Control: tag -1 + patch pending

Hello,
I took the liberty to help prepare the relevant uploads in the wheezy branch of the collab-maint git repositories: For ruby1.8: http://anonscm.debian.org/gitweb/?p=collab-maint/ruby1.8.git;a=shortlog;h=refs/heads/wheezy For ruby1.9.1: http://anonscm.debian.org/gitweb/?p=collab-maint/ruby1.9.1.git;a=shortlog;h=refs/heads/wheezy Dear security team, please find attached the diff compared to the respective versions in stable(-security). Is it OK to upload them? Dear maintainers, please test those updates (they build fine on wheezy/amd64, I checked this) and upload them if you're happy with them. Thank you in advance. Note that for ruby1.8, I prepared the update on top of 1.8.7.358-7.1, which was never in stable: it was a security-fix-only upload (the CVE-2013-4073 hostname-check fix) that went to unstable and should have gone to stable as well, so this stable-security upload brings that fix in too. The resulting version still sorts below the current version in unstable, so upgrades from stable remain possible and we're fine. Regards, PS: I didn't take care of oldstable. Someone should handle that. -- Raphaël Hertzog ◈ Debian Developer Discover the Debian Administrator's Handbook: → http://debian-handbook.info/get/
diff --git a/debian/changelog b/debian/changelog
index f2bc314..e740e58 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+ruby1.8 (1.8.7.358-7.1+deb7u1) stable-security; urgency=high
+
+ * debian/patches/CVE-2013-4164.patch: New patch to fix
+ heap overflow in floating point parsing (Closes: #730189)
+ Thanks to Moritz Muehlenhoff for the patch.
+
+ -- Raphaël Hertzog <b...@kali.org> Fri, 29 Nov 2013 09:02:39 +0100
+
+ruby1.8 (1.8.7.358-7.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Add CVE-2013-4073.patch patch.
+ CVE-2013-4073: Fix hostname check bypassing vulnerability in SSL client.
+ (Closes: #714541)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sun, 07 Jul 2013 14:10:32 +0200
+
 ruby1.8 (1.8.7.358-7) unstable; urgency=high
 
 [ Salvatore Bonaccorso ]
diff --git a/debian/patches/CVE-2013-4073.patch b/debian/patches/CVE-2013-4073.patch
new file mode 100644
index 0000000..06bd782
--- /dev/null
+++ b/debian/patches/CVE-2013-4073.patch
@@ -0,0 +1,81 @@
+Description: Fix hostname check bypassing vulnerability in SSL client
+ CVE-2013-4073: Hostname identity check did not properly handle
+ hostnames in the certificate that contain null bytes.
+Origin: upstream, https://github.com/ruby/ruby/commit/961bf7496ded3acfe847cf56fa90bbdcfd6e614f,
+ https://github.com/ruby/ruby/commit/469d4b9389cc2f877f2f17ba248146831d69c66b,
+ https://bugs.ruby-lang.org/issues/8575
+Bug-Debian: http://bugs.debian.org/714541
+Forwarded: not-needed
+Author: Salvatore Bonaccorso <car...@debian.org>
+Last-Update: 2013-07-07
+Applied-Upstream: 1.9.3-p448, 1.8.7-p374.
+
+--- a/ext/openssl/lib/openssl/ssl-internal.rb
++++ b/ext/openssl/lib/openssl/ssl-internal.rb
+@@ -90,14 +90,22 @@
+ should_verify_common_name = true
+ cert.extensions.each{|ext|
+ next if ext.oid != "subjectAltName"
+- ext.value.split(/,\s+/).each{|general_name|
+- if /\ADNS:(.*)/ =~ general_name
++ ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
++ sequence = OpenSSL::ASN1.decode(ostr.value)
++ sequence.value.each{|san|
++ case san.tag
++ when 2 # dNSName in GeneralName (RFC5280)
+ should_verify_common_name = false
+- reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
++ reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
+ return true if /\A#{reg}\z/i =~ hostname
+- elsif /\AIP Address:(.*)/ =~ general_name
++ when 7 # iPAddress in GeneralName (RFC5280)
+ should_verify_common_name = false
+- return true if $1 == hostname
++ # follows GENERAL_NAME_print() in x509v3/v3_alt.c
++ if san.value.size == 4
++ return true if san.value.unpack('C*').join('.') == hostname
++ elsif san.value.size == 16
++ return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
++ end
+ end
+ }
+ }
+--- a/test/openssl/test_ssl.rb
++++ b/test/openssl/test_ssl.rb
+@@ -547,6 +547,36 @@
+ ssl.close
+ }
+ end
++
++ def test_verify_certificate_identity$
++ [true, false].each do |criticality|$
++ cert = create_null_byte_SAN_certificate(criticality)$
++ 
assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com'))$
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com'))$
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))$
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))$
++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))$
++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))$
++ end$
++ end$
++$
++ # Create NULL byte SAN certificate$
++ def create_null_byte_SAN_certificate(critical = false)$
++ ef = OpenSSL::X509::ExtensionFactory.new$
++ cert = OpenSSL::X509::Certificate.new$
++ cert.subject = OpenSSL::X509::Name.parse "/DC=some/DC=site/CN=Some Site"$
++ ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17', critical)$
++ ext_asn1 = OpenSSL::ASN1.decode(ext.to_der)$
++ san_list_der = ext_asn1.value.reduce(nil) { |memo,val| val.tag == 4 ? val.value : memo }$
++ san_list_asn1 = OpenSSL::ASN1.decode(san_list_der)$
++ san_list_asn1.value[0].value = 'www.example.com\0.evil.com'$
++ pos = critical ? 2 : 1$
++ ext_asn1.value[pos].value = san_list_asn1.to_der$
++ real_ext = OpenSSL::X509::Extension.new ext_asn1$
++ cert.add_extension(real_ext)$
++ cert$
++ end$
++$
+ end
+
+ end
diff --git a/debian/patches/CVE-2013-4164.patch b/debian/patches/CVE-2013-4164.patch
new file mode 100644
index 0000000..52050d5
--- /dev/null
+++ b/debian/patches/CVE-2013-4164.patch
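Review bot: The fixture built by `create_null_byte_SAN_certificate` never contains a NUL byte: `'www.example.com\0.evil.com'` is single-quoted, so Ruby stores a literal backslash followed by a zero, and the `assert_equal(true, …)` against the same single-quoted hostname passes only because both sides carry those two characters. Use double quotes in both places, `san_list_asn1.value[0].value = "www.example.com\0.evil.com"` and `verify_certificate_identity(cert, "www.example.com\0.evil.com")`, so the test actually drives the DER-decoding path the ssl-internal.rb hunk introduces and would fail again if the old `ext.value` string path were restored. Every added test line also ends in a literal `$` (e.g. `def test_verify_certificate_identity$`), which looks like a `cat -A`/list-mode artifact; if those characters really are in the patch file, test_ssl.rb will not parse, so please check the file before upload. Separately, `gsub(/\\\*/, "[^.]+")` still expands a `*` in any label of the dNSName rather than only the left-most one as RFC 6125 §6.4.3 expects; that is pre-existing and outside this CVE, but worth a follow-up bug.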
@@ -0,0 +1,63 @@
+Description: Fix Heap Overflow in Floating Point Parsing
+ This vulnerability is tracked with CVE-2013-4164.
+ .
+ https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
+Origin: backport, https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43776/diff
+ https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43782/diff
+Bug-Debian: http://bugs.debian.org/730189
+Forwarded: not-needed
+Applied-Upstream: 1.9.3-p484, 2.0.0-p353
+Last-Update: 2013-11-29
+
+diff -Naur ruby1.8-1.8.7.358.orig/util.c ruby1.8-1.8.7.358/util.c
+--- ruby1.8-1.8.7.358.orig/util.c 2010-11-22 08:21:34.000000000 +0100
++++ ruby1.8-1.8.7.358/util.c 2013-11-25 14:05:32.808002236 +0100
+@@ -892,6 +892,11 @@
+ #else
+ #define MALLOC malloc
+ #endif
++#ifdef FREE
++extern void FREE(void*);
++#else
++#define FREE free
++#endif
+
+ #ifndef Omit_Private_Memory
+ #ifndef PRIVATE_MEM
+@@ -1176,7 +1181,7 @@
+ #endif
+
+ ACQUIRE_DTOA_LOCK(0);
+- if ((rv = freelist[k]) != 0) {
++ if (k <= Kmax && (rv = freelist[k]) != 0) {
+ freelist[k] = rv->next;
+ }
+ else {
+@@ -1186,7 +1191,7 @@
+ #else
+ len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
+ /sizeof(double);
+- if (pmem_next - private_mem + len <= PRIVATE_mem) {
++ if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
+ rv = (Bigint*)pmem_next;
+ pmem_next += len;
+ }
+@@ -1205,6 +1210,10 @@
+ Bfree(Bigint *v)
+ {
+ if (v) {
++ if (v->k > Kmax) {
++ FREE(v);
++ return;
++ }
+ ACQUIRE_DTOA_LOCK(0);
+ v->next = freelist[v->k];
+ freelist[v->k] = v;
+@@ -2200,6 +2209,7 @@
+ for (; c >= '0' && c <= '9'; c = *++s) {
+ have_dig:
+ nz++;
++ if (nf > DBL_DIG * 4) continue;
+ if (c -= '0') {
+ nf += nz;
+ for (i = 1; i < nz; i++)
diff --git a/debian/patches/series b/debian/patches/series
index e8c5cdd..73ca95e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
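Review bot: The new `if (nf > DBL_DIG * 4) continue;` in the `have_dig` loop carries no comment, so a reader of util.c sees fractional digits being silently discarded with nothing tying it to the overflow it prevents. I would put `/* CVE-2013-4164: stop feeding fraction digits to the Bigint path past DBL_DIG*4; unbounded input otherwise grows k beyond Kmax (see Balloc/Bfree) */` above it, leaving the "cannot change the rounded result" half of upstream's reasoning out unless someone verifies it for this dtoa. Unlike the ruby1.9.1 counterpart in this same upload, the 1.8 backport ships no regression test; even if 1.8's test helpers lack `assert_normal_exit`, a plain `("1."+"1"*300000).to_f` in test/ruby/test_float.rb would still catch a reintroduced crash. The `v->k > Kmax` early return in `Bfree` assumes `Balloc` stores `k` into `rv->k` on the MALLOC path; that assignment is outside the hunk, so confirm it exists in 1.8.7's util.c. The enclosing `Balloc` and strtod bodies start and end outside these hunks.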
@@ -15,3 +15,5 @@ tcltk-no-rpath.patch
 use-ldflags.patch
 CVE-2012-4481.patch
 CVE-2013-1821.patch
+CVE-2013-4073.patch
+CVE-2013-4164.patch
diff --git a/debian/changelog b/debian/changelog
index f14e8c7..b08d0a9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby1.9.1 (1.9.3.194-8.1+deb7u2) stable-security; urgency=low
+
+ * debian/patches/CVE-2013-4164.patch: add upstream patch to fix heap
+ overflow in floating point parsing. Closes: #730178
+
+ -- Raphaël Hertzog <b...@kali.org> Fri, 29 Nov 2013 07:36:01 +0000
+
 ruby1.9.1 (1.9.3.194-8.1+deb7u1) stable-security; urgency=low
 
 * debian/patches/CVE-2013-2065.patch: add upstream patch to fix object taint
diff --git a/debian/patches/CVE-2013-4164.patch b/debian/patches/CVE-2013-4164.patch
new file mode 100644
index 0000000..3da0868
--- /dev/null
+++ b/debian/patches/CVE-2013-4164.patch
@@ -0,0 +1,80 @@
+Description: Fix Heap Overflow in Floating Point Parsing
+ This vulnerability is tracked with CVE-2013-4164.
+ .
+ https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
+Origin: upstream, https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43776/diff
+Bug-Debian: http://bugs.debian.org/730178
+Forwarded: not-needed
+Applied-Upstream: 1.9.3-p484, 2.0.0-p353
+Last-Update: 2013-11-29
+
+--- a/util.c
++++ b/util.c
+@@ -852,6 +852,11 @@ extern void *MALLOC(size_t);
+ #else
+ #define MALLOC malloc
+ #endif
++#ifdef FREE
++extern void FREE(void*);
++#else
++#define FREE free
++#endif
+
+ #ifndef Omit_Private_Memory
+ #ifndef PRIVATE_MEM
+@@ -1142,7 +1147,7 @@ Balloc(int k)
+ #endif
+
+ ACQUIRE_DTOA_LOCK(0);
+- if ((rv = freelist[k]) != 0) {
++ if (k <= Kmax && (rv = freelist[k]) != 0) {
+ freelist[k] = rv->next;
+ }
+ else {
+@@ -1152,7 +1157,7 @@ Balloc(int k)
+ #else
+ len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
+ /sizeof(double);
+- if (pmem_next - private_mem + len <= PRIVATE_mem) {
++ if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
+ rv = (Bigint*)pmem_next;
+ pmem_next += len;
+ }
+@@ -1171,6 +1176,10 @@ static void
+ Bfree(Bigint *v)
+ {
+ if (v) {
++ if (v->k > Kmax) {
++ FREE(v);
++ return;
++ }
+ ACQUIRE_DTOA_LOCK(0);
+ v->next = freelist[v->k];
+ freelist[v->k] = v;
+@@ -2231,6 +2240,7 @@ break2:
+ for (; c >= '0' && c <= '9'; c = *++s) {
+ have_dig:
+ nz++;
++ if (nf > DBL_DIG * 4) continue;
+ if (c -= '0') {
+ nf += nz;
+ for (i = 1; i < nz; i++)
+--- a/test/ruby/test_float.rb
++++ b/test/ruby/test_float.rb
+@@ -519,4 +519,16 @@ class TestFloat < Test::Unit::TestCase
+ sleep(0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1)
+ end
+ end
++
++ def test_long_string
++ assert_normal_exit(<<-'end;')
++ assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9)
++ end;
++ end
++
++ def test_long_string
++ assert_normal_exit(<<-'end;')
++ assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9)
++ 
end;
++ end
+ end
diff --git a/debian/patches/series b/debian/patches/series
index e729ac6..0a77d81 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@ CVE-2013-0269.patch
 CVE-2013-1821.patch
 CVE-2013-2065.patch
 CVE-2013-4073.patch
+CVE-2013-4164.patch
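Review bot: `test_long_string` is added twice in the test/ruby/test_float.rb hunk; the two `def test_long_string` blocks are byte-identical, so Ruby silently redefines the method (a "method redefined" warning under -w) and only one copy ever runs. Drop the second copy and shrink the inner header to `@@ -519,4 +519,10 @@`, then refresh the outer header from `@@ -0,0 +1,80 @@` to 74 lines, which is what the upstream r43776 change adds. The patch's Origin field cites only r43776, while the ruby1.8 patch in this same upload attributes the identical Balloc/Bfree `Kmax` guard to r43782 as well; listing both here keeps the provenance of the C hunks traceable for whoever rebases this later.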