Your message dated Fri, 21 Sep 2012 06:16:51 +0100 with message-id <1348204611.9484.17.camel@jacala.jungle.funky-badger.org> and subject line Re: Bug#688275: unblock: jruby/1.5.6-4 has caused the Debian Bug report #688275, regarding unblock: jruby/1.5.6-4 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 688275: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688275 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: jruby/1.5.6-4
- From: tony mancill <tmancill@debian.org>
- Date: Thu, 20 Sep 2012 20:52:04 -0700
- Message-id: <20120921035204.GA29907@boson>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Dear Release Team: Please unblock package jruby. The upload of 1.5.6-4 includes a patch for CVE-2011-4838 (#686867). The debdiff between this package and the package in wheezy is attached. Thank you, tony unblock jruby/1.5.6-4
diff -Nru jruby-1.5.6/debian/changelog jruby-1.5.6/debian/changelog
--- jruby-1.5.6/debian/changelog 2012-01-16 03:23:20.000000000 +0000
+++ jruby-1.5.6/debian/changelog 2012-09-20 20:38:47.000000000 +0000
@@ -1,3 +1,11 @@
+jruby (1.5.6-4) unstable; urgency=medium
+
+ * Team upload.
+ * Add patch for CVE-2011-4838 (Closes: #686867)
+ - Thanks to Moritz Muehlenhoff
+
+ -- tony mancill <tmancill@debian.org> Thu, 20 Sep 2012 13:36:31 -0700
+
 jruby (1.5.6-3) unstable; urgency=low
 
 [Miguel Landaeta]
diff -Nru jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch
--- jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch 1970-01-01 00:00:00.000000000 +0000
+++ jruby-1.5.6/debian/patches/0008-CVE-2011-4838.patch 2012-09-20 20:38:47.000000000 +0000
@@ -0,0 +1,132 @@
+--- a/src/org/jruby/RubyHash.java
++++ b/src/org/jruby/RubyHash.java
+@@ -809,7 +809,7 @@
+ oldTable[j] = null;
+ while (entry != null) {
+ RubyHashEntry next = entry.next;
+- entry.hash = entry.key.hashCode(); // update the hash value
++ entry.hash = hashValue(entry.key.hashCode()); // update the hash value
+ int i = bucketIndex(entry.hash, newTable.length);
+ entry.next = newTable[i];
+ newTable[i] = entry;
+--- a/src/org/jruby/Ruby.java
++++ b/src/org/jruby/Ruby.java
+@@ -269,6 +269,8 @@
+ this.beanManager = BeanManagerFactory.create(this, config.isManagementEnabled());
+ this.jitCompiler = new JITCompiler(this);
+ this.parserStats = new ParserStats(this);
++
++ this.hashSeed = this.random.nextInt();
+ 
+ this.beanManager.register(new Config(this));
+ this.beanManager.register(parserStats);
+@@ -3704,6 +3706,10 @@
+ public Set<Script> getJittedMethods() {
+ return jittedMethods;
+ }
++
++ public int getHashSeed() {
++ return hashSeed;
++ }
+ 
+ public ExecutorService getExecutor() {
+ return executor;
+@@ -3808,6 +3814,8 @@
+ private long randomSeed = 0;
+ private long randomSeedSequence = 0;
+ private Random random = new Random();
++ /** The runtime-local seed for hash randomization */
++ private int hashSeed = 0;
+ 
+ private final List<EventHook> eventHooks = new Vector<EventHook>();
+ private boolean hasEventHooks;
+--- a/src/org/jruby/RubyString.java
++++ b/src/org/jruby/RubyString.java
+@@ -91,6 +91,7 @@
+ import org.jruby.runtime.marshal.UnmarshalStream;
+ import org.jruby.util.ByteList;
+ import org.jruby.util.ConvertBytes;
++import org.jruby.util.MurmurHash;
+ import org.jruby.util.Numeric;
+ import org.jruby.util.Pack;
+ import org.jruby.util.Sprintf;
+@@ -1024,11 +1025,11 @@
+ }
+ 
+ private int strHashCode(Ruby runtime) {
++ int hash = MurmurHash.hash32(value.getUnsafeBytes(), value.getBegin(), value.getRealSize(), runtime.getHashSeed());
+ if (runtime.is1_9()) {
+- return value.hashCode() ^ (value.getEncoding().isAsciiCompatible() && scanForCodeRange() == CR_7BIT ? 0 : value.getEncoding().getIndex());
+- } else {
+- return value.hashCode();
++ hash ^= (value.getEncoding().isAsciiCompatible() && scanForCodeRange() == CR_7BIT ? 0 : value.getEncoding().getIndex());
+ }
++ return hash;
+ }
+ 
+ @Override
+--- /dev/null
++++ b/src/org/jruby/util/MurmurHash.java
+@@ -0,0 +1,62 @@
++package org.jruby.util;
++
++public class MurmurHash {
++ // Based on Murmurhash 2.0 Java port at http://dmy999.com/article/50/murmurhash-2-java-port
++ // 2011-12-05: Modified by Hiroshi Nakamura <nahi@ruby-lang.org>
++ // - signature change to use offset
++ // hash(byte[] data, int seed) to hash(byte[] src, int offset, int length, int seed)
++ // - extract 'm' and 'r' as murmurhash2.0 constants
++
++ // Ported by Derek Young from the C version (specifically the endian-neutral
++ // version) from:
++ // http://murmurhash.googlepages.com/
++ //
++ // released to the public domain - dmy999@gmail.com
++
++ // 'm' and 'r' are mixing constants generated offline.
++ // They're not really 'magic', they just happen to work well.
++ private static final int MURMUR2_MAGIC = 0x5bd1e995;
++ // CRuby 1.9 uses 16 but original C++ implementation uses 24 with above Magic.
++ private static final int MURMUR2_R = 24;
++
++ @SuppressWarnings("fallthrough")
++ public static int hash32(byte[] src, int offset, int length, int seed) {
++ // Initialize the hash to a 'random' value
++ int h = seed ^ length;
++
++ int i = offset;
++ int len = length;
++ while (len >= 4) {
++ int k = src[i + 0] & 0xFF;
++ k |= (src[i + 1] & 0xFF) << 8;
++ k |= (src[i + 2] & 0xFF) << 16;
++ k |= (src[i + 3] & 0xFF) << 24;
++
++ k *= MURMUR2_MAGIC;
++ k ^= k >>> MURMUR2_R;
++ k *= MURMUR2_MAGIC;
++
++ h *= MURMUR2_MAGIC;
++ h ^= k;
++
++ i += 4;
++ len -= 4;
++ }
++
++ switch (len) {
++ case 3:
++ h ^= (src[i + 2] & 0xFF) << 16;
++ case 2:
++ h ^= (src[i + 1] & 0xFF) << 8;
++ case 1:
++ h ^= (src[i + 0] & 0xFF);
++ h *= MURMUR2_MAGIC;
++ }
++
++ h ^= h >>> 13;
++ h *= MURMUR2_MAGIC;
++ h ^= h >>> 15;
++
++ return h;
++ }
++}
diff -Nru jruby-1.5.6/debian/patches/series jruby-1.5.6/debian/patches/series
--- jruby-1.5.6/debian/patches/series 2012-01-16 03:23:20.000000000 +0000
+++ jruby-1.5.6/debian/patches/series 2012-09-20 20:38:47.000000000 +0000
@@ -5,3 +5,4 @@
 0005-ignore-test-failures.patch
 0006-do-not-build-InvokeDynamicSupport.java.patch
 0007-use-unversioned-jarjar.jar.patch
+0008-CVE-2011-4838.patch
Attachment: signature.asc
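Review bot: The seed added in the nested Ruby.java hunk at `+@@ -269,6 +269,8 @@`, `this.hashSeed = this.random.nextInt();`, is drawn from the `private Random random = new Random();` field visible in the `+@@ -3808` hunk, i.e. a `java.util.Random` whose state is recoverable from a handful of observed outputs; if that same instance also feeds script-visible `rand`/`srand` (the adjacent `randomSeed`/`randomSeedSequence` fields suggest it may, though the callers are outside this hunk), an attacker can derive the very seed the collision defence relies on. Taking the seed from `new SecureRandom().nextInt()` (with `import java.security.SecureRandom;`) is a one-line change that removes that dependency. Two related caveats on the same patch: `getHashSeed()` is a public method on the runtime object, so wherever that object is reachable from Ruby code the seed is readable directly, and seeded MurmurHash2 is not collision-resistant against an adaptive attacker (later CRuby releases replaced it with SipHash for exactly this reason), so this backport raises the bar rather than closing the issue class. A Javadoc on `hash32` along the lines of `/** Seeded 32-bit MurmurHash2 over src[offset, offset+length); not a cryptographic hash and not suitable for anything beyond table bucketing. */` would make that contract explicit for future maintainers.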
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: tony mancill <tmancill@debian.org>, 688275-done@bugs.debian.org
- Subject: Re: Bug#688275: unblock: jruby/1.5.6-4
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Fri, 21 Sep 2012 06:16:51 +0100
- Message-id: <1348204611.9484.17.camel@jacala.jungle.funky-badger.org>
- In-reply-to: <20120921035204.GA29907@boson>
- References: <20120921035204.GA29907@boson>
On Thu, 2012-09-20 at 20:52 -0700, tony mancill wrote: > Please unblock package jruby. The upload of 1.5.6-4 includes a patch > for CVE-2011-4838 (#686867). The debdiff between this package and the > package in wheezy is attached. Unblocked; thanks. Regards, Adam
--- End Message ---