Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Hello, I intend to upload a new upstream version of ruby2.1 with the attached debdiff to unstable. It contains fixes for 2 bugs: - Fixes CVE-2014-8090 Another Denial of Service XML Expansion (Closes: #770932) - Fixes build on SPARC (Closes: #769731) Even though it's a new upstream release: - the changes are minimal and are restricted to the above bugs, plus minimal build system changes and portability fixes. - a large part of the debdiff is changelog entries, a version bump, and test suite additions. - having this version in jessie will ease the stable maintainance effort by deviating as little as possible from upstream. Please let me know if you agree with me uploading this. unblock ruby2.1/2.1.5-1 -- System Information: Debian Release: jessie/sid APT prefers buildd-unstable APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>
diff --git a/ChangeLog b/ChangeLog index 19dbbd0..fe76d3d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,50 @@ +Thu Nov 13 22:32:34 2014 CHIKANAGA Tomoyuki <nagachika@ruby-lang.org> + + * lib/rexml/document.rb: add REXML::Document#document. + reported by Tomas Hoger <thoger@redhat.com> and patched by nahi. + +Thu Nov 6 22:57:43 2014 Naohisa Goto <ngotogenome@gmail.com> + + * bignum.c (absint_numwords_generic): set an array element after + definition of a variable to fix compile error with older version + of fcc (Fujitsu C Compiler) 5.6 on Solaris 10 on Sparc. + [Bug #10350] [ruby-dev:48608] + +Thu Nov 6 22:36:55 2014 Naohisa Goto <ngotogenome@gmail.com> + + * compile.c (compile_data_alloc): add padding when strict alignment + is required for memory access. Currently, the padding is enabled + only when the CPU is 32-bit SPARC and the compiler is GCC. + [Bug #9681] [ruby-core:61715] + + * compile.c (STRICT_ALIGNMENT): defined if strict alignment is required + + * compile.c (ALIGNMENT_SIZE, ALIGNMENT_SIZE_MASK, PADDING_SIZE_MAX): + new macros for alignemnt word size, bit mask, max size of padding. + + * compile.c (calc_padding): new function to calculate padding size. + +Wed Nov 5 00:18:22 2014 Nobuyoshi Nakada <nobu@ruby-lang.org> + + * configure.in (__builtin_setjmp): disable with gcc/clang earlier + than 4.3 on Mac OS X. [ruby-core:65174] [Bug #10272] + +Wed Nov 5 00:01:04 2014 Tanaka Akira <akr@fsij.org> + + * bignum.c (bary_mul_balance_with_mulfunc): Fix free work area + location. + [ruby-dev:48723] [Bug #10464] + [ruby-core:66044] [Bug #10465] + Reported by Kohji Nishihama. + +Tue Oct 28 22:30:21 2014 NARUSE, Yui <naruse@ruby-lang.org> + + * configure.in: remove apple-gcc4.2 from CC candidates. + +火 10 28 22:19:44 2014 CHIKANAGA Tomoyuki <nagachika@ruby-lang.org> + + * version.h (RUBY_VERSION): bump RUBY_VERSION to 2.1.5. + Mon Oct 27 20:20:14 2014 NAKAMURA Usaku <usa@ruby-lang.org> * lib/rexml/entity.rb: keep the entity size within the limitation. diff --git a/bignum.c b/bignum.c index b499c0b..27d8d8a 100644 --- a/bignum.c +++ b/bignum.c @@ -1650,7 +1650,7 @@ bary_mul_balance_with_mulfunc(BDIGIT *zds, size_t zn, const BDIGIT *xds, size_t } tds = zds + n; MEMCPY(wds, zds + n, BDIGIT, xn); - mulfunc(tds, tn, xds, xn, yds + n, r, wds-xn, wn-xn); + mulfunc(tds, tn, xds, xn, yds + n, r, wds+xn, wn-xn); bary_add(zds + n, tn, zds + n, tn, wds, xn); @@ -3294,7 +3294,7 @@ absint_numwords_generic(size_t numbytes, int nlz_bits_in_msbyte, size_t word_num static const BDIGIT char_bit[1] = { CHAR_BIT }; BDIGIT numbytes_bary[bdigit_roomof(sizeof(numbytes))]; BDIGIT val_numbits_bary[bdigit_roomof(sizeof(numbytes) + 1)]; - BDIGIT nlz_bits_in_msbyte_bary[1] = { nlz_bits_in_msbyte }; + BDIGIT nlz_bits_in_msbyte_bary[1]; BDIGIT word_numbits_bary[bdigit_roomof(sizeof(word_numbits))]; BDIGIT div_bary[numberof(val_numbits_bary) + BIGDIVREM_EXTRA_WORDS]; BDIGIT mod_bary[numberof(word_numbits_bary)]; @@ -3304,6 +3304,8 @@ absint_numwords_generic(size_t numbytes, int nlz_bits_in_msbyte, size_t word_num int sign; size_t numwords; + nlz_bits_in_msbyte_bary[0] = nlz_bits_in_msbyte; + /* * val_numbits = numbytes * CHAR_BIT - nlz_bits_in_msbyte * div, mod = val_numbits.divmod(word_numbits) diff --git a/compile.c b/compile.c index a76c93b..099c280 100644 --- a/compile.c +++ b/compile.c @@ -583,18 +583,72 @@ rb_iseq_translate_threaded_code(rb_iseq_t *iseq) /* definition of data structure for compiler */ /*********************************************/ +/* + * On 32-bit SPARC, GCC by default generates SPARC V7 code that may require + * 8-byte word alignment. On the other hand, Oracle Solaris Studio seems to + * generate SPARCV8PLUS code with unaligned memory accesss instructions. + * That is why the STRICT_ALIGNMENT is defined only with GCC. + */ +#if defined(__sparc) && SIZEOF_VOIDP == 4 && defined(__GNUC__) + #define STRICT_ALIGNMENT +#endif + +#ifdef STRICT_ALIGNMENT + #if defined(HAVE_TRUE_LONG_LONG) && SIZEOF_LONG_LONG > SIZEOF_VALUE + #define ALIGNMENT_SIZE SIZEOF_LONG_LONG + #else + #define ALIGNMENT_SIZE SIZEOF_VALUE + #endif + #define PADDING_SIZE_MAX ((size_t)((ALIGNMENT_SIZE) - 1)) + #define ALIGNMENT_SIZE_MASK PADDING_SIZE_MAX + /* Note: ALIGNMENT_SIZE == (2 ** N) is expected. */ +#else + #define PADDING_SIZE_MAX 0 +#endif /* STRICT_ALIGNMENT */ + +#ifdef STRICT_ALIGNMENT +/* calculate padding size for aligned memory access */ +static size_t +calc_padding(void *ptr, size_t size) +{ + size_t mis; + size_t padding = 0; + + mis = (size_t)ptr & ALIGNMENT_SIZE_MASK; + if (mis > 0) { + padding = ALIGNMENT_SIZE - mis; + } +/* + * On 32-bit sparc or equivalents, when a single VALUE is requested + * and padding == sizeof(VALUE), it is clear that no padding is needed. + */ +#if ALIGNMENT_SIZE > SIZEOF_VALUE + if (size == sizeof(VALUE) && padding == sizeof(VALUE)) { + padding = 0; + } +#endif + + return padding; +} +#endif /* STRICT_ALIGNMENT */ + static void * compile_data_alloc(rb_iseq_t *iseq, size_t size) { void *ptr = 0; struct iseq_compile_data_storage *storage = iseq->compile_data->storage_current; +#ifdef STRICT_ALIGNMENT + size_t padding = calc_padding((void *)&storage->buff[storage->pos], size); +#else + const size_t padding = 0; /* expected to be optimized by compiler */ +#endif /* STRICT_ALIGNMENT */ - if (storage->pos + size > storage->size) { + if (storage->pos + size + padding > storage->size) { unsigned long alloc_size = storage->size * 2; retry: - if (alloc_size < size) { + if (alloc_size < size + PADDING_SIZE_MAX) { alloc_size *= 2; goto retry; } @@ -606,8 +660,15 @@ compile_data_alloc(rb_iseq_t *iseq, size_t size) storage->pos = 0; storage->size = alloc_size; storage->buff = (char *)(&storage->buff + 1); +#ifdef