diff --git a/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch b/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch
new file mode 100644
index 0000000..a7272f0
--- /dev/null
+++ b/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch
@@ -0,0 +1,156 @@ +From 1281e56682692859e726e24fff30e44aac6f948b Mon Sep 17 00:00:00 2001 +From: nagachika +Date: Wed, 11 Oct 2017 13:48:14 +0000 +Subject: [PATCH] merge revision(s) 60149: [Backport #14003] + + Merge rubygems-2.6.14 changes. + + It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html + +git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@60168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e +--- + lib/rubygems.rb | 5 +++-- + lib/rubygems/config_file.rb | 2 +- + lib/rubygems/package.rb | 2 +- + lib/rubygems/package/old.rb | 2 +- + lib/rubygems/safe_yaml.rb | 48 +++++++++++++++++++++++++++++++++++++++++++ + lib/rubygems/specification.rb | 2 +- + 6 files changed, 55 insertions(+), 6 deletions(-) + create mode 100644 lib/rubygems/safe_yaml.rb + +diff --git a/lib/rubygems.rb b/lib/rubygems.rb +index 55aa85b8b2bd..0685bcb3c629 100644 +--- a/lib/rubygems.rb ++++ b/lib/rubygems.rb +@@ -10,7 +10,7 @@ + require 'thread' + + module Gem +- VERSION = "2.6.13" ++ VERSION = "2.6.14" + end + + # Must be first since it unloads the prelude from 1.9.2 +@@ -675,7 +675,7 @@ def self.load_yaml + + unless test_syck + begin +- gem 'psych', '>= 1.2.1' ++ gem 'psych', '>= 2.0.0' + rescue Gem::LoadError + # It's OK if the user does not have the psych gem installed. We will + # attempt to require the stdlib version +@@ -699,6 +699,7 @@ def self.load_yaml + end + + require 'yaml' ++ require 'rubygems/safe_yaml' + + # If we're supposed to be using syck, then we may have to force + # activate it via the YAML::ENGINE API. +diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb +index c95d7dd1f14e..63583b361615 100644 +--- a/lib/rubygems/config_file.rb ++++ b/lib/rubygems/config_file.rb +@@ -345,7 +345,7 @@ def load_file(filename) + return {} unless filename and File.exist? filename + + begin +- content = YAML.load(File.read(filename)) ++ content = Gem::SafeYAML.load(File.read(filename)) + unless content.kind_of? 
Hash + warn "Failed to load #(unknown) because it doesn't contain valid YAML hash" + return {} +diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb +index c36e71d800a2..77811ed5ecaa 100644 +--- a/lib/rubygems/package.rb ++++ b/lib/rubygems/package.rb +@@ -468,7 +468,7 @@ def read_checksums gem + + @checksums = gem.seek 'checksums.yaml.gz' do |entry| + Zlib::GzipReader.wrap entry do |gz_io| +- YAML.load gz_io.read ++ Gem::SafeYAML.safe_load gz_io.read + end + end + end +diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb +index 5e722baa3540..071f7141ab78 100644 +--- a/lib/rubygems/package/old.rb ++++ b/lib/rubygems/package/old.rb +@@ -101,7 +101,7 @@ def file_list io # :nodoc: + header << line + end + +- YAML.load header ++ Gem::SafeYAML.safe_load header + end + + ## +diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb +new file mode 100644 +index 000000000000..b98cfaa5e60d +--- /dev/null ++++ b/lib/rubygems/safe_yaml.rb +@@ -0,0 +1,48 @@ ++module Gem ++ ++ ### ++ # This module is used for safely loading YAML specs from a gem. The ++ # `safe_load` method defined on this module is specifically designed for ++ # loading Gem specifications. For loading other YAML safely, please see ++ # Psych.safe_load ++ ++ module SafeYAML ++ WHITELISTED_CLASSES = %w( ++ Symbol ++ Time ++ Date ++ Gem::Dependency ++ Gem::Platform ++ Gem::Requirement ++ Gem::Specification ++ Gem::Version ++ Gem::Version::Requirement ++ YAML::Syck::DefaultKey ++ Syck::DefaultKey ++ ) ++ ++ WHITELISTED_SYMBOLS = %w( ++ development ++ runtime ++ ) ++ ++ if ::YAML.respond_to? :safe_load ++ def self.safe_load input ++ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true) ++ end ++ ++ def self.load input ++ ::YAML.safe_load(input, [::Symbol]) ++ end ++ else ++ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)." 
++ def self.safe_load input, *args ++ ::YAML.load input ++ end ++ ++ def self.load input ++ ::YAML.load input ++ end ++ end ++ end ++end +diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb +index 88e320c05ac9..40e3a70d476c 100644 +--- a/lib/rubygems/specification.rb ++++ b/lib/rubygems/specification.rb +@@ -1101,7 +1101,7 @@ def self.from_yaml(input) + Gem.load_yaml + + input = normalize_yaml_input input +- spec = YAML.load input ++ spec = Gem::SafeYAML.safe_load input + + if spec && spec.class == FalseClass then + raise Gem::EndOfYAMLException diff --git a/ruby.spec b/ruby.spec index 5a26104..9c083d3 100644 --- a/ruby.spec +++ b/ruby.spec @@ -32,7 +32,7 @@ %global rubygems_dir %{_datadir}/rubygems # Bundled libraries versions -%global rubygems_version 2.6.13 +%global rubygems_version 2.6.14 %global molinillo_version 0.5.7 # TODO: The IRB has strange versioning. Keep the Ruby's versioning ATM. @@ -140,6 +140,10 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch # hardening features of glibc (rhbz#1361037). # https://bugs.ruby-lang.org/issues/12666 Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch +# CVE-2017-0903: Fix unsafe object deserialization through YAML formatted gem +# specifications. +# https://bugs.ruby-lang.org/issues/14003 +Patch10: ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch Requires: %{?scl_prefix}%{pkg_name}-libs%{?_isa} = %{version}-%{release} Requires: %{?scl_prefix}ruby(rubygems) >= %{rubygems_version} @@ -514,6 +518,7 @@ rm -rf ext/fiddle/libffi* %patch6 -p1 %patch7 -p1 %patch9 -p1 +%patch10 -p1 # Allow to use autoconf 2.63. sed -i '/AC_PREREQ/ s/(.*)/(2.62)/' configure.in 
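Review bot: The `else` branch of the new `Gem::SafeYAML` module in `lib/rubygems/safe_yaml.rb` defines both `safe_load` and `load` as plain `::YAML.load` whenever `::YAML.respond_to? :safe_load` is false, emitting only a one-time `warn`, so every converted call site (`from_yaml`, `load_file`, `read_checksums`, `file_list`) silently keeps the pre-fix deserialization behaviour on a psych without `safe_load`. None of the `ruby.spec` hunks visible here constrain the psych version the build or runtime picks up, so the CVE-2017-0903 fix is only as strong as that guard; confirm which psych the package actually loads, and consider a `%check` step that asserts `Gem::SafeYAML.safe_load` raises `Psych::DisallowedClass` for a class outside `WHITELISTED_CLASSES`, which would fail loudly if the fallback branch were ever taken. Separately, `require 'rubygems/safe_yaml'` is added inside `Gem.load_yaml`, so `Gem::SafeYAML` is undefined until that method runs; the `specification.rb` hunk shows `Gem.load_yaml` at the top of `from_yaml`, but the `config_file.rb`, `package.rb` and `package/old.rb` hunks do not, and their enclosing methods start outside the hunks, so verify each of them calls `Gem.load_yaml` before the `Gem::SafeYAML` reference.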
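Review bot: The new `Patch10:` declaration reuses a number that the changelog hunk in this same diff records as retired (`Remove Patch10: ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch; subsumed`), so a reader of the changelog can no longer tell which Patch10 a given build carried; using the next unused number (presumably `Patch11`, with the matching `%patch11 -p1` in the `%prep` hunk) keeps the history unambiguous. The comment above the declaration could also cite the upstream advisory the embedded patch itself references, `# http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html`, alongside the bugs.ruby-lang.org link, so the fix is traceable to its source without opening the patch file.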
@@ -1057,6 +1062,10 @@ make check TESTS="-v $DISABLE_TESTS" * Remove Patch10: ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch; subsumed Resolves: rhbz#1506785 +- Fix unsafe object deserialization in RubyGems (CVE-2017-0903). + * ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization + -vulnerability.patch + Resolves: CVE-2017-0903 * Tue Jan 17 2017 Vít Ondruch - 2.4.0-75 - Apply patch fixing rubygem-mongo build failures.