Control: tags 925986 + patch
Control: tags 925986 + pending
Dear maintainer,

I've prepared an NMU for jruby (versioned as 9.1.17.0-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

The reason for this NMU, although there are more open unfixed CVEs, is that we are in line with stretch. CVE-2018-1000073 was fixed in stretch but not for buster, so that would mean in any case a regression from stretch to buster.

Regards,
Salvatore
diff -Nru jruby-9.1.17.0/debian/changelog jruby-9.1.17.0/debian/changelog --- jruby-9.1.17.0/debian/changelog 2019-02-26 10:24:15.000000000 +0100 +++ jruby-9.1.17.0/debian/changelog 2019-05-01 11:25:03.000000000 +0200 @@ -1,3 +1,11 @@ +jruby (9.1.17.0-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Directory traversal vulnerability in install_location (CVE-2018-1000073) + (Closes: #925986) + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 01 May 2019 11:25:03 +0200 + jruby (9.1.17.0-2) unstable; urgency=medium * Annotate the javax.annotation.Generated patch. diff -Nru jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch --- jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch 1970-01-01 01:00:00.000000000 +0100 +++ jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch 2019-05-01 11:23:43.000000000 +0200 
@@ -0,0 +1,25 @@ +From: Jonathan Claudius <jclaud...@mozilla.com> +Date: Wed, 7 Feb 2018 23:54:52 -0500 +Subject: Non-working patch for deducing symlinked base-dirs +Origin: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000073 +Bug-Debian: https://bugs.debian.org/925986 + +--- + +diff --git a/lib/ruby/stdlib/rubygems/package.rb b/lib/ruby/stdlib/rubygems/package.rb +index dede959981e7..cb9c74a0fc07 100644 +--- a/lib/ruby/stdlib/rubygems/package.rb ++++ b/lib/ruby/stdlib/rubygems/package.rb +@@ -421,6 +421,8 @@ EOM + destination_dir = File.expand_path destination_dir + + destination = File.join destination_dir, filename ++ destination = File.realpath destination if ++ File.respond_to? :realpath + destination = File.expand_path destination + + raise Gem::Package::PathError.new(destination, destination_dir) unless +-- +2.20.1 + diff -Nru jruby-9.1.17.0/debian/patches/series jruby-9.1.17.0/debian/patches/series --- jruby-9.1.17.0/debian/patches/series 2019-02-26 10:24:15.000000000 +0100 +++ jruby-9.1.17.0/debian/patches/series 2019-05-01 11:23:50.000000000 +0200 @@ -12,3 +12,4 @@ 0014-FELIX-5430.patch 0015-javax-annotation-Generated.patch 0016-Disable-SkinnyMethodAdapter-test.patch +0017-CVE-2018-1000073.patch
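Review bot: the added `File.realpath destination` in the new 0017-CVE-2018-1000073.patch is applied to the file being extracted, and `File.realpath` raises Errno::ENOENT when its argument does not exist; since install_location computes the destination before the entry is written, a fresh extraction hits a path that is not there yet, so this will break ordinary gem installs rather than only rejecting symlink escapes. The header carried over from upstream says as much ("Subject: Non-working patch for deducing symlinked base-dirs"), so this looks like the intermediate upstream commit rather than the final fix. Suggest canonicalising the base directory instead, i.e. resolving `destination_dir` with `File.realpath` (guarded by the same `File.respond_to? :realpath`) before the `File.join destination_dir, filename`, so the `start_with? destination_dir` check below compares against the real install directory without requiring the target file to exist, and update the Subject/Description line so it describes the Debian fix rather than calling itself non-working.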