
Bug#688275: unblock: jruby/1.5.6-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team:

Please unblock package jruby.  The upload of 1.5.6-4 includes a patch 
for CVE-2011-4838 (#686867).  The debdiff between this package and the
package in wheezy is attached.

Thank you,
tony

unblock jruby/1.5.6-4
diff -Nru jruby-1.5.6/debian/changelog jruby-1.5.6/debian/changelog
--- jruby-1.5.6/debian/changelog	2012-01-16 03:23:20.000000000 +0000
+++ jruby-1.5.6/debian/changelog	2012-09-20 20:38:47.000000000 +0000
@@ -1,3 +1,11 @@
+jruby (1.5.6-4) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch for CVE-2011-4838 (Closes: #686867)
+    - Thanks to Moritz Muehlenhoff
+
+ -- tony mancill <tmancill@debian.org>  Thu, 20 Sep 2012 13:36:31 -0700
+
 jruby (1.5.6-3) unstable; urgency=low
 
   [Miguel Landaeta]
diff -Nru jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch
--- jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch	1970-01-01 00:00:00.000000000 +0000
+++ jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch	2012-09-20 20:38:47.000000000 +0000
@@ -0,0 +1,132 @@
+--- a/src/org/jruby/RubyHash.java
++++ b/src/org/jruby/RubyHash.java
+@@ -809,7 +809,7 @@
+             oldTable[j] = null;
+             while (entry != null) {
+                 RubyHashEntry next = entry.next;
+-                entry.hash = entry.key.hashCode(); // update the hash value
++                entry.hash = hashValue(entry.key.hashCode()); // update the hash value
+                 int i = bucketIndex(entry.hash, newTable.length);
+                 entry.next = newTable[i];
+                 newTable[i] = entry;
+--- a/src/org/jruby/Ruby.java
++++ b/src/org/jruby/Ruby.java
+@@ -269,6 +269,8 @@
+         this.beanManager        = BeanManagerFactory.create(this, config.isManagementEnabled());
+         this.jitCompiler        = new JITCompiler(this);
+         this.parserStats        = new ParserStats(this);
++
++	this.hashSeed = this.random.nextInt();
+         
+         this.beanManager.register(new Config(this));
+         this.beanManager.register(parserStats);
+@@ -3704,6 +3706,10 @@
+     public Set<Script> getJittedMethods() {
+         return jittedMethods;
+     }
++
++    public int getHashSeed() {
++        return hashSeed;
++    }
+     
+     public ExecutorService getExecutor() {
+         return executor;
+@@ -3808,6 +3814,8 @@
+     private long randomSeed = 0;
+     private long randomSeedSequence = 0;
+     private Random random = new Random();
++    /** The runtime-local seed for hash randomization */
++    private int hashSeed = 0;
+ 
+     private final List<EventHook> eventHooks = new Vector<EventHook>();
+     private boolean hasEventHooks;  
+--- a/src/org/jruby/RubyString.java
++++ b/src/org/jruby/RubyString.java
+@@ -91,6 +91,7 @@
+ import org.jruby.runtime.marshal.UnmarshalStream;
+ import org.jruby.util.ByteList;
+ import org.jruby.util.ConvertBytes;
++import org.jruby.util.MurmurHash;
+ import org.jruby.util.Numeric;
+ import org.jruby.util.Pack;
+ import org.jruby.util.Sprintf;
+@@ -1024,11 +1025,11 @@
+     }
+ 
+     private int strHashCode(Ruby runtime) {
++        int hash = MurmurHash.hash32(value.getUnsafeBytes(), value.getBegin(), value.getRealSize(), runtime.getHashSeed());
+         if (runtime.is1_9()) {
+-            return value.hashCode() ^ (value.getEncoding().isAsciiCompatible() && scanForCodeRange() == CR_7BIT ? 0 : value.getEncoding().getIndex());
+-        } else {
+-            return value.hashCode();
++            hash ^= (value.getEncoding().isAsciiCompatible() && scanForCodeRange() == CR_7BIT ? 0 : value.getEncoding().getIndex());
+         }
++        return hash;
+     }
+ 
+     @Override
+--- /dev/null
++++ b/src/org/jruby/util/MurmurHash.java
+@@ -0,0 +1,62 @@
++package org.jruby.util;
++
++public class MurmurHash {
++    // Based on Murmurhash 2.0 Java port at http://dmy999.com/article/50/murmurhash-2-java-port
++    // 2011-12-05: Modified by Hiroshi Nakamura <nahi@ruby-lang.org>
++    // - signature change to use offset
++    //   hash(byte[] data, int seed) to hash(byte[] src, int offset, int length, int seed)
++    // - extract 'm' and 'r' as murmurhash2.0 constants
++
++    // Ported by Derek Young from the C version (specifically the endian-neutral
++    // version) from:
++    //   http://murmurhash.googlepages.com/
++    //
++    // released to the public domain - dmy999@gmail.com
++
++    // 'm' and 'r' are mixing constants generated offline.
++    // They're not really 'magic', they just happen to work well.
++    private static final int MURMUR2_MAGIC = 0x5bd1e995;
++    // CRuby 1.9 uses 16 but original C++ implementation uses 24 with above Magic.
++    private static final int MURMUR2_R = 24;
++
++    @SuppressWarnings("fallthrough")
++    public static int hash32(byte[] src, int offset, int length, int seed) {
++        // Initialize the hash to a 'random' value
++        int h = seed ^ length;
++
++        int i = offset;
++        int len = length;
++        while (len >= 4) {
++            int k = src[i + 0] & 0xFF;
++            k |= (src[i + 1] & 0xFF) << 8;
++            k |= (src[i + 2] & 0xFF) << 16;
++            k |= (src[i + 3] & 0xFF) << 24;
++
++            k *= MURMUR2_MAGIC;
++            k ^= k >>> MURMUR2_R;
++            k *= MURMUR2_MAGIC;
++
++            h *= MURMUR2_MAGIC;
++            h ^= k;
++
++            i += 4;
++            len -= 4;
++        }
++
++        switch (len) {
++        case 3:
++            h ^= (src[i + 2] & 0xFF) << 16;
++        case 2:
++            h ^= (src[i + 1] & 0xFF) << 8;
++        case 1:
++            h ^= (src[i + 0] & 0xFF);
++            h *= MURMUR2_MAGIC;
++        }
++
++        h ^= h >>> 13;
++        h *= MURMUR2_MAGIC;
++        h ^= h >>> 15;
++
++        return h;
++    }
++}
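Review bot: The per-runtime hash seed in the Ruby.java hunk is taken from the existing `java.util.Random` instance (`this.hashSeed = this.random.nextInt();`), which is not a cryptographic generator; if that same instance also backs Ruby-visible `rand` output (the neighbouring `randomSeed`/`randomSeedSequence` fields suggest it is the runtime's general-purpose RNG), its 48-bit state, and hence the seed, could in principle be reconstructed from observed outputs, which weakens the randomization this patch introduces. A dedicated generator costs one line: `this.hashSeed = new java.security.SecureRandom().nextInt();`. Separately, seeded MurmurHash2 is a mitigation rather than a keyed hash designed to resist collision search, and later published analysis found seed-independent collisions for it; a header comment on `hash32` stating that it is not a keyed or cryptographic hash and that a keyed construction (SipHash, which CRuby later adopted) is the intended long-term replacement would help a maintainer. The added seed assignment is also tab-indented where the surrounding Ruby.java constructor uses spaces.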
diff -Nru jruby-1.5.6/debian/patches/series jruby-1.5.6/debian/patches/series
--- jruby-1.5.6/debian/patches/series	2012-01-16 03:23:20.000000000 +0000
+++ jruby-1.5.6/debian/patches/series	2012-09-20 20:38:47.000000000 +0000
@@ -5,3 +5,4 @@
 0005-ignore-test-failures.patch
 0006-do-not-build-InvokeDynamicSupport.java.patch
 0007-use-unversioned-jarjar.jar.patch
+0008-CVE-2011-4838.patch
