From bbb75e646f6804154cab2c290ae599be7cfcb133 Mon Sep 17 00:00:00 2001 From: Mamoru Tasaka Date: Tue, 12 Jan 2010 19:11:19 +0000 Subject: [PATCH] - CVE-2009-4492 ruby WEBrick log escape sequence (bug 554485) --- ruby-1.8.6-p383-mkmf-use-shared.patch | 11 +++ ruby-1.8.6.x-CVE-2009-4492.patch | 134 ++++++++++++++++++++++++++ ruby.spec | 38 +++++++- 3 files changed, 179 insertions(+), 4 deletions(-) create mode 100644 ruby-1.8.6-p383-mkmf-use-shared.patch create mode 100644 ruby-1.8.6.x-CVE-2009-4492.patch diff --git a/ruby-1.8.6-p383-mkmf-use-shared.patch b/ruby-1.8.6-p383-mkmf-use-shared.patch new file mode 100644 index 0000000..fb0e6a5 --- /dev/null +++ b/ruby-1.8.6-p383-mkmf-use-shared.patch @@ -0,0 +1,11 @@ +--- ruby-1.8.6-p383/lib/mkmf.rb.static 2009-03-31 18:19:39.000000000 +0900 ++++ ruby-1.8.6-p383/lib/mkmf.rb 2009-12-09 15:03:19.000000000 +0900 +@@ -275,7 +275,7 @@ + 'LDFLAGS' => "#$LDFLAGS #{ldflags}", + 'LIBPATH' => libpathflag(libpath), + 'LOCAL_LIBS' => "#$LOCAL_LIBS #$libs", +- 'LIBS' => "#$LIBRUBYARG_STATIC #{opt} #$LIBS") ++ 'LIBS' => "#$LIBRUBYARG_SHARED #{opt} #$LIBS") + Config::expand(TRY_LINK.dup, conf) + end + diff --git a/ruby-1.8.6.x-CVE-2009-4492.patch b/ruby-1.8.6.x-CVE-2009-4492.patch new file mode 100644 index 0000000..00fa053 --- /dev/null +++ b/ruby-1.8.6.x-CVE-2009-4492.patch @@ -0,0 +1,134 @@ +Index: lib/webrick/httpstatus.rb +=================================================================== +--- lib/webrick/httpstatus.rb (revision 26273) ++++ lib/webrick/httpstatus.rb (revision 26274) +@@ -12,7 +12,17 @@ + + module HTTPStatus + +- class Status < StandardError; end ++ class Status < StandardError ++ def initialize(message=self.class, *rest) ++ super(AccessLog.escape(message), *rest) ++ end ++ class << self ++ attr_reader :code, :reason_phrase ++ end ++ def code() self::class::code end ++ def reason_phrase() self::class::reason_phrase end ++ alias to_i code ++ end + class Info < Status; end + class Success < Status; end + class Redirect < Status; end +@@ -68,6 +78,7 @@ + CodeToError = {} + + StatusMessage.each{|code, message| ++ message.freeze + var_name = message.gsub(/[ \-]/,'_').upcase + err_name = message.gsub(/[ \-]/,'') + +@@ -79,18 +90,12 @@ + when 500...600; parent = ServerError + end + +- eval %- +- RC_#{var_name} = #{code} +- class #{err_name} < #{parent} +- def self.code() RC_#{var_name} end +- def self.reason_phrase() StatusMessage[code] end +- def code() self::class::code end +- def reason_phrase() self::class::reason_phrase end +- alias to_i code +- end +- - +- +- CodeToError[code] = const_get(err_name) ++ const_set("RC_#{var_name}", code) ++ err_class = Class.new(parent) ++ err_class.instance_variable_set(:@code, code) ++ err_class.instance_variable_set(:@reason_phrase, message) ++ const_set(err_name, err_class) ++ CodeToError[code] = err_class + } + + def reason_phrase(code) +Index: lib/webrick/httprequest.rb +=================================================================== +--- lib/webrick/httprequest.rb (revision 26273) ++++ lib/webrick/httprequest.rb (revision 26274) +@@ -242,11 +242,7 @@ + @raw_header << line + end + end +- begin +- @header = HTTPUtils::parse_header(@raw_header) +- rescue => ex +- raise HTTPStatus::BadRequest, ex.message +- end ++ @header = HTTPUtils::parse_header(@raw_header.join) + end + + def parse_uri(str, scheme="http") +Index: lib/webrick/httpresponse.rb +=================================================================== +--- lib/webrick/httpresponse.rb (revision 26273) ++++ lib/webrick/httpresponse.rb (revision 26274) +@@ -132,7 +132,7 @@ + end + end + +- # Determin the message length (RFC2616 -- 4.4 Message Length) ++ # Determine the message length (RFC2616 -- 4.4 Message Length) + if @status == 304 || @status == 204 || HTTPStatus::info?(@status) + @header.delete('content-length') + @body = "" +Index: lib/webrick/httputils.rb +=================================================================== +--- lib/webrick/httputils.rb (revision 26273) ++++ lib/webrick/httputils.rb (revision 26274) +@@ -128,11 +128,11 @@ + when /^\s+(.