On Sat, Jun 27, 2015 at 10:23:31PM +0200, Christian Hofstaedtler wrote:
> Salvatore,
> 
> * Salvatore Bonaccorso <car...@debian.org> [150627 13:57]:
> > Source: ruby2.1
> > Version: 2.1.5-1
> > Severity: important
> > Tags: security upstream patch fixed-upstream
> > 
> > the following vulnerability was published for ruby2.1.
> > 
> > CVE-2015-3900[0]:
> > | RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before
> > | 2.4.7 does not validate the hostname when fetching gems or making API
> > | request, which allows remote attackers to redirect requests to
> > | arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack
> > | attack."
> 
> Thank you for bringing this to our attention. I suspect upstream
> will upgrade to 2.2.5 (on the ruby 2.1 branch) in the next few days,
> and then I'd like to import that, if nobody objects.

Upstream hasn't done that yet, so I want to upload the attached
debdiff to jessie-security.

The ruby packages are maintained with patches applied in git, so the
patch metadata is not visible in the debdiff. I applied these two commits,
cherry-picked from rubygems upstream (funnily enough, they apply
cleanly on top of the ruby source):

http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=9b945cadc3b157829a60debff1dd5c536644f9b2
http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=61f89c1e7b7ac864d840686aa7824eb04cba5cff

Salvatore, please let me know if I can upload to jessie-security.
I will make similar uploads to unstable for both ruby2.1 and ruby2.2.

-- 
Antonio Terceiro <terce...@debian.org>
diff -Nru ruby2.1-2.1.5/debian/changelog ruby2.1-2.1.5/debian/changelog
--- ruby2.1-2.1.5/debian/changelog	2015-04-27 11:13:12.000000000 -0300
+++ ruby2.1-2.1.5/debian/changelog	2015-07-29 09:28:42.000000000 -0300
@@ -1,3 +1,10 @@
+ruby2.1 (2.1.5-2+deb8u2) jessie-security; urgency=medium
+
+  * Apply upstream patches to fix Request hijacking vulnerability in Rubygems
+    [CVE-2015-3900] (Closes: #790119)
+
+ -- Antonio Terceiro <terce...@debian.org>  Wed, 29 Jul 2015 09:27:24 -0300
+
 ruby2.1 (2.1.5-2+deb8u1) jessie-security; urgency=high
 
   * Fix vulnerabiity with overly permissive matching of hostnames in OpenSSL
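Review bot: the new entry at `ruby2.1 (2.1.5-2+deb8u2) jessie-security; urgency=medium` uses a lower urgency than the previous jessie-security upload directly below it (`urgency=high`); for a security fix targeting jessie-security, `urgency=high` is the usual choice, so either raise it or say why medium is intended. The changelog text itself is fine, but "Rubygems" is spelled "RubyGems" upstream and in the CVE description quoted above.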
diff -Nru ruby2.1-2.1.5/debian/patches/debian-changes ruby2.1-2.1.5/debian/patches/debian-changes
--- ruby2.1-2.1.5/debian/patches/debian-changes	2015-04-27 20:52:12.000000000 -0300
+++ ruby2.1-2.1.5/debian/patches/debian-changes	2015-07-29 09:29:12.000000000 -0300
@@ -129,6 +129,23 @@
  void rb_str_setter(VALUE, ID, VALUE*);
  VALUE rb_str_intern(VALUE);
  VALUE rb_sym_to_s(VALUE);
+--- ruby2.1-2.1.5.orig/lib/rubygems/remote_fetcher.rb
++++ ruby2.1-2.1.5/lib/rubygems/remote_fetcher.rb
+@@ -90,7 +90,13 @@ class Gem::RemoteFetcher
+     rescue Resolv::ResolvError
+       uri
+     else
+-      URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
++      target = res.target.to_s.strip
++
++      if /\.#{Regexp.quote(host)}\z/ =~ target
++        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
++      end
++
++      uri
+     end
+   end
+ 
 --- ruby2.1-2.1.5.orig/lib/test/unit/test-unit.gemspec
 +++ ruby2.1-2.1.5/lib/test/unit/test-unit.gemspec
 @@ -3,6 +3,7 @@
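Review bot: the check at `if /\.#{Regexp.quote(host)}\z/ =~ target` is anchored only at the end of the string, which is what rejects both `badexample.com` and `example.combadguy.com` while still accepting `gems.example.com`, but it is case-sensitive whereas DNS names are not, so an SRV target returned as `Gems.Example.com` silently falls through to the unredirected `uri`. That fails closed, which is acceptable, but a case-insensitive match (`/i`, or downcasing `target` and `host`) plus a one-line comment stating that the fall-through is deliberate would make the intent clear. `host` is not defined inside this hunk; please confirm it is the `uri.host` value assigned earlier in `api_endpoint`, since quoting anything else here would make the check meaningless.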
@@ -450,6 +467,69 @@
    end
  
    def test_format_string_modified
+--- ruby2.1-2.1.5.orig/test/rubygems/test_gem_remote_fetcher.rb
++++ ruby2.1-2.1.5/test/rubygems/test_gem_remote_fetcher.rb
+@@ -163,6 +163,21 @@ gems:
+   end
+ 
+   def test_api_endpoint
++    uri = URI.parse "http://example.com/foo";
++    target = MiniTest::Mock.new
++    target.expect :target, "gems.example.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://gems.example.com/foo";), fetch.api_endpoint(uri)
++
++    target.verify
++    dns.verify
++  end
++
++  def test_api_endpoint_ignores_trans_domain_values
+     uri = URI.parse "http://gems.example.com/foo";
+     target = MiniTest::Mock.new
+     target.expect :target, "blah.com"
+@@ -171,7 +186,37 @@ gems:
+     dns.expect :getresource, target, [String, Object]
+ 
+     fetch = Gem::RemoteFetcher.new nil, dns
+-    assert_equal URI.parse("http://blah.com/foo";), fetch.api_endpoint(uri)
++    assert_equal URI.parse("http://gems.example.com/foo";), fetch.api_endpoint(uri)
++
++    target.verify
++    dns.verify
++  end
++
++  def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
++    uri = URI.parse "http://example.com/foo";
++    target = MiniTest::Mock.new
++    target.expect :target, "example.combadguy.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://example.com/foo";), fetch.api_endpoint(uri)
++
++    target.verify
++    dns.verify
++  end
++
++  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
++    uri = URI.parse "http://example.com/foo";
++    target = MiniTest::Mock.new
++    target.expect :target, "badexample.com"
++
++    dns = MiniTest::Mock.new
++    dns.expect :getresource, target, [String, Object]
++
++    fetch = Gem::RemoteFetcher.new nil, dns
++    assert_equal URI.parse("http://example.com/foo";), fetch.api_endpoint(uri)
+ 
+     target.verify
+     dns.verify
 --- ruby2.1-2.1.5.orig/tool/rbinstall.rb
 +++ ruby2.1-2.1.5/tool/rbinstall.rb
 @@ -666,7 +666,8 @@ module RbInstall
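Review bot: the four tests cover one accepted subdomain (`gems.example.com` for `example.com`) and three rejected look-alikes, but none pins down what happens when the SRV target equals the queried host itself (target `example.com` for `http://example.com/foo`); with the leading `\.` in the regex that case is rejected and the original `uri` is returned, which is probably fine but deserves a test so the behaviour does not change by accident. Minor: the names `test_api_endpoint_ignores_trans_domain_values_that_starts_with_original` / `..._that_end_with_original` are inconsistent in number; `that_start_with` and `that_end_with` would match. The stray `;` after each URL literal (`"http://example.com/foo";`) as shown here would not parse as Ruby, so it is presumably an artifact of the archive rendering rather than of the debdiff; worth double-checking against the file in git before upload.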

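To make the "DNS hijack" in the quoted CVE description concrete, here is an added example (my own code, not from the Debian or RubyGems patch) that puts the pre-fix endpoint selection next to the post-fix one and runs both over a constructed table of SRV answers. The `FAKE_SRV` table, the hostnames in it and the helper names `srv_target`, `api_endpoint_vulnerable`, `api_endpoint_hardened` and `resolve_all` are all assumptions made for the example; real RubyGems queries `_rubygems._tcp.<host>` via `Resolv::DNS`, which is replaced here by the table so the code runs offline.

```ruby
require "uri"

# Constructed SRV answers for the example (not real DNS data). Each entry maps
# the SRV name RubyGems would query to the target hostname the resolver would
# return. The first is a legitimate delegation; the rest model an attacker who
# controls (or spoofs) the SRV reply.
FAKE_SRV = {
  "_rubygems._tcp.example.com" => "gems.example.com",     # real subdomain: OK
  "_rubygems._tcp.victim.test" => "badvictim.test",       # suffix-only lookalike
  "_rubygems._tcp.other.test"  => "other.testevil.test",  # prefix-only lookalike
  "_rubygems._tcp.evil.test"   => "attacker.example.org", # unrelated domain
}.freeze

# Stand-in for Resolv::DNS#getresource(...).target; returns nil when there
# is no SRV record, which corresponds to the Resolv::ResolvError branch.
def srv_target(host)
  FAKE_SRV["_rubygems._tcp.#{host}"]
end

# Pre-fix behaviour: whatever hostname the SRV record names is used as-is,
# so an attacker who can answer the SRV query redirects every gem fetch.
def api_endpoint_vulnerable(uri)
  uri = URI.parse(uri) if uri.is_a?(String)
  target = srv_target(uri.host)
  return uri if target.nil?
  URI.parse("#{uri.scheme}://#{target}#{uri.path}")
end

# Post-fix behaviour: the SRV target is honoured only if it is a subdomain of
# the host the user asked for. The regex is anchored at the end and requires
# a literal "." before the host, so "badvictim.test" and "other.testevil.test"
# are rejected; Regexp.quote keeps the dots in the host from acting as
# wildcards. Everything else falls back to the original URI (fail closed).
def api_endpoint_hardened(uri)
  uri = URI.parse(uri) if uri.is_a?(String)
  target = srv_target(uri.host)
  return uri if target.nil?
  target = target.to_s.strip
  if /\.#{Regexp.quote(uri.host)}\z/i =~ target
    URI.parse("#{uri.scheme}://#{target}#{uri.path}")
  else
    uri
  end
end

# Runs both variants over the constructed table and returns, per input host,
# the host each variant would actually connect to.
def resolve_all
  %w[example.com victim.test other.test evil.test].map do |h|
    uri = "http://#{h}/api/v1/dependencies"
    [h, api_endpoint_vulnerable(uri).host, api_endpoint_hardened(uri).host]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts format("%-14s %-22s %s", "requested", "pre-fix connects to", "post-fix connects to")
  resolve_all.each { |h, v, f| puts format("%-14s %-22s %s", h, v, f) }
end
```

Running it shows the three lookalike targets being followed by the pre-fix code and ignored by the post-fix code, while the genuine `gems.example.com` delegation still works in both. The `/i` flag is my addition on top of the upstream check, since DNS names are case-insensitive; the Debian patch itself matches case-sensitively and simply falls back to the original URI for mixed-case targets.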