STRICT_ALIGNMENT + padding = calc_padding((void *)&storage->buff[storage->pos], size); +#endif /* STRICT_ALIGNMENT */ } +#ifdef STRICT_ALIGNMENT + storage->pos += (int)padding; +#endif /* STRICT_ALIGNMENT */ + ptr = (void *)&storage->buff[storage->pos]; storage->pos += size; return ptr; diff --git a/configure.in b/configure.in index bb1ab8a..5968bbd 100644 --- a/configure.in +++ b/configure.in @@ -423,7 +423,7 @@ fi RUBY_NACL AS_CASE(["$host_os:$build_os"], [darwin*:darwin*], [ - AC_CHECK_TOOLS(CC, [gcc-4.2 clang gcc cc]) + AC_CHECK_TOOLS(CC, [clang gcc cc]) # Following Apple deployed clang are broken # clang version 1.0 (http://llvm.org/svn/llvm-project/cfe/tags/Apple/clang-23 exported) # Apple clang version 2.0 (tags/Apple/clang-137) (based on LLVM 2.9svn) @@ -453,7 +453,9 @@ if test "$GCC" = yes; then linker_flag=-Wl, : ${optflags=-O3} gcc_major=`echo =__GNUC__ | $CC -E -xc - | sed '/^=/!d;s///'` + gcc_minor=`echo =__GNUC_MINOR__ | $CC -E -xc - | sed '/^=/!d;s///'` test -n "$gcc_major" || gcc_major=0 + test -n "$gcc_minor" || gcc_minor=0 # RUBY_APPEND_OPTIONS(XCFLAGS, ["-include ruby/config.h" "-include ruby/missing.h"]) else linker_flag= @@ -956,6 +958,9 @@ AS_CASE(["$target_os"], ac_cv_type_getgroups=gid_t # getgroups() on Rosetta fills garbage ac_cv_lib_crypt_crypt=no ac_cv_func_fdatasync=no # Mac OS X wrongly reports it has fdatasync() + if test $gcc_major -lt 4 -o \( $gcc_major -eq 4 -a $gcc_minor -lt 3 \); then + ac_cv_func___builtin_setjmp=no + fi AC_CACHE_CHECK(for broken crypt with 8bit chars, rb_cv_broken_crypt, [AC_TRY_RUN([ #include <stdio.h> diff --git a/debian/changelog b/debian/changelog index 2b1a85f..e0f68ba 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +ruby2.1 (2.1.5-1) unstable; urgency=medium + + * New upstream release + - Fixes CVE-2014-8090 Another Denial of Service XML Expansion + (Closes: #770932) + - Fixes build on SPARC (Closes: #769731) + + -- Antonio Terceiro <terceiro@debian.org> Sat, 29 Nov 2014 12:30:39 -0200 + ruby2.1 (2.1.4-1) unstable; urgency=high * New upstream version diff --git a/lib/rexml/document.rb b/lib/rexml/document.rb index 1e18263..f92eb62 100644 --- a/lib/rexml/document.rb +++ b/lib/rexml/document.rb @@ -278,6 +278,10 @@ module REXML end end + def document + self + end + private def build( source ) Parsers::TreeParser.new( source, self ).parse diff --git a/lib/rexml/entity.rb b/lib/rexml/entity.rb index f447202..3a35ec6 100644 --- a/lib/rexml/entity.rb +++ b/lib/rexml/entity.rb @@ -157,6 +157,7 @@ module REXML # This is a set of entity constants -- the ones defined in the XML # specification. These are +gt+, +lt+, +amp+, +quot+ and +apos+. + # CAUTION: these entities does not have parent and document module EntityConst # +>+ GT = Entity.new( 'gt', '>' ) diff --git a/test/rexml/test_document.rb b/test/rexml/test_document.rb index efdcf66..c5ac057 100644 --- a/test/rexml/test_document.rb +++ b/test/rexml/test_document.rb @@ -47,7 +47,23 @@ EOF </member> EOF - XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF + XML_WITH_NESTED_EMPTY_ENTITY = <<EOF +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE member [ + <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"> + <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;"> + <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;"> + <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;"> + <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;"> + <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;"> + <!ENTITY g ""> +]> +<member> +&a; +</member> +EOF + + XML_WITH_NESTED_PARAMETER_ENTITY = <<EOF <!DOCTYPE root [ <!ENTITY % a "BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM.BOOM."