rpms/ruby
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix Command injection in lib/resolv.rb:lazy_initialize()

Browse Source 
https://bugzilla.redhat.com/show_bug.cgi?id=1528226
This commit is contained in:
Pavel Valena 2017-12-21 17:19:13 +01:00
parent b0fc019125
commit d69aee08ce
2 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
ruby-2.4.3-Fix-Command-injection-in-lib-resolv-lazy_initialize.patch Normal file
View File

@ -0,0 +1,29 @@
From e7464561b5151501beb356fc750d5dd1a88014f7 Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 20 Dec 2017 04:18:31 +0000
Subject: [PATCH] Fixed command Injection
* resolv.rb (Resolv::Hosts#lazy_initialize): fixed potential
command Injection in Hosts::new() by use of Kernel#open.
[Fix GH-1777] [ruby-core:84347] [Bug #14205]
From: Drigg3r <drigg3r@yandex.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61349 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
lib/resolv.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/resolv.rb b/lib/resolv.rb
index 1044b95e6810..56183b837d81 100644
--- a/lib/resolv.rb
+++ b/lib/resolv.rb
@@ -188,7 +188,7 @@ def lazy_initialize # :nodoc:
unless @initialized
@name2addr = {}
@addr2name = {}
- open(@filename, 'rb') {|f|
+ File.open(@filename, 'rb') {|f|
f.each {|line|
line.sub!(/#.*/, '')
addr, hostname, *aliases = line.split(/\s+/)

5
ruby.spec
View File

@ -127,6 +127,10 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch
# hardening features of glibc (rhbz#1361037).
# https://bugs.ruby-lang.org/issues/12666
Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch
# Fix: Command injection in lib/resolv.rb:lazy_initialize()
# https://bugzilla.redhat.com/show_bug.cgi?id=1528226
# https://github.com/ruby/ruby/commit/e7464561b5151501beb356fc750d5dd1a88014f7
Patch10: ruby-2.4.3-Fix-Command-injection-in-lib-resolv-lazy_initialize.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Suggests: rubypick
@ -1023,6 +1027,7 @@ make check TESTS="-v $DISABLE_TESTS"
%changelog
* Thu Dec 21 2017 Pavel Valena <pvalena@redhat.com> - 2.4.3-86
- Update to Ruby 2.4.3.
- Fix: Command injection in lib/resolv.rb:lazy_initialize() (rhbz#1528226)
* Fri Oct 27 2017 Jun Aruga <jaruga@redhat.com> - 2.4.2-86
- Improve "with" conditional statement as inline.