Hi Miguel,

I have prepared security updates for Jessie and Stretch. Unfortunately I discovered that jruby in Jessie FTBFS at the moment. This is unrelated to the patches. Do you know how to resolve that?

generate-method-classes:

_gmc_internal_:
     [echo] Generating invokers...
     [java] Exception in thread "main" java.lang.ClassFormatError: Duplicate method name&signature in class file org/jruby/RubyFixnum$i_method_multi$RUBYINVOKER$to_s
     [java]         at java.lang.ClassLoader.defineClass1(Native Method)
     [java]         at java.lang.ClassLoader.defineClass(ClassLoader.java:803)
     [java]         at org.jruby.util.JRubyClassLoader.defineClass(JRubyClassLoader.java:39)
     [java]         at org.jruby.internal.runtime.methods.DumpingInvocationMethodFactory.endClass(DumpingInvocationMethodFactory.java:64)
     [java]         at org.jruby.internal.runtime.methods.InvocationMethodFactory.getAnnotatedMethodClass(InvocationMethodFactory.java:721)
     [java]         at org.jruby.anno.InvokerGenerator.main(InvokerGenerator.java:45)

I'm attaching the stretch debdiff to this bug report and pushing the patches for Jessie.

Cheers,

Markus
diff -Nru jruby-1.7.26/debian/changelog jruby-1.7.26/debian/changelog --- jruby-1.7.26/debian/changelog 2016-11-12 21:33:13.000000000 +0100 +++ jruby-1.7.26/debian/changelog 2018-04-29 22:24:33.000000000 +0200 @@ -1,3 +1,25 @@ +jruby (1.7.26-1+deb9u1) stretch-security; urgency=high + + * Team upload. + * Fix CVE-2018-1000073: Directory Traversal vulnerability in install_location + function of package.rb that can result in path traversal when writing to a + symlinked basedir outside of the root. + * Fix CVE-2018-1000074: possible Unsafe Object Deserialization Vulnerability + in gem owner. + * Fix CVE-2018-1000075: Strictly interpret octal fields in tar headers to + avoid infinite loop + * Fix CVE-2018-1000076: Raise a security error when there are duplicate + files in a package + * Fix CVE-2018-1000077: Enforce URL validation on spec homepage attribute. + * Fix CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute + when displayed via gem server. + * Fix CVE-2018-1000079: Directory Traversal vulnerability in gem installation + that can result in writing to arbitrary filesystem locations during + installation of malicious gems. + (Closes: #895778) + + -- Markus Koschany <a...@debian.org> Sun, 29 Apr 2018 22:24:33 +0200 + jruby (1.7.26-1) unstable; urgency=medium * Team upload. diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000073.patch jruby-1.7.26/debian/patches/CVE-2018-1000073.patch --- jruby-1.7.26/debian/patches/CVE-2018-1000073.patch 1970-01-01 01:00:00.000000000 +0100 +++ jruby-1.7.26/debian/patches/CVE-2018-1000073.patch 2018-04-29 22:24:33.000000000 +0200 
@@ -0,0 +1,23 @@ +From: Markus Koschany <a...@debian.org> +Date: Sun, 29 Apr 2018 21:29:28 +0200 +Subject: CVE-2018-1000073 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778 +Origin: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2 +--- + lib/ruby/shared/rubygems/package.rb | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/ruby/shared/rubygems/package.rb b/lib/ruby/shared/rubygems/package.rb +index e8b8b38..25ac814 100644 +--- a/lib/ruby/shared/rubygems/package.rb ++++ b/lib/ruby/shared/rubygems/package.rb +@@ -405,6 +405,8 @@ EOM + destination_dir = File.expand_path destination_dir + + destination = File.join destination_dir, filename ++ destination = File.realpath destination if ++ File.respond_to? :realpath + destination = File.expand_path destination + + raise Gem::Package::PathError.new(destination, destination_dir) unless diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000074.patch jruby-1.7.26/debian/patches/CVE-2018-1000074.patch --- jruby-1.7.26/debian/patches/CVE-2018-1000074.patch 1970-01-01 01:00:00.000000000 +0100 +++ jruby-1.7.26/debian/patches/CVE-2018-1000074.patch 2018-04-29 22:24:33.000000000 +0200 
