Wheezy update of ruby-eventmachine?
Dear Ruby and LTS Maintainers,
I plan to update the ruby-eventmachine package in Wheezy LTS to
fix the following security issue:
https://security-tracker.debian.org/tracker/TEMP-0678512-2E167C
Please see the diff to previous version attached.
Changes:
ruby-eventmachine (0.12.10-3+deb7u1) wheezy-security; urgency=medium
.
* Fix remotely triggerable crash due to FD handling
* Add net-tools to build dependencies to let tests run
* Run all tests in tests/ directory
The binary packages for amd64 are also available for testing here:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/
I plan updating Jessie's version through jessie-proposed-updates, since
the issue is marked as no-DSA.
Cheers,
Balint
diff -Nru ruby-eventmachine-0.12.10/debian/changelog ruby-eventmachine-0.12.10/debian/changelog
--- ruby-eventmachine-0.12.10/debian/changelog 2012-06-20 16:21:30.000000000 +0200
+++ ruby-eventmachine-0.12.10/debian/changelog 2016-06-27 23:41:31.000000000 +0200
@@ -1,3 +1,11 @@
+ruby-eventmachine (0.12.10-3+deb7u1) wheezy-security; urgency=medium
+
+ * Fix remotely triggerable crash due to FD handling
+ * Add net-tools to build dependencies to let tests run
+ * Run all tests in tests/ directory
+
+ -- Balint Reczey <balint@balintreczey.hu> Mon, 27 Jun 2016 23:35:03 +0200
+
ruby-eventmachine (0.12.10-3) unstable; urgency=low
* Add myself to uploaders.
diff -Nru ruby-eventmachine-0.12.10/debian/control ruby-eventmachine-0.12.10/debian/control
--- ruby-eventmachine-0.12.10/debian/control 2012-06-20 16:21:30.000000000 +0200
+++ ruby-eventmachine-0.12.10/debian/control 2016-06-27 23:41:31.000000000 +0200
@@ -3,7 +3,7 @@
Priority: optional
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Uploaders: Daigo Moriwaki <daigo@debian.org>, Ryan Niebur <ryanryan52@gmail.com>, Laurent Arnoud <laurent@spkdev.net>, Paul van Tilburg <paulvt@debian.org>, Per Andersson <avtobiff@gmail.com>
-Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.7~)
+Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.7~), net-tools
Standards-Version: 3.9.3
Homepage: http://rubyeventmachine.com/
Vcs-Git: git://git.debian.org/pkg-ruby-extras/ruby-eventmachine.git
diff -Nru ruby-eventmachine-0.12.10/debian/patches/0002-use-ruby-select-api-with-expandable-fd-sets.patch ruby-eventmachine-0.12.10/debian/patches/0002-use-ruby-select-api-with-expandable-fd-sets.patch
--- ruby-eventmachine-0.12.10/debian/patches/0002-use-ruby-select-api-with-expandable-fd-sets.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-eventmachine-0.12.10/debian/patches/0002-use-ruby-select-api-with-expandable-fd-sets.patch 2016-06-27 23:41:31.000000000 +0200
@@ -0,0 +1,158 @@
+From bd881bb291b30bf9de71d6ab45caa69f25707577 Mon Sep 17 00:00:00 2001
+From: Patrick Reynolds <patrick.reynolds@github.com>
+Date: Tue, 11 Mar 2014 16:01:25 -0500
+Subject: [PATCH 2/4] use ruby select api with expandable fd sets
+
+Conflicts:
+ ext/em.cpp
+ ext/em.h
+---
+ ext/em.cpp | 30 +++++++++++++++---------------
+ ext/em.h | 10 +++++-----
+ tests/test_many_fds.rb | 22 ++++++++++++++++++++++
+ 3 files changed, 42 insertions(+), 20 deletions(-)
+ create mode 100644 tests/test_many_fds.rb
+
+--- a/ext/em.cpp
++++ b/ext/em.cpp
+@@ -774,9 +774,9 @@
+ SelectData_t::SelectData_t()
+ {
+ maxsocket = 0;
+- FD_ZERO (&fdreads);
+- FD_ZERO (&fdwrites);
+- FD_ZERO (&fderrors);
++ rb_fd_init (&fdreads);
++ rb_fd_init (&fdwrites);
++ rb_fd_init (&fderrors);
+ }
+
+
+@@ -789,7 +789,7 @@
+ static VALUE _SelectDataSelect (void *v)
+ {
+ SelectData_t *sd = (SelectData_t*)v;
+- sd->nSockets = select (sd->maxsocket+1, &(sd->fdreads), &(sd->fdwrites), &(sd->fderrors), &(sd->tv));
++ sd->nSockets = rb_fd_select (sd->maxsocket+1, &(sd->fdreads), &(sd->fdwrites), &(sd->fderrors), &(sd->tv));
+ return Qnil;
+ }
+ #endif
+@@ -850,9 +850,9 @@
+
+ SelectData_t SelectData;
+ /*
+- fd_set fdreads, fdwrites;
+- FD_ZERO (&fdreads);
+- FD_ZERO (&fdwrites);
++ rb_fdset_t fdreads, fdwrites;
++ rb_fd_init (&fdreads);
++ rb_fd_init (&fdwrites);
+
+ int maxsocket = 0;
+ */
+@@ -862,7 +862,7 @@
+ // running on localhost with a randomly-chosen port. (*Puke*)
+ // Windows has a version of the Unix pipe() library function, but it doesn't
+ // give you back descriptors that are selectable.
+- FD_SET (LoopBreakerReader, &(SelectData.fdreads));
++ rb_fd_set (LoopBreakerReader, &(SelectData.fdreads));
+ if (SelectData.maxsocket < LoopBreakerReader)
+ SelectData.maxsocket = LoopBreakerReader;
+
+@@ -877,15 +877,15 @@
+ assert (sd != INVALID_SOCKET);
+
+ if (ed->SelectForRead())
+- FD_SET (sd, &(SelectData.fdreads));
++ rb_fd_set (sd, &(SelectData.fdreads));
+ if (ed->SelectForWrite())
+- FD_SET (sd, &(SelectData.fdwrites));
++ rb_fd_set (sd, &(SelectData.fdwrites));
+
+ #ifdef OS_WIN32
+ /* 21Sep09: on windows, a non-blocking connect() that fails does not come up as writable.
+ Instead, it is added to the error set. See http://www.mail-archive.com/openssl-users@openssl.org/msg58500.html
+ */
+- FD_SET (sd, &(SelectData.fderrors));
++ rb_fd_set (sd, &(SelectData.fderrors));
+ #endif
+
+ if (SelectData.maxsocket < sd)
+@@ -920,15 +920,15 @@
+ continue;
+ assert (sd != INVALID_SOCKET);
+
+- if (FD_ISSET (sd, &(SelectData.fdwrites)))
++ if (rb_fd_isset (sd, &(SelectData.fdwrites)))
+ ed->Write();
+- if (FD_ISSET (sd, &(SelectData.fdreads)))
++ if (rb_fd_isset (sd, &(SelectData.fdreads)))
+ ed->Read();
+- if (FD_ISSET (sd, &(SelectData.fderrors)))
++ if (rb_fd_isset (sd, &(SelectData.fderrors)))
+ ed->HandleError();
+ }
+
+- if (FD_ISSET (LoopBreakerReader, &(SelectData.fdreads)))
++ if (rb_fd_isset (LoopBreakerReader, &(SelectData.fdreads)))
+ _ReadLoopBreaker();
+ }
+ else if (s < 0) {
+--- a/ext/em.h
++++ b/ext/em.h
+@@ -32,7 +32,7 @@
+
+ #ifdef BUILD_FOR_RUBY
+ #include <ruby.h>
+- #define EmSelect rb_thread_select
++ #define EmSelect rb_thread_fd_select
+
+ #if defined(HAVE_RBTRAP)
+ #include <rubysig.h>
+@@ -54,7 +54,7 @@
+ #define RUBY_UBF_IO RB_UBF_DFL
+ #endif
+ #else
+- #define EmSelect select
++ #define EmSelect rb_fd_select
+ #endif
+
+ class EventableDescriptor;
+@@ -227,9 +227,9 @@
+ int _Select();
+
+ int maxsocket;
+- fd_set fdreads;
+- fd_set fdwrites;
+- fd_set fderrors;
++ rb_fdset_t fdreads;
++ rb_fdset_t fdwrites;
++ rb_fdset_t fderrors;
+ timeval tv;
+ int nSockets;
+ };
+--- /dev/null
++++ b/tests/test_many_fds.rb
+@@ -0,0 +1,22 @@
++require 'em_test_helper'
++require 'socket'
++
++class TestManyFDs < Test::Unit::TestCase
++ def setup
++ @port = next_port
++ end
++
++ def test_connection_class_cache
++ mod = Module.new
++ a = nil
++ Process.setrlimit(Process::RLIMIT_NOFILE,4096);
++ EM.run {
++ EM.start_server '127.0.0.1', @port, mod
++ 1100.times do
++ a = EM.connect '127.0.0.1', @port, mod
++ assert_kind_of EM::Connection, a
++ end
++ EM.stop
++ }
++ end
++end
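Review bot: The constructor at L67–L76 now initialises the three sets with `rb_fd_init`, but no destructor ever calls `rb_fd_term`, so on a Ruby build where `rb_fdset_t` owns heap storage (the expandable-set case this patch exists for) the `SelectData_t SelectData;` at L90 leaks that storage on every pass through the select loop. A destructor that terminates the three sets closes the leak, and it is safe on the legacy path too because patch 0003 (L241) defines `rb_fd_term` as a no-op there. The struct in em.h (L169–L181) needs the matching `~SelectData_t();` declaration; both the struct's opening line and the function containing L90 begin outside this hunk. Whether the Wheezy ruby1.9.1 headers actually take the heap-backed `rb_fdset_t` branch is not visible on this page, so confirm that before treating the leak as theoretical.
```cpp
// ext/em.h — inside struct SelectData_t (its opening line is outside the hunk)
	~SelectData_t();

// ext/em.cpp — next to SelectData_t::SelectData_t()
SelectData_t::~SelectData_t()
{
	rb_fd_term (&fdreads);
	rb_fd_term (&fdwrites);
	rb_fd_term (&fderrors);
}
```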
diff -Nru ruby-eventmachine-0.12.10/debian/patches/0003-add-stubs-with-warnings-for-1.8.7-and-1.9.0.patch ruby-eventmachine-0.12.10/debian/patches/0003-add-stubs-with-warnings-for-1.8.7-and-1.9.0.patch
--- ruby-eventmachine-0.12.10/debian/patches/0003-add-stubs-with-warnings-for-1.8.7-and-1.9.0.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-eventmachine-0.12.10/debian/patches/0003-add-stubs-with-warnings-for-1.8.7-and-1.9.0.patch 2016-06-27 23:41:31.000000000 +0200
@@ -0,0 +1,40 @@
+From 0313f9e909f8c307563826e0e363cfdbf5ff3372 Mon Sep 17 00:00:00 2001
+From: Patrick Reynolds <patrick.reynolds@github.com>
+Date: Wed, 12 Mar 2014 00:15:41 -0500
+Subject: [PATCH 3/4] add stubs with warnings for 1.8.7 and 1.9.0
+
+Conflicts:
+ ext/em.h
+---
+ ext/em.h | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/ext/em.h
++++ b/ext/em.h
+@@ -60,6 +60,26 @@
+ class EventableDescriptor;
+ class InotifyDescriptor;
+
++#ifndef rb_fd_max
++#define fd_check(n) (((n) < FD_SETSIZE) ? 1 : 0*fprintf(stderr, "fd %d too large for select\n", (n)))
++typedef fd_set rb_fdset_t;
++#define rb_fd_zero(f) FD_ZERO(f)
++#define rb_fd_set(n, f) do { if (fd_check(n)) FD_SET((n), (f)); } while(0)
++#define rb_fd_clr(n, f) do { if (fd_check(n)) FD_CLR((n), (f)); } while(0)
++#define rb_fd_isset(n, f) (fd_check(n) ? FD_ISSET((n), (f)) : 0)
++#define rb_fd_copy(d, s, n) (*(d) = *(s))
++#define rb_fd_dup(d, s) (*(d) = *(s))
++#define rb_fd_resize(n, f) ((void)(f))
++#define rb_fd_ptr(f) (f)
++#define rb_fd_init(f) FD_ZERO(f)
++#define rb_fd_init_copy(d, s) (*(d) = *(s))
++#define rb_fd_term(f) ((void)(f))
++#define rb_fd_max(f) FD_SETSIZE
++#define rb_fd_select(n, rfds, wfds, efds, timeout) \
++ select(fd_check((n)-1) ? (n) : FD_SETSIZE, (rfds), (wfds), (efds), (timeout))
++#define rb_thread_fd_select(n, rfds, wfds, efds, timeout) \
++ rb_thread_select(fd_check((n)-1) ? (n) : FD_SETSIZE, (rfds), (wfds), (efds), (timeout))
++#endif
+
+ /********************
+ class EventMachine_t
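Review bot: The fallback `rb_fd_select`/`rb_thread_fd_select` at L243–L246 clamp nfds to FD_SETSIZE and `rb_fd_set` at L232 skips any descriptor that fails `fd_check`, so on a Ruby without a native `rb_fdset_t` a descriptor numbered at or above FD_SETSIZE is never polled: the connection stays open but is not serviced, and the only signal is the stderr line `fd_check` prints on every loop iteration that touches it. That is a deliberate trade (no fd_set overrun) but nothing says so; suggest a comment on the `#ifndef rb_fd_max` block such as `// Fallback for rubies without rb_fdset_t: descriptors >= FD_SETSIZE are left out of the sets (with a stderr warning) instead of overrunning fd_set, so such connections are not serviced on this path.` Separately, `rb_fd_set`, `rb_fd_clr` and `rb_fd_isset` expand `n` twice (once inside `fd_check(n)`, once in the FD_* call); the callers in em.cpp pass plain variables, so this is harmless today, but the macros should carry a note that the argument must be side-effect free. `fd_check` also relies on `fprintf`, and this hunk adds no `<stdio.h>`; presumably `ruby.h` already provides it, worth verifying for the 1.8.7 build.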
diff -Nru ruby-eventmachine-0.12.10/debian/patches/0004-add-comment-about-where-the-macros-came-from.patch ruby-eventmachine-0.12.10/debian/patches/0004-add-comment-about-where-the-macros-came-from.patch
--- ruby-eventmachine-0.12.10/debian/patches/0004-add-comment-about-where-the-macros-came-from.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-eventmachine-0.12.10/debian/patches/0004-add-comment-about-where-the-macros-came-from.patch 2016-06-27 23:41:31.000000000 +0200
@@ -0,0 +1,21 @@
+From 05b66f11c27e2df9e9e2d7ff75f0f42d258856d7 Mon Sep 17 00:00:00 2001
+From: Patrick Reynolds <patrick.reynolds@github.com>
+Date: Wed, 21 Jan 2015 22:34:43 -0600
+Subject: [PATCH 4/4] add comment about where the macros came from
+
+---
+ ext/em.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/ext/em.h
++++ b/ext/em.h
+@@ -62,6 +62,9 @@
+
+ #ifndef rb_fd_max
+ #define fd_check(n) (((n) < FD_SETSIZE) ? 1 : 0*fprintf(stderr, "fd %d too large for select\n", (n)))
++// These definitions are cribbed from include/ruby/intern.h in Ruby 1.9.3,
++// with this change: any macros that read or write the nth element of an
++// fdset first call fd_check to make sure n is in bounds.
+ typedef fd_set rb_fdset_t;
+ #define rb_fd_zero(f) FD_ZERO(f)
+ #define rb_fd_set(n, f) do { if (fd_check(n)) FD_SET((n), (f)); } while(0)
diff -Nru ruby-eventmachine-0.12.10/debian/patches/0005-Back-port-em_test_helper.rb-for-test_many_fds.rb.patch ruby-eventmachine-0.12.10/debian/patches/0005-Back-port-em_test_helper.rb-for-test_many_fds.rb.patch
--- ruby-eventmachine-0.12.10/debian/patches/0005-Back-port-em_test_helper.rb-for-test_many_fds.rb.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-eventmachine-0.12.10/debian/patches/0005-Back-port-em_test_helper.rb-for-test_many_fds.rb.patch 2016-06-27 23:41:31.000000000 +0200
@@ -0,0 +1,173 @@
+From d5eec7b64c42edce688ef1d60e9900d66848b35f Mon Sep 17 00:00:00 2001
+From: Balint Reczey <balint@balintreczey.hu>
+Date: Mon, 27 Jun 2016 22:48:38 +0200
+Subject: [PATCH 5/5] Back-port em_test_helper.rb for test_many_fds.rb
+
+---
+ tests/em_test_helper.rb | 154 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 154 insertions(+)
+ create mode 100644 tests/em_test_helper.rb
+
+diff --git a/tests/em_test_helper.rb b/tests/em_test_helper.rb
+new file mode 100644
+index 0000000..20a3e59
+--- /dev/null
++++ b/tests/em_test_helper.rb
+@@ -0,0 +1,154 @@
++require 'em/pure_ruby' if ENV['EM_PURE_RUBY']
++require 'eventmachine'
++require 'test/unit'
++require 'rbconfig'
++require 'socket'
++
++puts "EM Library Type: #{EM.library_type}"
++
++class Test::Unit::TestCase
++ class EMTestTimeout < StandardError ; end
++
++ def setup_timeout(timeout = TIMEOUT_INTERVAL)
++ EM.schedule {
++ EM.add_timer(timeout) {
++ raise EMTestTimeout, "Test was cancelled after #{timeout} seconds."
++ }
++ }
++ end
++
++ def port_in_use?(port, host="127.0.0.1")
++ s = TCPSocket.new(host, port)
++ s.close
++ s
++ rescue Errno::ECONNREFUSED
++ false
++ end
++
++ def next_port
++ @@port ||= 9000
++ begin
++ @@port += 1
++ end while port_in_use?(@@port)
++
++ @@port
++ end
++
++ # Returns true if the host have a localhost 127.0.0.1 IPv4.
++ def self.local_ipv4?
++ return @@has_local_ipv4 if defined?(@@has_local_ipv4)
++ begin
++ get_my_ipv4_address "127.0.0.1"
++ @@has_local_ipv4 = true
++ rescue
++ @@has_local_ipv4 = false
++ end
++ end
++
++ # Returns true if the host have a public IPv4 and stores it in
++ # @@public_ipv4.
++ def self.public_ipv4?
++ return @@has_public_ipv4 if defined?(@@has_public_ipv4)
++ begin
++ @@public_ipv4 = get_my_ipv4_address "1.2.3.4"
++ @@has_public_ipv4 = true
++ rescue
++ @@has_public_ipv4 = false
++ end
++ end
++
++ # Returns true if the host have a localhost ::1 IPv6.
++ def self.local_ipv6?
++ return @@has_local_ipv6 if defined?(@@has_local_ipv6)
++ begin
++ get_my_ipv6_address "::1"
++ @@has_local_ipv6 = true
++ rescue
++ @@has_local_ipv6 = false
++ end
++ end
++
++ # Returns true if the host have a public IPv6 and stores it in
++ # @@public_ipv6.
++ def self.public_ipv6?
++ return @@has_public_ipv6 if defined?(@@has_public_ipv6)
++ begin
++ @@public_ipv6 = get_my_ipv6_address "2001::1"
++ @@has_public_ipv6 = true
++ rescue
++ @@has_public_ipv6 = false
++ end
++ end
++
++ # Returns an array with the localhost addresses (IPv4 and/or IPv6).
++ def local_ips
++ return @@local_ips if defined?(@@local_ips)
++ @@local_ips = []
++ @@local_ips << "127.0.0.1" if self.class.local_ipv4?
++ @@local_ips << "::1" if self.class.local_ipv6?
++ @@local_ips
++ end
++
++ def exception_class
++ jruby? ? NativeException : RuntimeError
++ end
++
++ module PlatformHelper
++ # http://blog.emptyway.com/2009/11/03/proper-way-to-detect-windows-platform-in-ruby/
++ def windows?
++ RbConfig::CONFIG['host_os'] =~ /mswin|mingw/
++ end
++
++ def solaris?
++ RUBY_PLATFORM =~ /solaris/
++ end
++
++ # http://stackoverflow.com/questions/1342535/how-can-i-tell-if-im-running-from-jruby-vs-ruby/1685970#1685970
++ def jruby?
++ defined? JRUBY_VERSION
++ end
++
++ def rbx?
++ defined?(RUBY_ENGINE) && RUBY_ENGINE == 'rbx'
++ end
++ end
++
++ include PlatformHelper
++ extend PlatformHelper
++
++ # Tests run significantly slower on windows. YMMV
++ TIMEOUT_INTERVAL = windows? ? 1 : 0.25
++
++ def silent
++ backup, $VERBOSE = $VERBOSE, nil
++ begin
++ yield
++ ensure
++ $VERBOSE = backup
++ end
++ end
++
++
++ private
++
++ def self.get_my_ipv4_address ip
++ orig, Socket.do_not_reverse_lookup = Socket.do_not_reverse_lookup, true # turn off reverse DNS resolution temporarily
++ UDPSocket.open(Socket::AF_INET) do |s|
++ s.connect ip, 1
++ s.addr.last
++ end
++ ensure
++ Socket.do_not_reverse_lookup = orig
++ end
++
++ def self.get_my_ipv6_address ip
++ orig, Socket.do_not_reverse_lookup = Socket.do_not_reverse_lookup, true # turn off reverse DNS resolution temporarily
++ UDPSocket.open(Socket::AF_INET6) do |s|
++ s.connect ip, 1
++ s.addr.last
++ end
++ ensure
++ Socket.do_not_reverse_lookup = orig
++ end
++
++end
+--
+2.1.4
+
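Review bot: `port_in_use?` at L315–L321 returns the already-closed `TCPSocket` as its truthy result and rescues only `Errno::ECONNREFUSED`, so any other connect failure (timeout, unreachable address) propagates out of `next_port` and aborts test setup instead of being classified as free or busy. Returning an explicit boolean is clearer: replace the bare `s` on L318 with `true`. Which other errnos, if any, should count as "in use" depends on the build environment and is not decidable from this page; at minimum a comment above the method stating that only ECONNREFUSED is treated as "port free" would make the behaviour explicit.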
diff -Nru ruby-eventmachine-0.12.10/debian/patches/series ruby-eventmachine-0.12.10/debian/patches/series
--- ruby-eventmachine-0.12.10/debian/patches/series 2012-06-13 18:08:47.000000000 +0200
+++ ruby-eventmachine-0.12.10/debian/patches/series 2016-06-27 23:41:31.000000000 +0200
@@ -1 +1,5 @@
0001-Format-error-strings-safely.patch
+0002-use-ruby-select-api-with-expandable-fd-sets.patch
+0003-add-stubs-with-warnings-for-1.8.7-and-1.9.0.patch
+0004-add-comment-about-where-the-macros-came-from.patch
+0005-Back-port-em_test_helper.rb-for-test_many_fds.rb.patch
diff -Nru ruby-eventmachine-0.12.10/debian/ruby-tests.rb ruby-eventmachine-0.12.10/debian/ruby-tests.rb
--- ruby-eventmachine-0.12.10/debian/ruby-tests.rb 2012-02-02 23:57:06.000000000 +0100
+++ ruby-eventmachine-0.12.10/debian/ruby-tests.rb 2016-06-27 23:41:31.000000000 +0200
@@ -1 +1,12 @@
-system("#{ENV['RUBY_TEST_BIN']} ./tests/test_*.rb") or raise
+EXCLUDED_TESTS=["tests/test_process_watch.rb",
+ "tests/test_processes.rb",
+ "tests/test_ssl_args.rb",
+ "tests/test_ssl_methods.rb",
+ "tests/test_ssl_verify.rb"
+ ]
+(Dir["tests/test_*.rb"]-EXCLUDED_TESTS).each do |f|
+ puts "*** running #{f} ***"
+ begin
+ system("#{ENV['RUBY_TEST_BIN']} -Itests #{f}") || exit($?.exitstatus)
+ end
+end
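Review bot: `exit($?.exitstatus)` on L476 raises a TypeError instead of exiting when a test process is terminated by a signal, because `$?.exitstatus` is nil in that case — and a crash is exactly what test_many_fds.rb is meant to catch on an unfixed build; the run still fails, but with a misleading backtrace and status 1 rather than a clear test failure. `system("#{ENV['RUBY_TEST_BIN']} -Itests #{f}") || exit($?.exitstatus || 1)` keeps the intended behaviour. The `begin ... end` around that line has no rescue or ensure and can be dropped. `EXCLUDED_TESTS` gives no reason for skipping the ssl and process tests; a one-line comment above the list stating why (the reason is not given on this page) would save the next maintainer from re-enabling them blindly.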