri(str, scheme="http")
Index: lib/webrick/httpresponse.rb
===================================================================
--- lib/webrick/httpresponse.rb (revision 26273)
+++ lib/webrick/httpresponse.rb (revision 26274)
@@ -132,7 +132,7 @@
end
end
- # Determin the message length (RFC2616 -- 4.4 Message Length)
+ # Determine the message length (RFC2616 -- 4.4 Message Length)
if @status == 304 || @status == 204 || HTTPStatus::info?(@status)
@header.delete('content-length')
@body = ""
Index: lib/webrick/httputils.rb
===================================================================
--- lib/webrick/httputils.rb (revision 26273)
+++ lib/webrick/httputils.rb (revision 26274)
@@ -128,11 +128,11 @@
when /^\s+(.*?)\s*\z/om
value = $1
unless field
- raise "bad header '#{line.inspect}'."
+ raise HTTPStatus::BadRequest, "bad header '#{line}'."
end
header[field][-1] << " " << value
else
- raise "bad header '#{line.inspect}'."
+ raise HTTPStatus::BadRequest, "bad header '#{line}'."
end
}
header.each{|key, values|
Index: lib/webrick/accesslog.rb
===================================================================
--- lib/webrick/accesslog.rb (revision 26273)
+++ lib/webrick/accesslog.rb (revision 26274)
@@ -53,15 +53,23 @@
when ?e, ?i, ?n, ?o
raise AccessLogError,
"parameter is required for \"#{spec}\"" unless param
- params[spec][param] || "-"
+ param = params[spec][param] ? escape(param) : "-"
when ?t
params[spec].strftime(param || CLF_TIME_FORMAT)
when ?%
"%"
else
- params[spec]
+ escape(params[spec].to_s)
end
}
end
+
+ def escape(data)
+ if data.tainted?
+ data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
+ else
+ data
+ end
+ end
end
end

38
ruby.spec
View File

@ -16,7 +16,7 @@
Name: ruby
Version: %{rubyver}%{?dotpatchlevel}
Release: 4%{?dist}
Release: 6%{?dist}
License: Ruby or GPLv2
URL: http://www.ruby-lang.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -47,8 +47,11 @@ Patch27: ruby-1.8.6-p287-CVE-2008-5189.patch
Patch28: ruby-1.8.6-p287-remove-ssl-rand-range.patch
Patch29: ruby-always-use-i386.patch
Patch31: ruby-1.8.6-p369-ri-gem_multipath.patch
# Patch from ruby_1_8 branch
# Patch32 from ruby_1_8 branch
Patch32: ruby-1.8head-irb-save-history.patch
Patch33: ruby-1.8.6-p383-mkmf-use-shared.patch
# Patch34 already applied in 1.8.6p388
Patch34: ruby-1.8.6.x-CVE-2009-4492.patch
Summary: An interpreter of object-oriented scripting language
Group: Development/Languages
@ -79,12 +82,20 @@ This package includes the libruby, necessary to run Ruby.
Summary: A Ruby development environment
Group: Development/Languages
Requires: %{name}-libs = %{version}-%{release}
Provides: %{name}-libs-static = %{version}-%{release}
#Provides: %{name}-libs-static = %{version}-%{release}
%description devel
Header files and libraries for building a extension library for the
Ruby or an application embedded Ruby.
%package static
Summary: Static libraries for Ruby development environment
Group: Development/Languages
Requires: %{name}-devel = %{version}-%{release}
%description static
Static libraries for for building a extension library for the
Ruby or an application embedded Ruby.
%package tcltk
Summary: Tcl/Tk interface for scripting language Ruby
@ -180,6 +191,8 @@ pushd %{name}-%{arcver}
%patch29 -p1
%patch31 -p1
%patch32 -p0
%patch33 -p1
%patch34 -p0
popd
%build
@ -206,6 +219,11 @@ export CFLAGS
--disable-rpath \
--with-ruby-prefix=%{_prefix}/lib
# For example ext/socket/extconf.rb uses try_run (for getaddrinfo test),
# which executes conftest and setting LD_LIBRARY_PATH for libruby.so is
# needed.
export LD_LIBRARY_PATH=$(pwd)
make RUBY_INSTALL_NAME=ruby %{?_smp_mflags} COPY="cp -p" %{?_smp_mflags}
%ifarch ia64
# Miscompilation? Buggy code?
@ -397,9 +415,13 @@ rm -rf $RPM_BUILD_ROOT
%doc %{name}-%{arcver}/README.EXT
%lang(ja) %doc %{name}-%{arcver}/README.EXT.ja
%{_libdir}/libruby.so
%{_libdir}/libruby-static.a
#%%{_libdir}/libruby-static.a
%{_libdir}/ruby/%{rubyxver}/*/*.h
%files static
%defattr(-, root, root, -)
%{_libdir}/libruby-static.a
%files libs
%defattr(-, root, root, -)
%doc %{name}-%{arcver}/README
@ -542,6 +564,14 @@ rm -rf $RPM_BUILD_ROOT
%{_emacs_sitestartdir}/ruby-mode-init.el
%changelog
* Wed Jan 13 2010 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 1.8.6.383-6
- CVE-2009-4492 ruby WEBrick log escape sequence (bug 554485)
* Wed Dec 9 2009 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 1.8.6.383-5
- Change mkmf.rb to use LIBRUBYARG_SHARED so that have_library() works
without libruby-static.a (bug 428384)
- And move libruby-static.a to -static subpackage
* Thu Oct 29 2009 Mamoru Tasaka <mtasaka@ioa.s.u-tokyo.ac.jp> - 1.8.6.383-4
- Use bison to regenerate parse.c to keep the original format of error
messages (bug 530275 comment 4)