@@ -0,0 +1,23 @@ +From: Markus Koschany <a...@debian.org> +Date: Sun, 29 Apr 2018 21:11:01 +0200 +Subject: CVE-2018-1000074 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778 +Origin: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d +--- + lib/ruby/shared/rubygems/commands/owner_command.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ruby/shared/rubygems/commands/owner_command.rb b/lib/ruby/shared/rubygems/commands/owner_command.rb +index 322bf65..c5416f8 100644 +--- a/lib/ruby/shared/rubygems/commands/owner_command.rb ++++ b/lib/ruby/shared/rubygems/commands/owner_command.rb +@@ -61,7 +61,7 @@ permission to. + end + + with_response response do |resp| +- owners = YAML.load resp.body ++ owners = Gem::SafeYAML.load resp.body + + say "Owners for gem: #{name}" + owners.each do |owner| diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000075.patch jruby-1.7.26/debian/patches/CVE-2018-1000075.patch --- jruby-1.7.26/debian/patches/CVE-2018-1000075.patch 1970-01-01 01:00:00.000000000 +0100 +++ jruby-1.7.26/debian/patches/CVE-2018-1000075.patch 2018-04-29 22:24:33.000000000 +0200 
@@ -0,0 +1,85 @@ +From: Markus Koschany <a...@debian.org> +Date: Sun, 29 Apr 2018 21:34:44 +0200 +Subject: CVE-2018-1000075 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778 +Origin: https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83 +--- + lib/ruby/shared/rubygems/package/tar_header.rb | 23 +++++++++++++--------- + .../rubygems/test_gem_package_tar_header.rb | 20 +++++++++++++++++++ + 2 files changed, 34 insertions(+), 9 deletions(-) + +diff --git a/lib/ruby/shared/rubygems/package/tar_header.rb b/lib/ruby/shared/rubygems/package/tar_header.rb +index f9ab13a..9b457ec 100644 +--- a/lib/ruby/shared/rubygems/package/tar_header.rb ++++ b/lib/ruby/shared/rubygems/package/tar_header.rb +@@ -103,25 +103,30 @@ class Gem::Package::TarHeader + fields = header.unpack UNPACK_FORMAT + + new :name => fields.shift, +- :mode => fields.shift.oct, +- :uid => fields.shift.oct, +- :gid => fields.shift.oct, +- :size => fields.shift.oct, +- :mtime => fields.shift.oct, +- :checksum => fields.shift.oct, ++ :mode => strict_oct(fields.shift), ++ :uid => strict_oct(fields.shift), ++ :gid => strict_oct(fields.shift), ++ :size => strict_oct(fields.shift), ++ :mtime => strict_oct(fields.shift), ++ :checksum => strict_oct(fields.shift), + :typeflag => fields.shift, + :linkname => fields.shift, + :magic => fields.shift, +- :version => fields.shift.oct, ++ :version => strict_oct(fields.shift), + :uname => fields.shift, + :gname => fields.shift, +- :devmajor => fields.shift.oct, +- :devminor => fields.shift.oct, ++ :devmajor => strict_oct(fields.shift), ++ :devminor => strict_oct(fields.shift), + :prefix => fields.shift, + + :empty => empty + end + ++ def self.strict_oct(str) ++ return str.oct if str =~ /\A[0-7]*\z/ ++ raise ArgumentError, "#{str.inspect} is not an octal string" ++ end ++ + ## + # Creates a new TarHeader using +vals+ + +diff --git a/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb 
