Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Dear Release Team: Please unblock package jruby. The upload of 1.5.6-4 includes a patch for CVE-2011-4838 (#686867). The debdiff between this package and the package in wheezy is attached. Thank you, tony unblock jruby/1.5.6-4
diff -Nru jruby-1.5.6/debian/changelog jruby-1.5.6/debian/changelog
--- jruby-1.5.6/debian/changelog 2012-01-16 03:23:20.000000000 +0000
+++ jruby-1.5.6/debian/changelog 2012-09-20 20:38:47.000000000 +0000
@@ -1,3 +1,11 @@
+jruby (1.5.6-4) unstable; urgency=medium
+
+ * Team upload.
+ * Add patch for CVE-2011-4838 (Closes: #686867)
+ - Thanks to Moritz Muehlenhoff
+
+ -- tony mancill <tmancill@debian.org> Thu, 20 Sep 2012 13:36:31 -0700
+
 jruby (1.5.6-3) unstable; urgency=low
 
 [Miguel Landaeta]
diff -Nru jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch
--- jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch 1970-01-01 00:00:00.000000000 +0000
+++ jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch 2012-09-20 20:38:47.000000000 +0000
@@ -0,0 +1,132 @@
+--- a/src/org/jruby/RubyHash.java
++++ b/src/org/jruby/RubyHash.java
+@@ -809,7 +809,7 @@
+ oldTable[j] = null;
+ while (entry != null) {
+ RubyHashEntry next = entry.next;
+- entry.hash = entry.key.hashCode(); // update the hash value
++ entry.hash = hashValue(entry.key.hashCode()); // update the hash value
+ int i = bucketIndex(entry.hash, newTable.length);
+ entry.next = newTable[i];
+ newTable[i] = entry;
+--- a/src/org/jruby/Ruby.java
++++ b/src/org/jruby/Ruby.java
+@@ -269,6 +269,8 @@
+ this.beanManager = BeanManagerFactory.create(this, config.isManagementEnabled());
+ this.jitCompiler = new JITCompiler(this);
+ this.parserStats = new ParserStats(this);
++
++ this.hashSeed = this.random.nextInt();
+ 
+ this.beanManager.register(new Config(this));
+ this.beanManager.register(parserStats);
+@@ -3704,6 +3706,10 @@
+ public Set<Script> getJittedMethods() {
+ return jittedMethods;
+ }
++
++ public int getHashSeed() {
++ return hashSeed;
++ }
+ 
+ public ExecutorService getExecutor() {
+ return executor;
+@@ -3808,6 +3814,8 @@
+ private long randomSeed = 0;
+ private long randomSeedSequence = 0;
+ private Random random = new Random();
++ /** The runtime-local seed for hash randomization */
++ private int hashSeed = 0;
+ 
+ private final List<EventHook> eventHooks = new Vector<EventHook>();
+ private boolean hasEventHooks;
+--- a/src/org/jruby/RubyString.java
++++ b/src/org/jruby/RubyString.java
+@@ -91,6 +91,7 @@
+ import org.jruby.runtime.marshal.UnmarshalStream;
+ import org.jruby.util.ByteList;
+ import org.jruby.util.ConvertBytes;
++import org.jruby.util.MurmurHash;
+ import org.jruby.util.Numeric;
+ import org.jruby.util.Pack;
+ import org.jruby.util.Sprintf;
+@@ -1024,11 +1025,11 @@
+ }
+ 
+ private int strHashCode(Ruby runtime) {
++ int hash = MurmurHash.hash32(value.getUnsafeBytes(), value.getBegin(), value.getRealSize(), runtime.getHashSeed());
+ if (runtime.is1_9()) {
+- return value.hashCode() ^ (value.getEncoding().isAsciiCompatible() && scanForCodeRange() == CR_7BIT ? 0 : value.getEncoding().getIndex());
+- } else {
+- return value.hashCode();
++ hash ^= (value.getEncoding().isAsciiCompatible() && scanForCodeRange() == CR_7BIT ? 0 : value.getEncoding().getIndex());
+ }
++ return hash;
+ }
+ 
+ @Override
+--- /dev/null
++++ b/src/org/jruby/util/MurmurHash.java
+@@ -0,0 +1,62 @@
++package org.jruby.util;
++
++public class MurmurHash {
++ // Based on Murmurhash 2.0 Java port at http://dmy999.com/article/50/murmurhash-2-java-port
++ // 2011-12-05: Modified by Hiroshi Nakamura <nahi@ruby-lang.org>
++ // - signature change to use offset
++ // hash(byte[] data, int seed) to hash(byte[] src, int offset, int length, int seed)
++ // - extract 'm' and 'r' as murmurhash2.0 constants
++
++ // Ported by Derek Young from the C version (specifically the endian-neutral
++ // version) from:
++ // http://murmurhash.googlepages.com/
++ //
++ // released to the public domain - dmy999@gmail.com
++
++ // 'm' and 'r' are mixing constants generated offline.
++ // They're not really 'magic', they just happen to work well.
++ private static final int MURMUR2_MAGIC = 0x5bd1e995;
++ // CRuby 1.9 uses 16 but original C++ implementation uses 24 with above Magic.
++ private static final int MURMUR2_R = 24;
++
++ @SuppressWarnings("fallthrough")
++ public static int hash32(byte[] src, int offset, int length, int seed) {
++ // Initialize the hash to a 'random' value
++ int h = seed ^ length;
++
++ int i = offset;
++ int len = length;
++ while (len >= 4) {
++ int k = src[i + 0] & 0xFF;
++ k |= (src[i + 1] & 0xFF) << 8;
++ k |= (src[i + 2] & 0xFF) << 16;
++ k |= (src[i + 3] & 0xFF) << 24;
++
++ k *= MURMUR2_MAGIC;
++ k ^= k >>> MURMUR2_R;
++ k *= MURMUR2_MAGIC;
++
++ h *= MURMUR2_MAGIC;
++ h ^= k;
++
++ i += 4;
++ len -= 4;
++ }
++
++ switch (len) {
++ case 3:
++ h ^= (src[i + 2] & 0xFF) << 16;
++ case 2:
++ h ^= (src[i + 1] & 0xFF) << 8;
++ case 1:
++ h ^= (src[i + 0] & 0xFF);
++ h *= MURMUR2_MAGIC;
++ }
++
++ h ^= h >>> 13;
++ h *= MURMUR2_MAGIC;
++ h ^= h >>> 15;
++
++ return h;
++ }
++}
diff -Nru jruby-1.5.6/debian/patches/series jruby-1.5.6/debian/patches/series
--- jruby-1.5.6/debian/patches/series 2012-01-16 03:23:20.000000000 +0000
+++ jruby-1.5.6/debian/patches/series 2012-09-20 20:38:47.000000000 +0000
@@ -5,3 +5,4 @@
 0005-ignore-test-failures.patch
 0006-do-not-build-InvokeDynamicSupport.java.patch
 0007-use-unversioned-jarjar.jar.patch
+0008-CVE-2011-4838.patch
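Review bot: The per-runtime hash seed added in the Ruby.java `@@ -269` hunk is taken from `this.random`, which the `@@ -3808` hunk shows is a plain `java.util.Random`, so the randomization this CVE fix relies on rests on a non-cryptographic generator with time-based default seeding; `java.security.SecureRandom` is the appropriate source for a value that must stay unguessable for the life of the process. The one-line change `this.hashSeed = new SecureRandom().nextInt();` (plus the `java.security.SecureRandom` import in Ruby.java) also decouples the seed from the `random` field, which may be shared with other consumers in the runtime. Separately, seeded MurmurHash2-style functions were later reported to admit collisions independent of the seed, so the seed alone should not be treated as a complete hash-flooding defense; I would note this limitation in the `MurmurHash` class comment. `getHashSeed()` is added as `public` while its only caller in this patch, `RubyString.strHashCode`, is in the same `org.jruby` package, so package-private visibility would narrow who can read the seed. The constructor around `@@ -269` and the `strHashCode` method both start or end outside the visible lines.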