*?)\s*\z/om + value = $1 + unless field +- raise "bad header '#{line.inspect}'." ++ raise HTTPStatus::BadRequest, "bad header '#{line}'." + end + header[field][-1] << " " << value + else +- raise "bad header '#{line.inspect}'." ++ raise HTTPStatus::BadRequest, "bad header '#{line}'." + end + } + header.each{|key, values| +Index: lib/webrick/accesslog.rb +=================================================================== +--- lib/webrick/accesslog.rb (revision 26273) ++++ lib/webrick/accesslog.rb (revision 26274) +@@ -53,15 +53,23 @@ + when ?e, ?i, ?n, ?o + raise AccessLogError, + "parameter is required for \"#{spec}\"" unless param +- params[spec][param] || "-" ++ param = params[spec][param] ? escape(param) : "-" + when ?t + params[spec].strftime(param || CLF_TIME_FORMAT) + when ?% + "%" + else +- params[spec] ++ escape(params[spec].to_s) + end + } + end ++ ++ def escape(data) ++ if data.tainted? ++ data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint ++ else ++ data ++ end ++ end + end + end diff --git a/ruby.spec b/ruby.spec index f155269..ab64ef8 100644 --- a/ruby.spec +++ b/ruby.spec @@ -16,7 +16,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 4%{?dist} +Release: 6%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -47,8 +47,11 @@ Patch27: ruby-1.8.6-p287-CVE-2008-5189.patch Patch28: ruby-1.8.6-p287-remove-ssl-rand-range.patch Patch29: ruby-always-use-i386.patch Patch31: ruby-1.8.6-p369-ri-gem_multipath.patch -# Patch from ruby_1_8 branch +# Patch32 from ruby_1_8 branch Patch32: ruby-1.8head-irb-save-history.patch +Patch33: ruby-1.8.6-p383-mkmf-use-shared.patch +# Patch34 already applied in 1.8.6p388 +Patch34: ruby-1.8.6.x-CVE-2009-4492.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -79,12 +82,20 @@ This package includes the libruby, necessary to run Ruby. Summary: A Ruby development environment Group: Development/Languages Requires: %{name}-libs = %{version}-%{release} -Provides: %{name}-libs-static = %{version}-%{release} +#Provides: %{name}-libs-static = %{version}-%{release} %description devel Header files and libraries for building a extension library for the Ruby or an application embedded Ruby. +%package static +Summary: Static libraries for Ruby development environment +Group: Development/Languages +Requires: %{name}-devel = %{version}-%{release} + +%description static +Static libraries for for building a extension library for the +Ruby or an application embedded Ruby. %package tcltk Summary: Tcl/Tk interface for scripting language Ruby @@ -180,6 +191,8 @@ pushd %{name}-%{arcver} %patch29 -p1 %patch31 -p1 %patch32 -p0 +%patch33 -p1 +%patch34 -p0 popd %build @@ -206,6 +219,11 @@ export CFLAGS --disable-rpath \ --with-ruby-prefix=%{_prefix}/lib +# For example ext/socket/extconf.rb uses try_run (for getaddrinfo test), +# which executes conftest and setting LD_LIBRARY_PATH for libruby.so is +# needed. +export LD_LIBRARY_PATH=$(pwd) + make RUBY_INSTALL_NAME=ruby %{?_smp_mflags} COPY="cp -p" %{?_smp_mflags} %ifarch ia64 # Miscompilation? Buggy code? @@ -397,9 +415,13 @@ rm -rf $RPM_BUILD_ROOT %doc %{name}-%{arcver}/README.EXT %lang(ja) %doc %{name}-%{arcver}/README.EXT.ja %{_libdir}/libruby.so -%{_libdir}/libruby-static.a +#%%{_libdir}/libruby-static.a %{_libdir}/ruby/%{rubyxver}/*/*.h +%files static +%defattr(-, root, root, -) +%{_libdir}/libruby-static.a + %files libs %defattr(-, root, root, -) %doc %{name}-%{arcver}/README @@ -542,6 +564,14 @@ rm -rf $RPM_BUILD_ROOT %{_emacs_sitestartdir}/ruby-mode-init.el %changelog +* Wed Jan 13 2010 Mamoru Tasaka - 1.8.6.383-6 +- CVE-2009-4492 ruby WEBrick log escape sequence (bug 554485) + +* Wed Dec 9 2009 Mamoru Tasaka - 1.8.6.383-5 +- Change mkmf.rb to use LIBRUBYARG_SHARED so that have_library() works + without libruby-static.a (bug 428384) +- And move libruby-static.a to -static subpackage + * Thu Oct 29 2009 Mamoru Tasaka - 1.8.6.383-4 - Use bison to regenerate parse.c to keep the original format of error messages (bug 530275 comment 4)