> <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;"> @@ -61,6 +77,20 @@ EOF <cd></cd> EOF + XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY = <<EOF +<!DOCTYPE root [ + <!ENTITY % a ""> + <!ENTITY % b "%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;%a;"> + <!ENTITY % c "%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;%b;"> + <!ENTITY % d "%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;%c;"> + <!ENTITY % e "%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;%d;"> + <!ENTITY % f "%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;%e;"> + <!ENTITY % g "%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;%f;"> + <!ENTITY test "test %g;"> +]> +<cd></cd> +EOF + XML_WITH_4_ENTITY_EXPANSION = <<EOF <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE member [ @@ -87,6 +117,18 @@ EOF end assert_equal(101, doc.entity_expansion_count) + doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY) + assert_raise(RuntimeError) do + doc.root.children.first.value + end + REXML::Security.entity_expansion_limit = 100 + assert_equal(100, REXML::Security.entity_expansion_limit) + doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY) + assert_raise(RuntimeError) do + doc.root.children.first.value + end + assert_equal(101, doc.entity_expansion_count) + REXML::Security.entity_expansion_limit = 4 doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION) assert_equal("\na\na a\n<\n", doc.root.children.first.value) @@ -108,6 +150,15 @@ EOF assert_raise(REXML::ParseException) do REXML::Document.new(XML_WITH_NESTED_PARAMETER_ENTITY) end + + assert_raise(REXML::ParseException) do + REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY) + end + REXML::Security.entity_expansion_limit = 100 + assert_equal(100, REXML::Security.entity_expansion_limit) + assert_raise(REXML::ParseException) do + REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY) + end ensure REXML::Security.entity_expansion_limit = 10000 end diff --git a/test/ruby/envutil.rb b/test/ruby/envutil.rb index fa13089..a6a9f70 100644 --- a/test/ruby/envutil.rb +++ b/test/ruby/envutil.rb @@ -192,7 +192,7 @@ module EnvUtil log = File.read(name) rescue next if /\AProcess:\s+#{cmd} \[#{pid}\]$/ =~ log File.unlink(name) - File.unlink("#{path}/.#{File.basename(name)}.plist") + File.unlink("#{path}/.#{File.basename(name)}.plist") rescue nil return log end end diff --git a/version.h b/version.h index 794e0d6..fbb3fa9 100644 --- a/version.h +++ b/version.h @@ -1,10 +1,10 @@ -#define RUBY_VERSION "2.1.4" -#define RUBY_RELEASE_DATE "2014-10-27" -#define RUBY_PATCHLEVEL 265 +#define RUBY_VERSION "2.1.5" +#define RUBY_RELEASE_DATE "2014-11-13" +#define RUBY_PATCHLEVEL 273 #define RUBY_RELEASE_YEAR 2014 -#define RUBY_RELEASE_MONTH 10 -#define RUBY_RELEASE_DAY 27 +#define RUBY_RELEASE_MONTH 11 +#define RUBY_RELEASE_DAY 13 #include "ruby/version.h"
Attachment:
signature.asc
Description: Digital signature