Hello community,
here is the log from the commit of package ruby for openSUSE:11.3
checked in at Fri Mar 4 17:49:45 CET 2011.
--------
--- old-versions/11.3/all/ruby/ruby.changes 2010-07-02 11:50:18.000000000 +0200
+++ 11.3/ruby/ruby.changes 2011-03-04 17:29:32.000000000 +0100
@@ -1,0 +2,22 @@
+Fri Mar 4 16:07:00 UTC 2011 - mrueckert@suse.de
+
+- added ruby-1.8.x_net_http_close_in_rescue.patch
+ Dont call close on nil in case of on exception. (bnc#655136)
+
+-------------------------------------------------------------------
+Thu Mar 3 17:14:51 UTC 2011 - mrueckert@suse.de
+
+- added ruby-1.8.x_exception_tainted_message.patch:
+ Exception#to_s method can be used to trick $SAFE check, which
+ makes a untrusted codes to modify arbitrary strings. (bnc#673750)
+ CVE-2011-1005
+- added ruby-1.8.x_fileutils_symlink_race.patch:
+ A symlink race condition vulnerability was found in
+ FileUtils.remove_entry_secure. The vulnerability allows local
+ users to delete arbitrary files and directories. (bnc#673740)
+ CVE-2011-1004
+- added patch ruby-1.8.x_webrick_charset_issue.patch:
+ fix cross site scripting bug in webrick (bnc#600752)
+ CVE-2010-0541
+
+-------------------------------------------------------------------
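Review bot: Two of the new changelog entries have wording slips that will ship in the package history. `Dont call close on nil in case of on exception.` should read "Don't call close on nil in case of an exception.", and `makes a untrusted codes to modify arbitrary strings` should read "allows untrusted code to modify arbitrary strings". The CVE ids also sit on a line of their own after the bnc reference; putting each one in the same parentheses as its bnc number would keep an entry's identifiers together.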
Package does not exist at destination yet. Using Fallback old-versions/11.3/all/ruby
Destination is old-versions/11.3/UPDATES/all/ruby
calling whatdependson for 11.3-i586
New:
----
ruby-1.8.x_exception_tainted_message.patch
ruby-1.8.x_fileutils_symlink_race.patch
ruby-1.8.x_net_http_close_in_rescue.patch
ruby-1.8.x_webrick_charset_issue.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ruby.spec ++++++
--- /var/tmp/diff_new_pack.Fqhemq/_old 2011-03-04 17:49:19.000000000 +0100
+++ /var/tmp/diff_new_pack.Fqhemq/_new 2011-03-04 17:49:19.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package ruby (Version 1.8.7.p249)
+# spec file for package ruby
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
Name: ruby
Version: 1.8.7.p249
-Release: 5
+Release: 8.<RELEASE2>
#
%define pkg_version 1.8.7
%define patch_level p249
@@ -68,6 +68,10 @@
Patch10: ruby-1.8.x_openssl-1.0.patch
Patch11: ruby-1.8.x_openssl-1.0-tests.patch
Patch12: ruby-1.8.x_yaml2byte.patch
+Patch13: ruby-1.8.x_exception_tainted_message.patch
+Patch14: ruby-1.8.x_webrick_charset_issue.patch
+Patch15: ruby-1.8.x_fileutils_symlink_race.patch
+Patch16: ruby-1.8.x_net_http_close_in_rescue.patch
# vendor ruby files taken from:
# http://svn.macports.org/repository/macports/trunk/dports/lang/ruby/
Source3: site-specific.rb
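Review bot: Patch13 through Patch16 are added without any comment, so the spec file alone does not show which of them are security fixes. A one-line comment above each entry, carrying the bnc number and CVE id already given in ruby.changes, would make later audits of the patch list easier.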
@@ -253,6 +257,10 @@
%patch10
%patch11
%patch12
+%patch13
+%patch14
+%patch15
+%patch16
%if 0%{?with_bleak_house}
for patch in valgrind configure gc ; do
patch -p0 < bleak_house-%{bleak_house_version}/ruby/${patch}.patch
++++++ ruby-1.8.x_exception_tainted_message.patch ++++++
r30903 | shyouhei | 2011-02-18 12:05:02 +0100 (Fri, 18 Feb 2011) | 9 lines
* error.c (exc_to_s): untainted strings can be tainted via
Exception#to_s, which enables attackers to overwrite sane strings.
Reported by: Yusuke Endoh <mame at tsg.ne.jp>.
* error.c (name_err_to_s): ditto.
* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
Test for it.
Index: error.c
===================================================================
--- error.c (revision 30902)
+++ error.c (revision 30903)
@@ -403,7 +403,6 @@
VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
- if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
return mesg;
}
@@ -667,10 +666,9 @@
if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
StringValue(str);
if (str != mesg) {
- rb_iv_set(exc, "mesg", mesg = str);
+ OBJ_INFECT(str, mesg);
}
- if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
- return mesg;
+ return str;
}
/*
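Review bot: In the second error.c hunk, removing `rb_iv_set(exc, "mesg", mesg = str);` means the result of `StringValue(str)` is no longer stored back on the exception, so it is recomputed on every call. That appears intended, given that to_s should no longer modify the exception's stored message, but a short comment above `OBJ_INFECT(str, mesg);` saying so would stop someone reintroducing the write-back later.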
Index: test/ruby/test_exception.rb
===================================================================
--- test/ruby/test_exception.rb (revision 30902)
+++ test/ruby/test_exception.rb (revision 30903)
@@ -184,4 +184,26 @@
assert(false)
end
end
+
+ def test_to_s_taintness_propagation
+ for exc in [Exception, NameError]
+ m = "abcdefg"
+ e = exc.new(m)
+ e.taint
+ s = e.to_s
+ assert_equal(false, m.tainted?,
+ "#{exc}#to_s should not propagate taintness")
+ assert_equal(false, s.tainted?,
+ "#{exc}#to_s should not propagate taintness")
+ end
+
+ o = Object.new
+ def o.to_str
+ "foo"
+ end
+ o.taint
+ e = NameError.new(o)
+ s = e.to_s
+ assert_equal(true, s.tainted?)
+ end
end
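Review bot: The tainted-message case at the end of `test_to_s_taintness_propagation` is exercised only through `NameError.new(o)`, while the loop above it checks both classes only for a tainted exception with an untainted message. Adding an assertion for `Exception.new` with a message string that is itself tainted would pin down that taint carried by the message, as opposed to the exception object, still reaches the result of `to_s` after the exc_to_s change. The final `assert_equal(true, s.tainted?)` also lacks the failure message the other assertions carry.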
++++++ ruby-1.8.x_fileutils_symlink_race.patch ++++++
r30905 | shyouhei | 2011-02-18 12:48:02 +0100 (Fri, 18 Feb 2011) | 7 lines
merge revision(s) 30896:
* lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
race condition in the case where the given path is a directory,
and some other user can move that directory, and create a
symlink while this method is executing.
Reported by: Nicholas Jefferson <nicholas at pythonic.com.au>
Index: lib/fileutils.rb
===================================================================
--- lib/fileutils.rb.orig 2009-06-29 06:21:32.000000000 +0200
+++ lib/fileutils.rb 2011-03-03 18:13:17.026046278 +0100
@@ -657,10 +657,10 @@ module FileUtils
# removing directories. This requires the current process is the
# owner of the removing whole directory tree, or is the super user (root).
#
- # WARNING: You must ensure that *ALL* parent directories are not
- # world writable. Otherwise this method does not work.
- # Only exception is temporary directory like /tmp and /var/tmp,
- # whose permission is 1777.
+ # WARNING: You must ensure that *ALL* parent directories cannot be
+ # moved by other untrusted users. For example, parent directories
+ # should not be owned by untrusted users, and should not be world
+ # writable except when the sticky bit set.
#
# WARNING: Only the owner of the removing directory tree, or Unix super
# user (root) should invoke this method. Otherwise this method does not
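Review bot: The rewritten warning ends with `writable except when the sticky bit set.`, which is missing a verb; "except when the sticky bit is set" reads correctly. The old text named /tmp and /var/tmp with permission 1777 as the concrete exception, and keeping that example next to the sticky-bit wording would help readers who do not know what the sticky bit implies.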
@@ -703,6 +703,11 @@ module FileUtils
end
f.chown euid, -1
f.chmod 0700
+ unless fu_stat_identical_entry?(st, File.lstat(fullpath))
+ # TOC-to-TOU attack?
+ File.unlink fullpath
+ return
+ end
}
# ---- tree root is frozen ----
root = Entry_.new(path)
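Review bot: In the added `unless fu_stat_identical_entry?(st, File.lstat(fullpath))` branch, the method unlinks `fullpath` and returns without raising or reporting anything, so a caller cannot tell a detected swap from a successful removal. Consider raising an error there, or at least documenting the silent return in the method comment. The comment `# TOC-to-TOU attack?` would be clearer as "TOCTOU (time-of-check to time-of-use) race", and since the check sits after `f.chown euid, -1` and `f.chmod 0700`, a note on why those two calls are safe to run before the identity comparison would help.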
++++++ ruby-1.8.x_net_http_close_in_rescue.patch ++++++
------------------------------------------------------------------------
r29524 | naruse | 2010-10-18 03:23:48 +0200 (Mon, 18 Oct 2010) | 2 lines
* lib/net/http.rb (transport_request): @socket may be nil.
patched by Egbert Eich [ruby-core:32829]
------------------------------------------------------------------------
Index: lib/net/http.rb
===================================================================
--- lib/net/http.rb.orig 2009-11-19 07:32:19.000000000 +0100
+++ lib/net/http.rb 2011-03-04 17:06:02.250249619 +0100
@@ -1057,7 +1057,7 @@ module Net #:nodoc:
res
rescue => exception
D "Conn close because of error #{exception}"
- @socket.close unless @socket.closed?
+ @socket.close if @socket and not @socket.closed?
raise exception
end
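Review bot: The nil guard in `@socket.close if @socket and not @socket.closed?` addresses the case named in the commit message, but the patch touches only lib/net/http.rb and adds no test for an exception raised while `@socket` is still nil. A regression test for that path would keep the rescue clause from replacing the original exception with a NoMethodError on nil again.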
++++++ ruby-1.8.x_webrick_charset_issue.patch ++++++
Sun Aug 15 19:59:58 2010 Yuki Sonoda (Yugui)