b/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb +index 5d85543..0ddb440 100644 +--- a/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb ++++ b/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb +@@ -126,5 +126,25 @@ group\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000 + assert_equal '012467', @tar_header.checksum + end + ++ def test_from_bad_octal ++ test_cases = [ ++ "00000006,44\000", # bogus character ++ "00000006789\000", # non-octal digit ++ "+0000001234\000", # positive sign ++ "-0000001000\000", # negative sign ++ "0x000123abc\000", # radix prefix ++ ] ++ ++ test_cases.each do |val| ++ header_s = @tar_header.to_s ++ # overwrite the size field ++ header_s[124, 12] = val ++ io = TempIO.new header_s ++ assert_raises ArgumentError do ++ new_header = Gem::Package::TarHeader.from io ++ end ++ end ++ end ++ + end + diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000076.patch jruby-1.7.26/debian/patches/CVE-2018-1000076.patch --- jruby-1.7.26/debian/patches/CVE-2018-1000076.patch 1970-01-01 01:00:00.000000000 +0100 +++ jruby-1.7.26/debian/patches/CVE-2018-1000076.patch 2018-04-29 22:24:33.000000000 +0200 
@@ -0,0 +1,78 @@ +From: Markus Koschany <a...@debian.org> +Date: Sun, 29 Apr 2018 21:39:35 +0200 +Subject: CVE-2018-1000076 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778 +Origin: https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693 +--- + lib/ruby/shared/rubygems/package.rb | 4 ++++ + lib/ruby/shared/rubygems/package/tar_writer.rb | 2 ++ + .../rubygems/test_gem_package_tar_output.rb | 27 ++++++++++++++++++++++ + 3 files changed, 33 insertions(+) + +diff --git a/lib/ruby/shared/rubygems/package.rb b/lib/ruby/shared/rubygems/package.rb +index 25ac814..42b753c 100644 +--- a/lib/ruby/shared/rubygems/package.rb ++++ b/lib/ruby/shared/rubygems/package.rb +@@ -589,6 +589,10 @@ EOM + raise Gem::Package::FormatError.new \ + 'package content (data.tar.gz) is missing', @gem + end ++ ++ if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any? ++ raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})" ++ end + end + + ## +diff --git a/lib/ruby/shared/rubygems/package/tar_writer.rb b/lib/ruby/shared/rubygems/package/tar_writer.rb +index dfd6357..59bb476 100644 +--- a/lib/ruby/shared/rubygems/package/tar_writer.rb ++++ b/lib/ruby/shared/rubygems/package/tar_writer.rb +@@ -195,6 +195,8 @@ class Gem::Package::TarWriter + digest_name == signer.digest_name + end + ++ raise "no #{signer.digest_name} in #{digests.values.compact}" unless signature_digest ++ + if signer.key then + signature = signer.sign signature_digest.digest + +diff --git a/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb b/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb +index ecf25ef..c8b500f 100644 +--- a/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb ++++ b/test/externals/ruby1.9/rubygems/test_gem_package_tar_output.rb +@@ -48,6 +48,33 @@ class TestGemPackageTarOutput < Gem::Package::TarTestCase + gz.close if gz + end 
+ ++ def test_verify_duplicate_file ++ FileUtils.mkdir_p 'lib' ++ FileUtils.touch 'lib/code.rb' ++ ++ build = Gem::Package.new @gem ++ build.spec = @spec ++ build.setup_signer ++ open @gem, 'wb' do |gem_io| ++ Gem::Package::TarWriter.new gem_io do |gem| ++ build.add_metadata gem ++ build.add_contents gem ++ ++ gem.add_file_simple 'a.sig', 0444, 0 ++ gem.add_file_simple 'a.sig', 0444, 0 ++ end ++ end ++ ++ package = Gem::Package.new @gem ++ ++ e = assert_raises Gem::Security::Exception do ++ package.verify ++ end ++ ++ assert_equal 'duplicate files in the package: ("a.sig")', e.message ++ end ++ ++ + if defined? OpenSSL then + def test_self_open_signed + @private_key = File.expand_path('test/rubygems/private_key.pem', @@project_dir) diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000077.patch jruby-1.7.26/debian/patches/CVE-2018-1000077.patch --- jruby-1.7.26/debian/patches/CVE-2018-1000077.patch 1970-01-01 01:00:00.000000000 +0100 +++ jruby-1.7.26/debian/patches/CVE-2018-1000077.patch 2018-04-29 22:24:33.000000000 +0200 
