Hello community,
here is the log from the commit of package ruby for openSUSE:11.2
checked in at Fri Mar 4 17:27:03 CET 2011.
--------
--- old-versions/11.2/all/ruby/ruby.changes 2009-08-20 21:20:54.000000000 +0200
+++ 11.2/ruby/ruby.changes 2011-03-03 19:00:10.000000000 +0100
@@ -1,0 +2,18 @@
+Thu Mar 3 17:27:23 UTC 2011 - mrueckert@suse.de
+
+- added patch ruby-1.8.x_accesslog_escape.patch:
+ properly escape input from the net (bnc#570616) CVE-2009-4492
+- added ruby-1.8.x_exception_tainted_message.patch:
+ Exception#to_s method can be used to trick $SAFE check, which
+ makes a untrusted codes to modify arbitrary strings. (bnc#673750)
+ CVE-2011-1005
+- added ruby-1.8.x_fileutils_symlink_race.patch:
+ A symlink race condition vulnerability was found in
+ FileUtils.remove_entry_secure. The vulnerability allows local
+ users to delete arbitrary files and directories. (bnc#673740)
+ CVE-2011-1004
+- added patch ruby-1.8.x_webrick_charset_issue.patch:
+ fix cross site scripting bug in webrick (bnc#600752)
+ CVE-2010-0541
+
+-------------------------------------------------------------------
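Review bot: the CVE-2009-4492 entry ("properly escape input from the net") is too vague for a changelog; the patch itself escapes control characters in WEBrick's access-log output and in HTTPStatus exception messages, so say that. The CVE-2011-1005 entry also reads oddly ("makes a untrusted codes to modify arbitrary strings"); "allows untrusted code to modify arbitrary strings" is what is meant. Minor: two entries say "added patch X" and two say "added X"; pick one form.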
Package does not exist at destination yet. Using Fallback old-versions/11.2/all/ruby
Destination is old-versions/11.2/UPDATES/all/ruby
calling whatdependson for 11.2-i586
New:
----
ruby-1.8.x_accesslog_escape.patch
ruby-1.8.x_exception_tainted_message.patch
ruby-1.8.x_fileutils_symlink_race.patch
ruby-1.8.x_webrick_charset_issue.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ruby.spec ++++++
--- /var/tmp/diff_new_pack.G0Rk4Y/_old 2011-03-04 17:26:42.000000000 +0100
+++ /var/tmp/diff_new_pack.G0Rk4Y/_new 2011-03-04 17:26:42.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package ruby (Version 1.8.7.p72)
+# spec file for package ruby
#
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,13 +20,13 @@
Name: ruby
Version: 1.8.7.p72
-Release: 6
+Release: 7.<RELEASE5>
#
%define pkg_version 1.8.7
%define patch_level p72
%define rb_ver %(echo %{pkg_version} | sed -e 's/\\\.[0-9]\\\+$//')
#
-License: GPL v2 or later
+License: GPLv2+
Group: Development/Languages/Ruby
#
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -62,6 +62,10 @@
Patch6: ruby-pedantic-headers.diff
Patch7: ruby-1.8.7-p72_vendor_specific.patch
Patch8: ruby-1.8.7-p72_topdir.patch
+Patch10: ruby-1.8.x_accesslog_escape.patch
+Patch11: ruby-1.8.x_webrick_charset_issue.patch
+Patch12: ruby-1.8.x_exception_tainted_message.patch
+Patch13: ruby-1.8.x_fileutils_symlink_race.patch
# vendor ruby files taken from:
# http://svn.macports.org/repository/macports/trunk/dports/lang/ruby/
Source3: site-specific.rb
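Review bot: the numbering jumps from Patch8 to Patch10 with no Patch9 defined in the adjacent lines, and %prep below applies 6, 7, 8 and then 10. If Patch9 is reserved or was dropped, leave a comment saying so; otherwise renumber the four new tags 9 through 12 so the gap does not look like a missing patch.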
@@ -111,7 +115,7 @@
Yukihiro Matsumoto
%package devel
-License: GPL v2 or later
+License: GPLv2+
Group: Development/Languages/Ruby
Summary: Development files to link against Ruby
Requires: %{name} = %{version}
@@ -130,7 +134,7 @@
Yukihiro Matsumoto
%package tk
-License: GPL v2 or later
+License: GPLv2+
Group: Development/Languages/Ruby
Summary: TCL/TK bindings for Ruby
Requires: %{name} = %{version}
@@ -145,7 +149,7 @@
Yukihiro Matsumoto
%package doc-ri
-License: GPL v2 or later
+License: GPLv2+
Group: Development/Languages/Ruby
Summary: Ruby Interactive Documentation
Requires: %{name} = %{version}
@@ -160,7 +164,7 @@
Yukihiro Matsumoto
%package doc-html
-License: GPL v2 or later
+License: GPLv2+
Group: Development/Languages/Ruby
Summary: This package contains the HTML docs for ruby
@@ -174,7 +178,7 @@
Yukihiro Matsumoto
%package examples
-License: GPL v2 or later
+License: GPLv2+
Group: Development/Languages/Ruby
Summary: Example scripts for ruby
Requires: %{name} = %{version}
@@ -189,7 +193,7 @@
Yukihiro Matsumoto
%package test-suite
-License: GPL v2 or later
+License: GPLv2+
Group: Development/Languages/Ruby
Summary: An Interpreted Object-Oriented Scripting Language
@@ -238,6 +242,10 @@
%patch6
%patch7
%patch8
+%patch10
+%patch11
+%patch12
+%patch13
%if 0%{?with_bleak_house}
for patch in valgrind configure gc ; do
patch -p0 < bleak_house-%{bleak_house_version}/ruby/${patch}.patch
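Review bot: %patch10 through %patch13 rely on the default strip level. The four patches below carry root-relative paths (lib/webrick/..., error.c, lib/fileutils.rb) with no a/ or b/ prefix, so -p0 is correct and matches %patch6 to %patch8 above. They touch disjoint files, so the order of application does not matter.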
++++++ ruby-1.8.x_accesslog_escape.patch ++++++
Index: lib/webrick/httpstatus.rb
===================================================================
--- lib/webrick/httpstatus.rb (revision 26266)
+++ lib/webrick/httpstatus.rb (revision 26267)
@@ -12,7 +12,17 @@
module HTTPStatus
- class Status < StandardError; end
+ class Status < StandardError
+ def initialize(message, *rest)
+ super(AccessLog.escape(message), *rest)
+ end
+ class << self
+ attr_reader :code, :reason_phrase
+ end
+ def code() self::class::code end
+ def reason_phrase() self::class::reason_phrase end
+ alias to_i code
+ end
class Info < Status; end
class Success < Status; end
class Redirect < Status; end
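Review bot: `def initialize(message, *rest)` makes the message mandatory, but StandardError#initialize accepted zero arguments; any caller that raises a status class bare (`raise HTTPStatus::NotFound`, which ends up calling `new` with no arguments) now gets an ArgumentError instead of the intended status. Give the parameter a default, e.g. `def initialize(message=self::class::reason_phrase, *rest)`. Separately, `AccessLog.escape(message)` calls `escape` as a module method, so httpstatus.rb needs accesslog.rb loaded and `escape` exposed via `module_function`; neither is visible in this patch, so check both.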
@@ -68,6 +78,7 @@
CodeToError = {}
StatusMessage.each{|code, message|
+ message.freeze
var_name = message.gsub(/[ \-]/,'_').upcase
err_name = message.gsub(/[ \-]/,'')
@@ -79,18 +90,12 @@
when 500...600; parent = ServerError
end
- eval %-
- RC_#{var_name} = #{code}
- class #{err_name} < #{parent}
- def self.code() RC_#{var_name} end
- def self.reason_phrase() StatusMessage[code] end
- def code() self::class::code end
- def reason_phrase() self::class::reason_phrase end
- alias to_i code
- end
- -
-
- CodeToError[code] = const_get(err_name)
+ const_set("RC_#{var_name}", code)
+ err_class = Class.new(parent)
+ err_class.instance_variable_set(:@code, code)
+ err_class.instance_variable_set(:@reason_phrase, message)
+ const_set(err_name, err_class)
+ CodeToError[code] = err_class
}
def reason_phrase(code)
Index: lib/webrick/httprequest.rb
===================================================================
--- lib/webrick/httprequest.rb (revision 26266)
+++ lib/webrick/httprequest.rb (revision 26267)
@@ -242,11 +242,7 @@
@raw_header << line
end
end
- begin
- @header = HTTPUtils::parse_header(@raw_header)
- rescue => ex
- raise HTTPStatus::BadRequest, ex.message
- end
+ @header = HTTPUtils::parse_header(@raw_header.join)
end
def parse_uri(str, scheme="http")
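Review bot: the replacement passes `@raw_header.join` (a single String) where the removed code passed the Array, so parse_header must now iterate the lines of a String; that side is not in the httputils hunk below, and in 1.8 it only works because `String#each` yields lines (it does not in 1.9). Dropping the `rescue => ex` wrapper also means anything parse_header raises other than HTTPStatus::BadRequest surfaces as a 500 rather than a 400; that is the intent now that httputils raises BadRequest itself, but any remaining bare `raise "..."` in parse_header would change the response status.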
Index: lib/webrick/httputils.rb
===================================================================
--- lib/webrick/httputils.rb (revision 26266)
+++ lib/webrick/httputils.rb (revision 26267)
@@ -128,11 +128,11 @@
when /^\s+(.*?)\s*\z/om
value = $1
unless field
- raise "bad header '#{line.inspect}'."
+ raise HTTPStatus::BadRequest, "bad header '#{line}'."
end
header[field][-1] << " " << value
else
- raise "bad header '#{line.inspect}'."
+ raise HTTPStatus::BadRequest, "bad header '#{line}'."
end
}
header.each{|key, values|
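Review bot: replacing `line.inspect` with `line` puts the raw header line, control characters included, into the exception message and relies on `Status#initialize` to escape it. Per the accesslog hunk, `escape` is a no-op for untainted strings, so this is safe only because data read from a socket is tainted in 1.8 and interpolation propagates taint; if a header line can arrive from an untainted source the escaping is skipped and the old `inspect` behaviour is lost. `raise HTTPStatus::BadRequest` also makes httputils.rb depend on httpstatus.rb; confirm it is required there.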
Index: lib/webrick/accesslog.rb
===================================================================
--- lib/webrick/accesslog.rb (revision 26266)
+++ lib/webrick/accesslog.rb (revision 26267)
@@ -53,15 +53,23 @@
when ?e, ?i, ?n, ?o
raise AccessLogError,
"parameter is required for \"#{spec}\"" unless param
- params[spec][param] || "-"
+ param = params[spec][param] ? escape(param) : "-"
when ?t
params[spec].strftime(param || CLF_TIME_FORMAT)
when ?%
"%"
else
- params[spec]
+ escape(params[spec].to_s)
end
}
end
+
+ def escape(data)
+ if data.tainted?
+ data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
+ else
+ data
+ end
+ end
end
end
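Review bot: `param = params[spec][param] ? escape(param) : "-"` parses as `param = (params[spec][param] ? escape(param) : "-")`, so when the lookup succeeds the block's value is the escaped parameter *name* (the header name used as the `%{...}i` key), not the looked-up value; the removed line returned the value. Use `(param = params[spec][param]) ? escape(param) : "-"`. Also note `escape` only rewrites tainted data and returns it untainted, so strings assembled by server code pass through verbatim; that is fine as long as everything that originates in the request is tainted when it reaches the formatter.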
++++++ ruby-1.8.x_exception_tainted_message.patch ++++++
r30903 | shyouhei | 2011-02-18 12:05:02 +0100 (Fri, 18 Feb 2011) | 9 lines
* error.c (exc_to_s): untainted strings can be tainted via
Exception#to_s, which enables attackers to overwrite sane strings.
Reported by: Yusuke Endoh <mame at tsg.ne.jp>.
* error.c (name_err_to_s): ditto.
* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
Test for it.
Index: error.c
===================================================================
--- error.c (revision 30902)
+++ error.c (revision 30903)
@@ -403,7 +403,6 @@
VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
- if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
return mesg;
}
@@ -667,10 +666,9 @@
if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
StringValue(str);
if (str != mesg) {
- rb_iv_set(exc, "mesg", mesg = str);
+ OBJ_INFECT(str, mesg);
}
- if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
- return mesg;
+ return str;
}
/*
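Review bot: `OBJ_INFECT(str, mesg)` replaces writing the converted string back into the `mesg` ivar, which is the substance of the fix: the old code then tainted `mesg`, i.e. a string the caller may still hold, whenever the exception object was tainted. The trade-off is that `to_str` conversion is redone on every `to_s` call, and taint now flows only from the message object to the returned string, which the `NameError.new(o)` case in the added test checks. A one-line comment would help here, since `OBJ_INFECT`'s (dest, src) argument order is easy to misread.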
Index: test/ruby/test_exception.rb
===================================================================
--- test/ruby/test_exception.rb (revision 30902)
+++ test/ruby/test_exception.rb (revision 30903)
@@ -184,4 +184,26 @@
assert(false)
end
end
+
+ def test_to_s_taintness_propagation
+ for exc in [Exception, NameError]
+ m = "abcdefg"
+ e = exc.new(m)
+ e.taint
+ s = e.to_s
+ assert_equal(false, m.tainted?,
+ "#{exc}#to_s should not propagate taintness")
+ assert_equal(false, s.tainted?,
+ "#{exc}#to_s should not propagate taintness")
+ end
+
+ o = Object.new
+ def o.to_str
+ "foo"
+ end
+ o.taint
+ e = NameError.new(o)
+ s = e.to_s
+ assert_equal(true, s.tainted?)
+ end
end
++++++ ruby-1.8.x_fileutils_symlink_race.patch ++++++
r30905 | shyouhei | 2011-02-18 12:48:02 +0100 (Fri, 18 Feb 2011) | 7 lines
merge revision(s) 30896:
* lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
race condition in the case where the given path is a directory,
and some other user can move that directory, and create a
symlink while this method is executing.
Reported by: Nicholas Jefferson <nicholas at pythonic.com.au>
Index: lib/fileutils.rb
===================================================================
--- lib/fileutils.rb (revision 30904)
+++ lib/fileutils.rb (revision 30905)
@@ -668,10 +668,10 @@
# removing directories. This requires the current process is the
# owner of the removing whole directory tree, or is the super user (root).
#
- # WARNING: You must ensure that *ALL* parent directories are not
- # world writable. Otherwise this method does not work.
- # Only exception is temporary directory like /tmp and /var/tmp,
- # whose permission is 1777.
+ # WARNING: You must ensure that *ALL* parent directories cannot be
+ # moved by other untrusted users. For example, parent directories
+ # should not be owned by untrusted users, and should not be world
+ # writable except when the sticky bit set.
#
# WARNING: Only the owner of the removing directory tree, or Unix super
# user (root) should invoke this method. Otherwise this method does not
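Review bot: the rewritten WARNING is the right requirement (no parent directory may be movable by an untrusted user), but the last clause has a grammar slip: "except when the sticky bit set" should read "except when the sticky bit is set".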
@@ -714,6 +714,11 @@
end
f.chown euid, -1
f.chmod 0700
+ unless fu_stat_identical_entry?(st, File.lstat(fullpath))
+ # TOC-to-TOU attack?
+ File.unlink fullpath
+ return
+ end
}
# ---- tree root is frozen ----
root = Entry_.new(path)
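Review bot: the new check re-reads `File.lstat(fullpath)` by path after `f.chmod 0700` and bails out if the entry is no longer the one stat'ed earlier; `File.unlink` on a path that has become a symlink removes the link itself, never its target, so the fallback is safe. It narrows the window but does not close it: the traversal that follows (`root = Entry_.new(path)`) still operates by path, so a swap after this lstat is not caught, which is why the strengthened WARNING in the previous hunk is required reading. Two small points: the comment `# TOC-to-TOU attack?` should read TOCTOU (time-of-check-to-time-of-use), and `fu_stat_identical_entry?` is relied on but not defined in this patch, so it must already exist in this fileutils.rb.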
++++++ ruby-1.8.x_webrick_charset_issue.patch ++++++
Sun Aug 15 19:59:58 2010 Yuki Sonoda (Yugui)
* lib/webrick/httpresponse.rb (WEBrick::HTTPResponse#set_error):
Fix for possible cross-site scripting (CVE-2010-0541).
Found by Apple, reported by Hideki Yamane.
Patch by Hirokazu Nishio.

Index: lib/webrick/httpresponse.rb
===================================================================
--- lib/webrick/httpresponse.rb (revision 29001)
+++ lib/webrick/httpresponse.rb (revision 29002)
@@ -209,7 +209,7 @@
@keep_alive = false
self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
end
- @header['content-type'] = "text/html"
+ @header['content-type'] = "text/html; charset=ISO-8859-1"
if respond_to?(:create_error_page)
create_error_page()
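Review bot: pinning `charset=ISO-8859-1` stops the browser from guessing the encoding of the error page, which is the charset-sniffing vector CVE-2010-0541 describes, but it is a mitigation layered on escaping, not a substitute: whatever `create_error_page` inserts into the body must still be HTML-escaped, and that method is not in this diff, so check it. The declared charset should also match the bytes actually emitted; if the reason phrase or message can be UTF-8, labelling the page Latin-1 misdescribes it.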
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org