Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, I would like to upload the attached diff as a stable update for ruby2.1, fixing a minor security bug that didn't qualify for a DSA. Te following patches were cherry-picked from upstream: http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=9b945cadc3b157829a60debff1dd5c536644f9b2 http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=61f89c1e7b7ac864d840686aa7824eb04cba5cff -- System Information: Debian Release: stretch/sid APT prefers buildd-unstable APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Antonio Terceiro <terceiro@debian.org>
diff --git a/debian/changelog b/debian/changelog
index 933e6ab..13a9637 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high
+
+ * Apply upstream patches to fix Request hijacking vulnerability in Rubygems
+ [CVE-2015-3900] (Closes: #790119)
+
+ -- Antonio Terceiro <terceiro@debian.org> Wed, 29 Jul 2015 09:27:24 -0300
+
ruby2.1 (2.1.5-2+deb8u1) jessie-security; urgency=high
* Fix vulnerabiity with overly permissive matching of hostnames in OpenSSL
diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb
index 58991ca..ed2e171 100644
--- a/lib/rubygems/remote_fetcher.rb
+++ b/lib/rubygems/remote_fetcher.rb
@@ -90,7 +90,13 @@ class Gem::RemoteFetcher
rescue Resolv::ResolvError
uri
else
- URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
+ target = res.target.to_s.strip
+
+ if /\.#{Regexp.quote(host)}\z/ =~ target
+ return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+ end
+
+ uri
end
end
diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb
index 79f3a58..626797f 100644
--- a/test/rubygems/test_gem_remote_fetcher.rb
+++ b/test/rubygems/test_gem_remote_fetcher.rb
@@ -163,6 +163,21 @@ gems:
end
def test_api_endpoint
+ uri = URI.parse "http://example.com/foo";
+ target = MiniTest::Mock.new
+ target.expect :target, "gems.example.com"
+
+ dns = MiniTest::Mock.new
+ dns.expect :getresource, target, [String, Object]
+
+ fetch = Gem::RemoteFetcher.new nil, dns
+ assert_equal URI.parse("http://gems.example.com/foo";), fetch.api_endpoint(uri)
+
+ target.verify
+ dns.verify
+ end
+
+ def test_api_endpoint_ignores_trans_domain_values
uri = URI.parse "http://gems.example.com/foo";
target = MiniTest::Mock.new
target.expect :target, "blah.com"
@@ -171,7 +186,37 @@ gems:
dns.expect :getresource, target, [String, Object]
fetch = Gem::RemoteFetcher.new nil, dns
- assert_equal URI.parse("http://blah.com/foo";), fetch.api_endpoint(uri)
+ assert_equal URI.parse("http://gems.example.com/foo";), fetch.api_endpoint(uri)
+
+ target.verify
+ dns.verify
+ end
+
+ def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
+ uri = URI.parse "http://example.com/foo";
+ target = MiniTest::Mock.new
+ target.expect :target, "example.combadguy.com"
+
+ dns = MiniTest::Mock.new
+ dns.expect :getresource, target, [String, Object]
+
+ fetch = Gem::RemoteFetcher.new nil, dns
+ assert_equal URI.parse("http://example.com/foo";), fetch.api_endpoint(uri)
+
+ target.verify
+ dns.verify
+ end
+
+ def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
+ uri = URI.parse "http://example.com/foo";
+ target = MiniTest::Mock.new
+ target.expect :target, "badexample.com"
+
+ dns = MiniTest::Mock.new
+ dns.expect :getresource, target, [String, Object]
+
+ fetch = Gem::RemoteFetcher.new nil, dns
+ assert_equal URI.parse("http://example.com/foo";), fetch.api_endpoint(uri)
target.verify
dns.verify
Attachment:
signature.asc
Description: Digital signature