
Bug#928391: marked as done (unblock: jruby/9.1.17.0-2.1)



Your message dated Sun, 05 May 2019 11:51:40 +0000
with message-id <E1hNFgC-0008Hw-IY@respighi.debian.org>
and subject line unblock jruby
has caused the Debian Bug report #928391,
regarding unblock: jruby/9.1.17.0-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928391
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Please unblock package jruby

While looking at security issues which were addressed in stable but not
yet in buster, I noticed there was as well CVE-2018-1000073, #925986.
Whilst the issue is marked as buster-can-defer, and there are actually
more open CVEs yet for jruby itself in buster, I opted to cherry-pick
the fix for CVE-2018-1000073 to avoid a regression from stretch
-> buster after release in that regard.

+jruby (9.1.17.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Directory traversal vulnerability in install_location (CVE-2018-1000073)
+    (Closes: #925986)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 01 May 2019 11:25:03 +0200

Still there are open CVEs for buster, cf.
https://security-tracker.debian.org/tracker/source-package/jruby but
they are then likewise as well still open for stretch.

unblock jruby/9.1.17.0-2.1

Regards,
Salvatore
diff -Nru jruby-9.1.17.0/debian/changelog jruby-9.1.17.0/debian/changelog
--- jruby-9.1.17.0/debian/changelog	2019-02-26 10:24:15.000000000 +0100
+++ jruby-9.1.17.0/debian/changelog	2019-05-01 11:25:03.000000000 +0200
@@ -1,3 +1,11 @@
+jruby (9.1.17.0-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Directory traversal vulnerability in install_location (CVE-2018-1000073)
+    (Closes: #925986)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 01 May 2019 11:25:03 +0200
+
 jruby (9.1.17.0-2) unstable; urgency=medium
 
   * Annotate the javax.annotation.Generated patch.
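Review bot: the second bullet of the new changelog entry names the vulnerability but not what was done about it; an NMU changelog line normally reads as an action, e.g. `* Fix directory traversal vulnerability in install_location (CVE-2018-1000073)`, and it would help future maintainers to add that the fix is a cherry-pick of the upstream rubygems commit referenced in the patch's Origin header.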
diff -Nru jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch
--- jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch	1970-01-01 01:00:00.000000000 +0100
+++ jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch	2019-05-01 11:23:43.000000000 +0200
@@ -0,0 +1,25 @@
+From: Jonathan Claudius <jclaudius@mozilla.com>
+Date: Wed, 7 Feb 2018 23:54:52 -0500
+Subject: Non-working patch for deducing symlinked base-dirs
+Origin: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1000073
+Bug-Debian: https://bugs.debian.org/925986
+
+---
+
+diff --git a/lib/ruby/stdlib/rubygems/package.rb b/lib/ruby/stdlib/rubygems/package.rb
+index dede959981e7..cb9c74a0fc07 100644
+--- a/lib/ruby/stdlib/rubygems/package.rb
++++ b/lib/ruby/stdlib/rubygems/package.rb
+@@ -421,6 +421,8 @@ EOM
+     destination_dir = File.expand_path destination_dir
+ 
+     destination = File.join destination_dir, filename
++    destination = File.realpath destination if
++      File.respond_to? :realpath
+     destination = File.expand_path destination
+ 
+     raise Gem::Package::PathError.new(destination, destination_dir) unless
+-- 
+2.20.1
+
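Review bot: the two added lines call `File.realpath destination` on a path that, for an entry about to be extracted into a fresh install, does not yet exist; File.realpath raises Errno::ENOENT for a nonexistent path, so this would abort ordinary extraction rather than only reject traversal attempts. The DEP-3 Subject header, carried over from the upstream commit, itself reads "Non-working patch for deducing symlinked base-dirs", which suggests an intermediate commit rather than the final upstream fix; please confirm that this hunk matches what the rubygems release actually shipped, and that installing a gem into an empty destination directory still succeeds with the patched jruby. Independently of that, the Subject line should describe what the patch does for this package (e.g. `Subject: Fix directory traversal in install_location (CVE-2018-1000073)`) instead of repeating the upstream commit title.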
diff -Nru jruby-9.1.17.0/debian/patches/series jruby-9.1.17.0/debian/patches/series
--- jruby-9.1.17.0/debian/patches/series	2019-02-26 10:24:15.000000000 +0100
+++ jruby-9.1.17.0/debian/patches/series	2019-05-01 11:23:50.000000000 +0200
@@ -12,3 +12,4 @@
 0014-FELIX-5430.patch
 0015-javax-annotation-Generated.patch
 0016-Disable-SkinnyMethodAdapter-test.patch
+0017-CVE-2018-1000073.patch

--- End Message ---
--- Begin Message ---
Unblocked jruby.

--- End Message ---