@@ -0,0 +1,68 @@ +From: Markus Koschany <a...@debian.org> +Date: Sun, 29 Apr 2018 21:41:01 +0200 +Subject: CVE-2018-1000077 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778 +Origin: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964 +--- + lib/ruby/shared/rubygems/specification.rb | 15 +++++++++++---- + test/externals/ruby1.9/rubygems/test_gem_specification.rb | 13 +++++++++++++ + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/lib/ruby/shared/rubygems/specification.rb b/lib/ruby/shared/rubygems/specification.rb +index eb89c4c..2ef709a 100644 +--- a/lib/ruby/shared/rubygems/specification.rb ++++ b/lib/ruby/shared/rubygems/specification.rb +@@ -13,6 +13,7 @@ require 'rubygems/deprecate' + require 'rubygems/basic_specification' + require 'rubygems/stub_specification' + require 'rubygems/util/stringio' ++require 'uri' + + ## + # The Specification class contains the information for a Gem. Typically +@@ -2601,10 +2602,16 @@ http://opensource.org/licenses/alphabetical + raise Gem::InvalidSpecificationException, "#{lazy} is not a summary" + end + +- if homepage and not homepage.empty? and +- homepage !~ /\A[a-z][a-z\d+.-]*:/i then +- raise Gem::InvalidSpecificationException, +- "\"#{homepage}\" is not a URI" ++ # Make sure a homepage is valid HTTP/HTTPS URI ++ if homepage and not homepage.empty? ++ begin ++ homepage_uri = URI.parse(homepage) ++ unless [URI::HTTP, URI::HTTPS].member? 
homepage_uri.class ++ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI" ++ end ++ rescue URI::InvalidURIError ++ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a URI" ++ end + end + + # Warnings +diff --git a/test/externals/ruby1.9/rubygems/test_gem_specification.rb b/test/externals/ruby1.9/rubygems/test_gem_specification.rb +index aa648c9..5541f7f 100644 +--- a/test/externals/ruby1.9/rubygems/test_gem_specification.rb ++++ b/test/externals/ruby1.9/rubygems/test_gem_specification.rb +@@ -1454,6 +1454,19 @@ end + end + + assert_equal '"over at my cool site" is not a URI', e.message ++ ++ @a1.homepage = 'ftp://rubygems.org' ++ ++ e = assert_raises Gem::InvalidSpecificationException do ++ @a1.validate ++ end ++ ++ assert_equal '"ftp://rubygems.org" is not a URI', e.message ++ ++ @a1.homepage = 'http://rubygems.org' ++ ++ assert_equal true, @a1.validate ++ + end + end + diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000078.patch jruby-1.7.26/debian/patches/CVE-2018-1000078.patch --- jruby-1.7.26/debian/patches/CVE-2018-1000078.patch 1970-01-01 01:00:00.000000000 +0100 +++ jruby-1.7.26/debian/patches/CVE-2018-1000078.patch 2018-04-29 22:24:33.000000000 +0200 
@@ -0,0 +1,23 @@ +From: Markus Koschany <a...@debian.org> +Date: Sun, 29 Apr 2018 21:41:43 +0200 +Subject: CVE-2018-1000078 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778 +Origin: https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb +--- + lib/ruby/shared/rubygems/server.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ruby/shared/rubygems/server.rb b/lib/ruby/shared/rubygems/server.rb +index 7655be2..aa9604d 100644 +--- a/lib/ruby/shared/rubygems/server.rb ++++ b/lib/ruby/shared/rubygems/server.rb +@@ -634,7 +634,7 @@ div.method-source-code pre { color: #ffdead; overflow: hidden; } + "only_one_executable" => (executables && executables.size == 1), + "full_name" => spec.full_name, + "has_deps" => !deps.empty?, +- "homepage" => spec.homepage, ++ "homepage" => (URI.parse(spec.homepage).is_a?