Hello community, here is the log from the commit of package ruby for openSUSE:11.2 checked in at Fri Mar 4 17:27:03 CET 2011. -------- --- old-versions/11.2/all/ruby/ruby.changes 2009-08-20 21:20:54.000000000 +0200 +++ 11.2/ruby/ruby.changes 2011-03-03 19:00:10.000000000 +0100 @@ -1,0 +2,18 @@ +Thu Mar 3 17:27:23 UTC 2011 - mrueckert@suse.de + +- added patch ruby-1.8.x_accesslog_escape.patch: + properly escape input from the net (bnc#570616) CVE-2009-4492 +- added ruby-1.8.x_exception_tainted_message.patch: + Exception#to_s method can be used to trick $SAFE check, which + makes a untrusted codes to modify arbitrary strings. (bnc#673750) + CVE-2011-1005 +- added ruby-1.8.x_fileutils_symlink_race.patch: + A symlink race condition vulnerability was found in + FileUtils.remove_entry_secure. The vulnerability allows local + users to delete arbitrary files and directories. (bnc#673740) + CVE-2011-1004 +- added patch ruby-1.8.x_webrick_charset_issue.patch: + fix cross site scripting bug in webrick (bnc#600752) + CVE-2010-0541 + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.2/all/ruby Destination is old-versions/11.2/UPDATES/all/ruby calling whatdependson for 11.2-i586 New: ---- ruby-1.8.x_accesslog_escape.patch ruby-1.8.x_exception_tainted_message.patch ruby-1.8.x_fileutils_symlink_race.patch ruby-1.8.x_webrick_charset_issue.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ruby.spec ++++++ --- /var/tmp/diff_new_pack.G0Rk4Y/_old 2011-03-04 17:26:42.000000000 +0100 +++ /var/tmp/diff_new_pack.G0Rk4Y/_new 2011-03-04 17:26:42.000000000 +0100 
@@ -1,7 +1,7 @@ # -# spec file for package ruby (Version 1.8.7.p72) +# spec file for package ruby # -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,13 +20,13 @@ Name: ruby Version: 1.8.7.p72 -Release: 6 +Release: 7.<RELEASE5> # %define pkg_version 1.8.7 %define patch_level p72 %define rb_ver %(echo %{pkg_version} | sed -e 's/\.[0-9]\+$//') # -License: GPL v2 or later +License: GPLv2+ Group: Development/Languages/Ruby # BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -62,6 +62,10 @@ Patch6: ruby-pedantic-headers.diff Patch7: ruby-1.8.7-p72_vendor_specific.patch Patch8: ruby-1.8.7-p72_topdir.patch +Patch10: ruby-1.8.x_accesslog_escape.patch +Patch11: ruby-1.8.x_webrick_charset_issue.patch +Patch12: ruby-1.8.x_exception_tainted_message.patch +Patch13: ruby-1.8.x_fileutils_symlink_race.patch # vendor ruby files taken from: # http://svn.macports.org/repository/macports/trunk/dports/lang/ruby/ Source3: site-specific.rb @@ -111,7 +115,7 @@ Yukihiro Matsumoto <matz@netlab.co.jp> %package devel -License: GPL v2 or later +License: GPLv2+ Group: Development/Languages/Ruby Summary: Development files to link against Ruby Requires: %{name} = %{version} @@ -130,7 +134,7 @@ Yukihiro Matsumoto <matz@netlab.co.jp> %package tk -License: GPL v2 or later +License: GPLv2+ Group: Development/Languages/Ruby Summary: TCL/TK bindings for Ruby Requires: %{name} = %{version} @@ -145,7 +149,7 @@ Yukihiro Matsumoto <matz@netlab.co.jp> %package doc-ri -License: GPL v2 or later +License: GPLv2+ Group: Development/Languages/Ruby Summary: Ruby Interactive Documentation Requires: %{name} = %{version} 
@@ -160,7 +164,7 @@ Yukihiro Matsumoto <matz@netlab.co.jp> %package doc-html -License: GPL v2 or later +License: GPLv2+ Group: Development/Languages/Ruby Summary: This package contains the HTML docs for ruby @@ -174,7 +178,7 @@ Yukihiro Matsumoto <matz@netlab.co.jp> %package examples -License: GPL v2 or later +License: GPLv2+ Group: Development/Languages/Ruby Summary: Example scripts for ruby Requires: %{name} = %{version} @@ -189,7 +193,7 @@ Yukihiro Matsumoto <matz@netlab.co.jp> %package test-suite -License: GPL v2 or later +License: GPLv2+ Group: Development/Languages/Ruby Summary: An Interpreted Object-Oriented Scripting Language @@ -238,6 +242,10 @@ %patch6 %patch7 %patch8 +%patch10 +%patch11 +%patch12 +%patch13 %if 0%{?with_bleak_house} for patch in valgrind configure gc ; do patch -p0 < bleak_house-%{bleak_house_version}/ruby/${patch}.patch ++++++ ruby-1.8.x_accesslog_escape.patch ++++++ Index: lib/webrick/httpstatus.rb =================================================================== --- lib/webrick/httpstatus.rb (revision 26266) +++ lib/webrick/httpstatus.rb (revision 26267) @@ -12,7 +12,17 @@ module HTTPStatus - class Status < StandardError; end + class Status < StandardError + def initialize(message, *rest) + super(AccessLog.escape(message), *rest) + end + class << self + attr_reader :code, :reason_phrase + end + def code() self::class::code end + def reason_phrase() self::class::reason_phrase end + alias to_i code + end class Info < Status; end class Success < Status; end class Redirect < Status; end @@ -68,6 +78,7 @@ CodeToError = {} StatusMessage.each{|code, message| + message.freeze var_name = message.gsub(/[ -]/,'_').upcase err_name = message.gsub(/[ -]/,'') 
@@ -79,18 +90,12 @@ when 500...600; parent = ServerError end - eval %- - RC_#{var_name} = #{code} - class #{err_name} < #{parent} - def self.code() RC_#{var_name} end - def self.reason_phrase() StatusMessage[code] end - def code() self::class::code end - def reason_phrase() self::class::reason_phrase end - alias to_i code - end - - - - CodeToError[code] = const_get(err_name) + const_set("RC_#{var_name}", code) + err_class = Class.new(parent) + err_class.instance_variable_set(:@code, code) + err_class.instance_variable_set(:@reason_phrase, message) + const_set(err_name, err_class) + CodeToError[code] = err_class } def reason_phrase(code) Index: lib/webrick/httprequest.rb =================================================================== --- lib/webrick/httprequest.rb (revision 26266) +++ lib/webrick/httprequest.rb (revision 26267) @@ -242,11 +242,7 @@ @raw_header << line end end - begin - @header = HTTPUtils::parse_header(@raw_header) - rescue => ex - raise HTTPStatus::BadRequest, ex.message - end + @header = HTTPUtils::parse_header(@raw_header.join) end def parse_uri(str, scheme="http") Index: lib/webrick/httputils.rb =================================================================== --- lib/webrick/httputils.rb (revision 26266) +++ lib/webrick/httputils.rb (revision 26267) @@ -128,11 +128,11 @@ when /^\s+(.*?)\s*\z/om value = $1 unless field - raise "bad header '#{line.inspect}'." + raise HTTPStatus::BadRequest, "bad header '#{line}'." end header[field][-1] << " " << value else - raise "bad header '#{line.inspect}'." + raise HTTPStatus::BadRequest, "bad header '#{line}'." end } header.each{|key, values| Index: lib/webrick/accesslog.rb =================================================================== --- lib/webrick/accesslog.rb (revision 26266) +++ lib/webrick/accesslog.rb (revision 26267) 
@@ -53,15 +53,23 @@ when ?e, ?i, ?n, ?o raise AccessLogError, "parameter is required for "#{spec}"" unless param - params[spec][param] || "-" + param = params[spec][param] ? escape(param) : "-" when ?t params[spec].strftime(param || CLF_TIME_FORMAT) when ?% "%" else - params[spec] + escape(params[spec].to_s) end } end + + def escape(data) + if data.tainted? + data.gsub(/[[:cntrl:]\]+/) {$&.dump[1...-1]}.untaint + else + data + end + end end end ++++++ ruby-1.8.x_exception_tainted_message.patch ++++++ r30903 | shyouhei | 2011-02-18 12:05:02 +0100 (Fri, 18 Feb 2011) | 9 lines * error.c (exc_to_s): untainted strings can be tainted via Exception#to_s, which enables attackers to overwrite sane strings. Reported by: Yusuke Endoh <mame at tsg.ne.jp>. * error.c (name_err_to_s): ditto. * test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation): Test for it. Index: error.c =================================================================== --- error.c (revision 30902) +++ error.c (revision 30903) @@ -403,7 +403,6 @@ VALUE mesg = rb_attr_get(exc, rb_intern("mesg")); if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); - if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg); return mesg; } @@ -667,10 +666,9 @@ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); StringValue(str); if (str != mesg) { - rb_iv_set(exc, "mesg", mesg = str); + OBJ_INFECT(str, mesg); } - if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg); - return mesg; + return str; } /* Index: test/ruby/test_exception.rb =================================================================== --- test/ruby/test_exception.rb (revision 30902) +++ test/ruby/test_exception.rb (revision 30903) 
@@ -184,4 +184,26 @@ assert(false) end end + + def test_to_s_taintness_propagation + for exc in [Exception, NameError] + m = "abcdefg" + e = exc.new(m) + e.taint + s = e.to_s + assert_equal(false, m.tainted?, + "#{exc}#to_s should not propagate taintness") + assert_equal(false, s.tainted?, + "#{exc}#to_s should not propagate taintness") + end + + o = Object.new + def o.to_str + "foo" + end + o.taint + e = NameError.new(o) + s = e.to_s + assert_equal(true, s.tainted?) + end end ++++++ ruby-1.8.x_fileutils_symlink_race.patch ++++++ r30905 | shyouhei | 2011-02-18 12:48:02 +0100 (Fri, 18 Feb 2011) | 7 lines merge revision(s) 30896: * lib/fileutils.rb (FileUtils::remove_entry_secure): there is a race condition in the case where the given path is a directory, and some other user can move that directory, and create a symlink while this method is executing. Reported by: Nicholas Jefferson <nicholas at pythonic.com.au> Index: lib/fileutils.rb =================================================================== --- lib/fileutils.rb (revision 30904) +++ lib/fileutils.rb (revision 30905) @@ -668,10 +668,10 @@ # removing directories. This requires the current process is the # owner of the removing whole directory tree, or is the super user (root). # - # WARNING: You must ensure that *ALL* parent directories are not - # world writable. Otherwise this method does not work. - # Only exception is temporary directory like /tmp and /var/tmp, - # whose permission is 1777. + # WARNING: You must ensure that *ALL* parent directories cannot be + # moved by other untrusted users. For example, parent directories + # should not be owned by untrusted users, and should not be world + # writable except when the sticky bit set. # # WARNING: Only the owner of the removing directory tree, or Unix super # user (root) should invoke this method. Otherwise this method does not 
@@ -714,6 +714,11 @@ end f.chown euid, -1 f.chmod 0700 + unless fu_stat_identical_entry?(st, File.lstat(fullpath)) + # TOC-to-TOU attack? + File.unlink fullpath + return + end } # ---- tree root is frozen ---- root = Entry_.new(path) ++++++ ruby-1.8.x_webrick_charset_issue.patch ++++++ Sun Aug 15 19:59:58 2010 Yuki Sonoda (Yugui) <yugui@yugui.jp> * lib/webrick/httpresponse.rb (WEBrick::HTTPResponse#set_error): Fix for possible cross-site scripting (CVE-2010-0541). Found by Apple, reported by Hideki Yamane. Patch by Hirokazu Nishio <nishio.hirokazu AT gmail.com>. Index: lib/webrick/httpresponse.rb =================================================================== --- lib/webrick/httpresponse.rb (revision 29001) +++ lib/webrick/httpresponse.rb (revision 29002) @@ -209,7 +209,7 @@ @keep_alive = false self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR end - @header['content-type'] = "text/html" + @header['content-type'] = "text/html; charset=ISO-8859-1" if respond_to?(:create_error_page) create_error_page() ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
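Review bot: Missing documentation in the ruby.spec hunk that adds `Patch10` through `Patch13`: the Patch lines carry no reference to the bug ids and CVE numbers that the changelog entry gives for them, so the reason for each patch is lost once the spec is read on its own. Suggest a comment above each, e.g. `# bnc#570616 CVE-2009-4492` above `Patch10: ruby-1.8.x_accesslog_escape.patch`, and likewise for Patch11 (CVE-2010-0541), Patch12 (CVE-2011-1005) and Patch13 (CVE-2011-1004). The gap at Patch9 is harmless but worth a one-line note so nobody later assumes a patch went missing.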
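Review bot: Logic problem in the lib/webrick/httpstatus.rb hunk at `@@ -12,7 +12,17 @@`: `def initialize(message, *rest)` makes the message a required argument, so any `raise HTTPStatus::SomeStatus` written without a message (Kernel#raise calls `SomeStatus.exception`, which is `new` with no arguments) now fails with ArgumentError instead of producing that status. Suggest a default that reuses the class's own phrase: `def initialize(message=self.class.reason_phrase, *rest)`. Note also that `AccessLog.escape` (defined in the accesslog.rb hunk) only rewrites tainted strings, so a message assembled from untainted data passes through `super` unchanged; that is what keeps internally generated messages readable, but it means the protection depends on network input staying tainted.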
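Review bot: Behaviour change for subclasses in the lib/webrick/httpstatus.rb hunk at `@@ -79,18 +90,12 @@`: the old `eval` defined `def self.code() RC_... end` as ordinary class methods, which subclasses inherit; the replacement stores `@code` and `@reason_phrase` as class-level instance variables on each generated class, and `attr_reader :code, :reason_phrase` on the singleton class of `Status` reads those. Class-level instance variables are not inherited, so `class MyNotFound < HTTPStatus::NotFound; end` gives `MyNotFound.code == nil`, and `MyNotFound.new("x").code` (via `self::class::code`) is nil as well. Suggest falling back to `superclass.code` when `@code` is nil, or documenting that generated status classes are not meant to be subclassed. The `message.freeze` added in the preceding hunk is what makes storing `message` directly in `@reason_phrase` safe, since `reason_phrase` now hands out that very object.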
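Review bot: Error handling narrows in the lib/webrick/httprequest.rb hunk: the removed `begin ... rescue => ex; raise HTTPStatus::BadRequest, ex.message` turned every failure in `parse_header` into a 400; after the change only the `HTTPStatus::BadRequest` that httputils.rb now raises itself is a 400, and any other exception from header parsing surfaces as a 500. That is acceptable if `parse_header` has no other failure paths, but the hunk does not show them. The argument also changes type, from the `@raw_header` Array to `@raw_header.join` (a String); the httputils.rb hunk starts at line 128 and does not include the top of `parse_header`, so confirm it iterates lines of a String (in Ruby 1.8 `String#each` yields lines including the trailing newline, which would then land in the `"bad header '#{line}'."` message).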
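Review bot: Dropping `.inspect` in the lib/webrick/httputils.rb hunk puts the raw header bytes, control characters and CR/LF included, into the exception message: `raise HTTPStatus::BadRequest, "bad header '#{line}'."`. The only thing that now neutralizes them before they reach the access log is the new `Status#initialize`, and it escapes only tainted strings. Data read from the socket is tainted in 1.8, so the common path is covered, but if the header text is ever untainted before `parse_header` sees it (tests, or a caller that builds headers itself), the bytes go to the log verbatim. Suggest keeping `line.inspect`, which is already a printable rendering, or escaping unconditionally here rather than relying on taint.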
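Review bot: Logic error in the lib/webrick/accesslog.rb hunk at `@@ -53,15 +53,23 @@`: `param = params[spec][param] ? escape(param) : "-"` tests the looked-up value but then escapes and returns `param`, which is the parameter name (for example the header name inside `%{...}i`), not the value. The log would show the name of the header instead of its contents. Suggest `(param = params[spec][param]) ? escape(param) : "-"` so the escaped value is what gets logged. Separately, the character class in `escape` reads `/[[:cntrl:]\]+/` as shown here, which is not a terminated class; the intent is control characters plus backslash, `/[[:cntrl:]\\]+/`, so verify the second backslash survived in the actual patch file. Like the Status change, `escape` returns untainted input untouched, so the whole fix rests on network input remaining tainted through the request pipeline.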
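Review bot: In the error.c `name_err_to_s` hunk the `rb_iv_set(exc, "mesg", mesg = str)` is dropped, so the result of the object's `to_str` is no longer written back into the exception; that is what stops a tainted exception from tainting (and, through the old write-back, aliasing) a caller's string, and it means each `NameError#to_s` call re-runs `to_str`. `OBJ_INFECT(str, mesg)` keeps taint flowing in the safe direction only, from a tainted message object to its stringified form; together with the `exc_to_s` hunk that removes `if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);`, the exception's own taint no longer reaches the message. Worth a one-line comment above `OBJ_INFECT` saying why the write-back was removed, since the next reader will be tempted to restore the caching.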
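Review bot: Test coverage gap in the test/ruby/test_exception.rb hunk: `test_to_s_taintness_propagation` checks an untainted message with a tainted exception (both assertions expect `false`) and a tainted `to_str` object (expects `true`), but not a tainted message string on an untainted exception. Adding that case, `e = exc.new("abc".taint); assert_equal(true, e.to_s.tainted?)`, pins down that the change only removes exception-to-message propagation and does not strip the message's own taint, which the `exc_to_s` hunk returns as-is.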
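Review bot: Grammar in the lib/fileutils.rb documentation hunk: `# writable except when the sticky bit set.` should read `# writable except when the sticky bit is set.` The rewritten warning is otherwise the right statement of the precondition, since the race is about an untrusted user being able to move a parent directory, not only about world-writability.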
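Review bot: In the lib/fileutils.rb code hunk at `@@ -714,6 +714,11 @@` the new `fu_stat_identical_entry?(st, File.lstat(fullpath))` check sits correctly after `f.chown`/`f.chmod`, which act on the open descriptor, but the failure branch is inconsistent: if the directory was swapped for a symlink, `File.unlink fullpath` removes the link and the method silently `return`s, so the caller never learns the tree was not removed; if it was swapped for a real directory, `File.unlink` raises (EPERM or EISDIR) instead. Suggest raising a descriptive error in both cases rather than returning, so callers can distinguish "removed" from "refused". Also spell the comment `# TOCTOU attack?` (time-of-check to time-of-use) rather than `TOC-to-TOU`.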
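Review bot: The lib/webrick/httpresponse.rb hunk pins `"text/html; charset=ISO-8859-1"` on error pages, which stops a browser from guessing a different encoding (the charset-sniffing route to script execution the CVE-2010-0541 note refers to); it is the right minimal fix for `set_error`, but two things are worth recording in the commit: only this one content-type assignment is changed, so any other `text/html` response WEBrick emits without a charset keeps the old behaviour, and the charset label does not itself neutralize reflected markup, so the HTML escaping done in `create_error_page()` (called just below) remains the actual defence and must not be relaxed on the strength of this change.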