Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby1.9.1 I've just uploaded ruby1.9.1/1.9.3.194-2 to unstable. It contains a security fix for CVE-2011-1005, which closes Debian bug #689075. Attached you will find a debdiff against the version currently in wheezy. unblock ruby1.9.1/1.9.3.194-2 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
--- ruby1.9.1-1.9.3.194/debian/changelog 2012-06-02 08:10:26.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/changelog 2012-10-06 16:29:43.000000000 -0300
@@ -1,3 +1,12 @@
+ruby1.9.1 (1.9.3.194-2) unstable; urgency=low
+
+ * debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream;
+ fixes CVE-2011-1005 which was thought of as not affecting the Ruby 1.9.x
+ series (Closes: #689075). Thanks to Tyler Hicks <tyhicks@canonical.com>
+ for reporting the issue.
+
+ -- Antonio Terceiro <terceiro@debian.org> Sat, 06 Oct 2012 16:29:42 -0300
+
 ruby1.9.1 (1.9.3.194-1) unstable; urgency=low
 
 [ Lucas Nussbaum ]
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch
--- ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 1969-12-31 21:00:00.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 2012-10-02 10:06:08.000000000 -0300
@@ -0,0 +1,93 @@
+Description: Prevent untainted strings from being incorrectly tainted
+ This flaw allowed untainted strings to be tainted and modified, even in
+ safe level 4.
+Origin: upstream
+--- a/error.c
++++ b/error.c
+@@ -569,7 +569,6 @@ exc_to_s(VALUE exc)
+
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+ r = rb_String(mesg);
+- OBJ_INFECT(r, exc);
+ return r;
+ }
+
+@@ -853,11 +852,7 @@ name_err_to_s(VALUE exc)
+
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+ StringValue(str);
+- if (str != mesg) {
+- rb_iv_set(exc, "mesg", mesg = str);
+- }
+- OBJ_INFECT(mesg, exc);
+- return mesg;
++ return str;
+ }
+
+ /*
+@@ -988,7 +983,6 @@ name_err_mesg_to_str(VALUE obj)
+ args[2] = d;
+ mesg = rb_f_sprintf(NAME_ERR_MESG_COUNT, args);
+ }
+- OBJ_INFECT(mesg, obj);
+ return mesg;
+ }
+
+--- a/test/ruby/test_exception.rb
++++ b/test/ruby/test_exception.rb
+@@ -333,4 +333,55 @@ end.join
+ load(t.path)
+ end
+ end
++
++ def test_to_s_taintness_propagation
++ for exc in [Exception, NameError]
++ m = "abcdefg"
++ e = exc.new(m)
++ e.taint
++ s = e.to_s
++ assert_equal(false, m.tainted?,
++ "#{exc}#to_s should not propagate taintness")
++ assert_equal(false, s.tainted?,
++ "#{exc}#to_s should not propagate taintness")
++ end
++
++ o = Object.new
++ def o.to_str
++ "foo"
++ end
++ o.taint
++ e = NameError.new(o)
++ s = e.to_s
++ assert_equal(false, s.tainted?)
++ end
++
++ # CVE-2011-1005
++ def test_exception_to_s_should_not_propagate_untrustedness
++ favorite_lang = "Ruby"
++
++ for exc in [Exception, NameError]
++ assert_raise(SecurityError) do
++ lambda {
++ $SAFE = 4
++ exc.new(favorite_lang).to_s
++ favorite_lang.replace("Python")
++ }.call
++ end
++ end
++
++ assert_raise(SecurityError) do
++ lambda {
++ $SAFE = 4
++ o = Object.new
++ o.singleton_class.send(:define_method, :to_str) {
++ favorite_lang
++ }
++ NameError.new(o).to_s
++ favorite_lang.replace("Python")
++ }.call
++ end
++
++ assert_equal("Ruby", favorite_lang)
++ end
+ end
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series 2012-05-27 19:46:34.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/patches/series 2012-09-30 17:40:56.000000000 -0300
@@ -16,3 +16,4 @@
 110829-hurd_dirent_usage.patch
 hurd-path-max.diff
 20120517-r35434.patch
+20120927-cve_2011_1005.patch
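Review bot: The header of debian/patches/20120927-cve_2011_1005.patch records only `Origin: upstream`, with no upstream revision or URL and no bug reference, so the provenance of this security fix cannot be checked from the patch itself. I would extend it to `Origin: upstream, <upstream commit URL>` and add `Bug-Debian: http://bugs.debian.org/689075`; the bug number is the one the changelog entry closes, and the commit URL is a placeholder to be filled in by the uploader. Separately, both added tests call `to_s` on exceptions built directly with `Exception.new` or `NameError.new`, which appears to cover `exc_to_s` and `name_err_to_s` but not the `OBJ_INFECT` removal in `name_err_mesg_to_str`. If that function is only reached for interpreter-raised NameErrors, as its arguments suggest, a test asserting that the message of such an error stays untainted would close the gap.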