(URI::HTTP) || URI.parse(spec.homepage).is_a?(URI::HTTPS)) ? spec.homepage : ".", + "name" => spec.name, + "rdoc_installed" => Gem::RDoc.new(spec).rdoc_installed?, + "ri_installed" => Gem::RDoc.new(spec).ri_installed?, diff -Nru jruby-1.7.26/debian/patches/CVE-2018-1000079.patch jruby-1.7.26/debian/patches/CVE-2018-1000079.patch --- jruby-1.7.26/debian/patches/CVE-2018-1000079.patch 1970-01-01 01:00:00.000000000 +0100 +++ jruby-1.7.26/debian/patches/CVE-2018-1000079.patch 2018-04-29 22:24:33.000000000 +0200 
@@ -0,0 +1,82 @@ +From: Markus Koschany <a...@debian.org> +Date: Sun, 29 Apr 2018 21:56:44 +0200 +Subject: CVE-2018-1000079 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778 +Origin: https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099 +Origin: https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759 +--- + lib/ruby/shared/rubygems/package.rb | 35 +++++++++++++++++++++++++++++------ + 1 file changed, 29 insertions(+), 6 deletions(-) + +diff --git a/lib/ruby/shared/rubygems/package.rb b/lib/ruby/shared/rubygems/package.rb +index 42b753c..8e5c295 100644 +--- a/lib/ruby/shared/rubygems/package.rb ++++ b/lib/ruby/shared/rubygems/package.rb +@@ -364,7 +364,7 @@ EOM + File.dirname destination + end + +- FileUtils.mkdir_p mkdir, mkdir_options ++ mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name + + open destination, 'wb' do |out| + out.write entry.read +@@ -400,22 +400,35 @@ EOM + raise Gem::Package::PathError.new(filename, destination_dir) if + filename.start_with? '/' + +- destination_dir = File.realpath destination_dir if +- File.respond_to? :realpath ++ destination_dir = realpath destination_dir + destination_dir = File.expand_path destination_dir + + destination = File.join destination_dir, filename +- destination = File.realpath destination if +- File.respond_to? :realpath + destination = File.expand_path destination + + raise Gem::Package::PathError.new(destination, destination_dir) unless +- destination.start_with? destination_dir ++ destination.start_with? 
destination_dir + '/' + + destination.untaint + destination + end + ++ def mkdir_p_safe mkdir, mkdir_options, destination_dir, file_name ++ destination_dir = realpath File.expand_path(destination_dir) ++ parts = mkdir.split(File::SEPARATOR) ++ parts.reduce do |path, basename| ++ path = realpath path unless path == "" ++ path = File.expand_path(path + File::SEPARATOR + basename) ++ lstat = File.lstat path rescue nil ++ if !lstat || !lstat.directory? ++ unless path.start_with? destination_dir and (FileUtils.mkdir path, mkdir_options rescue false) ++ raise Gem::Package::PathError.new(file_name, destination_dir) ++ end ++ end ++ path ++ end ++ end ++ + ## + # Loads a Gem::Specification from the TarEntry +entry+ + +@@ -606,6 +619,16 @@ EOM + raise Gem::Package::FormatError.new(e.message, entry.full_name) + end + ++ if File.respond_to? :realpath ++ def realpath file ++ File.realpath file ++ end ++ else ++ def realpath file ++ file ++ end ++ end ++ + end + + require 'rubygems/package/digest_io' diff -Nru jruby-1.7.26/debian/patches/series jruby-1.7.26/debian/patches/series --- jruby-1.7.26/debian/patches/series 2016-11-12 21:27:48.000000000 +0100 +++ jruby-1.7.26/debian/patches/series 2018-04-29 22:24:33.000000000 +0200 @@ -8,3 +8,10 @@ 0010-Disable-maven-invoker-plugin.patch 0011-Snakeyaml-1.17-compatibility.patch 0012-Disable-outdated-specs.patch +CVE-2018-1000073.patch +CVE-2018-1000074.patch +CVE-2018-1000075.patch +CVE-2018-1000076.patch +CVE-2018-1000077.patch +CVE-2018-1000078.patch +CVE-2018-1000079.patch