Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, I would like to upload the attached diff as a stable update for ruby2.1, fixing a minor security bug that didn't qualify for a DSA. Te following patches were cherry-picked from upstream: http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=9b945cadc3b157829a60debff1dd5c536644f9b2 http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=61f89c1e7b7ac864d840686aa7824eb04cba5cff -- System Information: Debian Release: stretch/sid APT prefers buildd-unstable APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Antonio Terceiro <terceiro@debian.org>
diff --git a/debian/changelog b/debian/changelog index 933e6ab..13a9637 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high + + * Apply upstream patches to fix Request hijacking vulnerability in Rubygems + [CVE-2015-3900] (Closes: #790119) + + -- Antonio Terceiro <terceiro@debian.org> Wed, 29 Jul 2015 09:27:24 -0300 + ruby2.1 (2.1.5-2+deb8u1) jessie-security; urgency=high * Fix vulnerabiity with overly permissive matching of hostnames in OpenSSL diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb index 58991ca..ed2e171 100644 --- a/lib/rubygems/remote_fetcher.rb +++ b/lib/rubygems/remote_fetcher.rb @@ -90,7 +90,13 @@ class Gem::RemoteFetcher rescue Resolv::ResolvError uri else - URI.parse "#{uri.scheme}://#{res.target}#{uri.path}" + target = res.target.to_s.strip + + if /\.#{Regexp.quote(host)}\z/ =~ target + return URI.parse "#{uri.scheme}://#{target}#{uri.path}" + end + + uri end end diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb index 79f3a58..626797f 100644 --- a/test/rubygems/test_gem_remote_fetcher.rb +++ b/test/rubygems/test_gem_remote_fetcher.rb @@ -163,6 +163,21 @@ gems: end def test_api_endpoint + uri = URI.parse "http://example.com/foo" + target = MiniTest::Mock.new + target.expect :target, "gems.example.com" + + dns = MiniTest::Mock.new + dns.expect :getresource, target, [String, Object] + + fetch = Gem::RemoteFetcher.new nil, dns + assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) + + target.verify + dns.verify + end + + def test_api_endpoint_ignores_trans_domain_values uri = URI.parse "http://gems.example.com/foo" target = MiniTest::Mock.new target.expect :target, "blah.com" @@ -171,7 +186,37 @@ gems: dns.expect :getresource, target, [String, Object] fetch = Gem::RemoteFetcher.new nil, dns - assert_equal URI.parse("http://blah.com/foo"), fetch.api_endpoint(uri) + assert_equal URI.parse("http://gems.example.com/foo"), fetch.api_endpoint(uri) + + target.verify + dns.verify + end + + def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original + uri = URI.parse "http://example.com/foo" + target = MiniTest::Mock.new + target.expect :target, "example.combadguy.com" + + dns = MiniTest::Mock.new + dns.expect :getresource, target, [String, Object] + + fetch = Gem::RemoteFetcher.new nil, dns + assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) + + target.verify + dns.verify + end + + def test_api_endpoint_ignores_trans_domain_values_that_end_with_original + uri = URI.parse "http://example.com/foo" + target = MiniTest::Mock.new + target.expect :target, "badexample.com" + + dns = MiniTest::Mock.new + dns.expect :getresource, target, [String, Object] + + fetch = Gem::RemoteFetcher.new nil, dns + assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri) target.verify dns.verify
Attachment:
signature.asc
Description: Digital signature