Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby1.9.1 I've just uploaded ruby1.9.1/1.9.3.194-2 to unstable. It contains a security fix for CVE-2011-1005, which closes Debian bug #689075. Attached you will find a debdiff against the version currently in wheezy. unblock ruby1.9.1/1.9.3.194-2 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
--- ruby1.9.1-1.9.3.194/debian/changelog 2012-06-02 08:10:26.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/changelog 2012-10-06 16:29:43.000000000 -0300
@@ -1,3 +1,12 @@
+ruby1.9.1 (1.9.3.194-2) unstable; urgency=low
+
+ * debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream;
+ fixes CVE-2011-1005 which was thought of as not affecting the Ruby 1.9.x
+ series (Closes: #689075). Thanks to Tyler Hicks <tyhicks@canonical.com>
+ for reporting the issue.
+
+ -- Antonio Terceiro <terceiro@debian.org> Sat, 06 Oct 2012 16:29:42 -0300
+
ruby1.9.1 (1.9.3.194-1) unstable; urgency=low
[ Lucas Nussbaum ]
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch
--- ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 1969-12-31 21:00:00.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/patches/20120927-cve_2011_1005.patch 2012-10-02 10:06:08.000000000 -0300
@@ -0,0 +1,93 @@
+Description: Prevent untainted strings from being incorrectly tainted
+ This flaw allowed untainted strings to be tainted and modified, even in
+ safe level 4.
+Origin: upstream
+--- a/error.c
++++ b/error.c
+@@ -569,7 +569,6 @@ exc_to_s(VALUE exc)
+
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+ r = rb_String(mesg);
+- OBJ_INFECT(r, exc);
+ return r;
+ }
+
+@@ -853,11 +852,7 @@ name_err_to_s(VALUE exc)
+
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+ StringValue(str);
+- if (str != mesg) {
+- rb_iv_set(exc, "mesg", mesg = str);
+- }
+- OBJ_INFECT(mesg, exc);
+- return mesg;
++ return str;
+ }
+
+ /*
+@@ -988,7 +983,6 @@ name_err_mesg_to_str(VALUE obj)
+ args[2] = d;
+ mesg = rb_f_sprintf(NAME_ERR_MESG_COUNT, args);
+ }
+- OBJ_INFECT(mesg, obj);
+ return mesg;
+ }
+
+--- a/test/ruby/test_exception.rb
++++ b/test/ruby/test_exception.rb
+@@ -333,4 +333,55 @@ end.join
+ load(t.path)
+ end
+ end
++
++ def test_to_s_taintness_propagation
++ for exc in [Exception, NameError]
++ m = "abcdefg"
++ e = exc.new(m)
++ e.taint
++ s = e.to_s
++ assert_equal(false, m.tainted?,
++ "#{exc}#to_s should not propagate taintness")
++ assert_equal(false, s.tainted?,
++ "#{exc}#to_s should not propagate taintness")
++ end
++
++ o = Object.new
++ def o.to_str
++ "foo"
++ end
++ o.taint
++ e = NameError.new(o)
++ s = e.to_s
++ assert_equal(false, s.tainted?)
++ end
++
++ # CVE-2011-1005
++ def test_exception_to_s_should_not_propagate_untrustedness
++ favorite_lang = "Ruby"
++
++ for exc in [Exception, NameError]
++ assert_raise(SecurityError) do
++ lambda {
++ $SAFE = 4
++ exc.new(favorite_lang).to_s
++ favorite_lang.replace("Python")
++ }.call
++ end
++ end
++
++ assert_raise(SecurityError) do
++ lambda {
++ $SAFE = 4
++ o = Object.new
++ o.singleton_class.send(:define_method, :to_str) {
++ favorite_lang
++ }
++ NameError.new(o).to_s
++ favorite_lang.replace("Python")
++ }.call
++ end
++
++ assert_equal("Ruby", favorite_lang)
++ end
+ end
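Review bot: The patch header at the top of 20120927-cve_2011_1005.patch records only `Origin: upstream`, with no upstream revision or URL, no bug reference and no CVE id in its text, so the backport cannot be checked against the upstream fix from the patch file alone. I would extend it to `Origin: upstream, <upstream revision URL>`, add `Bug-Debian: https://bugs.debian.org/689075`, and name CVE-2011-1005 in the Description. Separately, the two added tests call `to_s` on exceptions built with `Exception.new` and `NameError.new`, which appears to cover `exc_to_s` and `name_err_to_s` only. Nothing visible exercises `name_err_mesg_to_str`, the third function that loses its `OBJ_INFECT` call, so that removal is not verified by the tests shown here.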
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series 2012-05-27 19:46:34.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/patches/series 2012-09-30 17:40:56.000000000 -0300
@@ -16,3 +16,4 @@
110829-hurd_dirent_usage.patch
hurd-path-max.diff
20120517-r35434.patch
+20120927-cve_2011_1005.patch