
Bug#928391: unblock: jruby/9.1.17.0-2.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package jruby

While looking at security issues which were addressed in stable but not
yet in buster, I noticed there was also CVE-2018-1000073, #925986.
Whilst the issue is marked as buster-can-defer, and there are actually
more open CVEs for jruby itself in buster, I opted to cherry-pick
the fix for CVE-2018-1000073 to avoid a regression from stretch
-> buster after release in that regard.

+jruby (9.1.17.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Directory traversal vulnerability in install_location (CVE-2018-1000073)
+    (Closes: #925986)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 01 May 2019 11:25:03 +0200

Still there are open CVEs for buster, cf.
https://security-tracker.debian.org/tracker/source-package/jruby but
they are likewise still open for stretch.

unblock jruby/9.1.17.0-2.1

Regards,
Salvatore
diff -Nru jruby-9.1.17.0/debian/changelog jruby-9.1.17.0/debian/changelog
--- jruby-9.1.17.0/debian/changelog	2019-02-26 10:24:15.000000000 +0100
+++ jruby-9.1.17.0/debian/changelog	2019-05-01 11:25:03.000000000 +0200
@@ -1,3 +1,11 @@
+jruby (9.1.17.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Directory traversal vulnerability in install_location (CVE-2018-1000073)
+    (Closes: #925986)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 01 May 2019 11:25:03 +0200
+
 jruby (9.1.17.0-2) unstable; urgency=medium
 
   * Annotate the javax.annotation.Generated patch.
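Review bot: the changelog entry "Directory traversal vulnerability in install_location (CVE-2018-1000073)" names the vulnerability but not what this upload does about it, and gives no hint where the change comes from. Suggest wording it as an action, e.g. "Add 0017-CVE-2018-1000073.patch: fix directory traversal in install_location (CVE-2018-1000073), cherry-picked from upstream rubygems", so the record states that a patch was added and whose change it carries.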
diff -Nru jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch
--- jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch	1970-01-01 01:00:00.000000000 +0100
+++ jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch	2019-05-01 11:23:43.000000000 +0200
@@ -0,0 +1,25 @@
+From: Jonathan Claudius <jclaudius@mozilla.com>
+Date: Wed, 7 Feb 2018 23:54:52 -0500
+Subject: Non-working patch for deducing symlinked base-dirs
+Origin: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000073
+Bug-Debian: https://bugs.debian.org/925986
+
+---
+
+diff --git a/lib/ruby/stdlib/rubygems/package.rb b/lib/ruby/stdlib/rubygems/package.rb
+index dede959981e7..cb9c74a0fc07 100644
+--- a/lib/ruby/stdlib/rubygems/package.rb
++++ b/lib/ruby/stdlib/rubygems/package.rb
+@@ -421,6 +421,8 @@ EOM
+     destination_dir = File.expand_path destination_dir
+ 
+     destination = File.join destination_dir, filename
++    destination = File.realpath destination if
++      File.respond_to? :realpath
+     destination = File.expand_path destination
+ 
+     raise Gem::Package::PathError.new(destination, destination_dir) unless
+-- 
+2.20.1
+
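Review bot: the added `destination = File.realpath destination if File.respond_to? :realpath` canonicalises the final destination, which for an entry that is about to be extracted normally does not exist yet; File.realpath requires every path component to exist and raises Errno::ENOENT otherwise, so as written the check fails on the first new file instead of guarding the symlink case, and the upstream Subject: "Non-working patch for deducing symlinked base-dirs" says as much. A second problem is visible in the context lines: `destination_dir` only goes through File.expand_path, so when the install directory itself sits below a symlink the realpath'd destination no longer shares its prefix and the following `raise Gem::Package::PathError.new(destination, destination_dir) unless` fires for benign entries. Suggest canonicalising `destination_dir` with File.realpath as well, resolving the deepest existing ancestor of `destination` rather than `destination` itself, and checking upstream's follow-up commits to the cited one before shipping; the patch header should also carry a Description: of what the Debian patch is meant to fix instead of upstream's "Non-working" subject line.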
diff -Nru jruby-9.1.17.0/debian/patches/series jruby-9.1.17.0/debian/patches/series
--- jruby-9.1.17.0/debian/patches/series	2019-02-26 10:24:15.000000000 +0100
+++ jruby-9.1.17.0/debian/patches/series	2019-05-01 11:23:50.000000000 +0200
@@ -12,3 +12,4 @@
 0014-FELIX-5430.patch
 0015-javax-annotation-Generated.patch
 0016-Disable-SkinnyMethodAdapter-test.patch
+0017-CVE-2018-1000073.patch
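As an added illustration of the bug class the changelog entry names (this is example code written for this page, not rubygems' or jruby's install_location; `PathError`, `install_location_lexical`, `install_location_real` and `demo` are hypothetical names), the block below reproduces the shape of a lexical prefix check, drives it with a constructed symlink-then-file entry sequence that the check accepts, and shows a hardened variant that canonicalises with File.realpath without ever calling it on the not-yet-written destination:

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not rubygems' or jruby's code. PathError and the two
# install_location_* functions are hypothetical re-creations of the shape
# of the containment check that CVE-2018-1000073 concerns.
class PathError < StandardError; end

# Lexical containment check: File.expand_path collapses "." and ".." but
# never consults the filesystem, so a symlink the archive planted earlier
# under destination_dir is silently followed by the later write.
def install_location_lexical(filename, destination_dir)
  raise PathError, "absolute entry #{filename}" if filename.start_with?('/')
  destination_dir = File.expand_path(destination_dir)
  destination = File.expand_path(File.join(destination_dir, filename))
  raise PathError, "#{destination} escapes #{destination_dir}" unless
    destination.start_with?(destination_dir + '/')
  destination
end

# Hardened variant. File.realpath requires every component to exist, so it
# cannot be applied to the not-yet-written destination itself; instead the
# install dir and the deepest existing ancestor of the destination are
# canonicalised and the untouched tail is re-appended before the prefix
# comparison. A dangling symlink on the path is rejected as well.
def install_location_real(filename, destination_dir)
  raise PathError, "absolute entry #{filename}" if filename.start_with?('/')
  destination_dir = File.realpath(File.expand_path(destination_dir))
  destination = File.expand_path(File.join(destination_dir, filename))
  raise PathError, "#{destination} escapes #{destination_dir}" unless
    destination.start_with?(destination_dir + '/')

  # Walk up to the deepest component that exists (or is a symlink, dangling
  # or not); the loop stops at destination_dir at the latest.
  existing = destination
  existing = File.dirname(existing) until File.exist?(existing) || File.symlink?(existing)
  real = begin
    File.realpath(existing)
  rescue Errno::ENOENT
    raise PathError, "dangling symlink at #{existing}"
  end
  resolved = real + destination[existing.length..-1]
  raise PathError, "#{resolved} escapes #{destination_dir} via symlink" unless
    resolved.start_with?(destination_dir + '/')
  resolved
end

# Constructed scenario: a malicious archive first delivers the symlink
# lib/evil -> <directory outside the install dir>, then the regular file
# entry lib/evil/payload.rb, which the lexical check waves through.
def demo
  Dir.mktmpdir('gemdest') do |dest|
    Dir.mktmpdir('outside') do |outside|
      FileUtils.mkdir_p(File.join(dest, 'lib'))
      File.symlink(outside, File.join(dest, 'lib', 'evil'))
      entry = 'lib/evil/payload.rb'

      lexical = install_location_lexical(entry, dest)
      hardened = begin
        install_location_real(entry, dest)
        :allowed
      rescue PathError
        :rejected
      end
      {
        # the lexical result looks like it lies inside dest ...
        lexical_inside_prefix: lexical.start_with?(File.expand_path(dest) + '/'),
        # ... but the directory it would be written into is really `outside`
        lexical_writes_outside: File.realpath(File.dirname(lexical)) == File.realpath(outside),
        hardened: hardened,
        dotdot: (install_location_real('../escape.rb', dest) rescue :rejected),
        benign: install_location_real('lib/ok.rb', dest).end_with?('/lib/ok.rb')
      }
    end
  end
end

puts demo.inspect if __FILE__ == $0
```

Running the file prints the result hash: the lexical check returns a path that starts with the install directory yet resolves into the outside directory, while the hardened check rejects both that entry and a plain `../` escape and still accepts an ordinary `lib/ok.rb`. The one caveat that matters for the cherry-picked patch above is the same one the hardened variant works around: File.realpath on a path that does not exist yet raises instead of resolving.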
