Fix unsafe object deserialization in RubyGems (CVE-2017-0903).
* ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch Resolves: CVE-2017-0903
This commit is contained in:
parent
89f3ea9d4a
commit
31265d7a88
@ -0,0 +1,156 @@
|
|||||||
|
From 1281e56682692859e726e24fff30e44aac6f948b Mon Sep 17 00:00:00 2001
|
||||||
|
From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
|
||||||
|
Date: Wed, 11 Oct 2017 13:48:14 +0000
|
||||||
|
Subject: [PATCH] merge revision(s) 60149: [Backport #14003]
|
||||||
|
|
||||||
|
Merge rubygems-2.6.14 changes.
|
||||||
|
|
||||||
|
It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
|
||||||
|
|
||||||
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@60168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
||||||
|
---
|
||||||
|
lib/rubygems.rb | 5 +++--
|
||||||
|
lib/rubygems/config_file.rb | 2 +-
|
||||||
|
lib/rubygems/package.rb | 2 +-
|
||||||
|
lib/rubygems/package/old.rb | 2 +-
|
||||||
|
lib/rubygems/safe_yaml.rb | 48 +++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
lib/rubygems/specification.rb | 2 +-
|
||||||
|
6 files changed, 55 insertions(+), 6 deletions(-)
|
||||||
|
create mode 100644 lib/rubygems/safe_yaml.rb
|
||||||
|
|
||||||
|
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
|
||||||
|
index 55aa85b8b2bd..0685bcb3c629 100644
|
||||||
|
--- a/lib/rubygems.rb
|
||||||
|
+++ b/lib/rubygems.rb
|
||||||
|
@@ -10,7 +10,7 @@
|
||||||
|
require 'thread'
|
||||||
|
|
||||||
|
module Gem
|
||||||
|
- VERSION = "2.6.13"
|
||||||
|
+ VERSION = "2.6.14"
|
||||||
|
end
|
||||||
|
|
||||||
|
# Must be first since it unloads the prelude from 1.9.2
|
||||||
|
@@ -675,7 +675,7 @@ def self.load_yaml
|
||||||
|
|
||||||
|
unless test_syck
|
||||||
|
begin
|
||||||
|
- gem 'psych', '>= 1.2.1'
|
||||||
|
+ gem 'psych', '>= 2.0.0'
|
||||||
|
rescue Gem::LoadError
|
||||||
|
# It's OK if the user does not have the psych gem installed. We will
|
||||||
|
# attempt to require the stdlib version
|
||||||
|
@@ -699,6 +699,7 @@ def self.load_yaml
|
||||||
|
end
|
||||||
|
|
||||||
|
require 'yaml'
|
||||||
|
+ require 'rubygems/safe_yaml'
|
||||||
|
|
||||||
|
# If we're supposed to be using syck, then we may have to force
|
||||||
|
# activate it via the YAML::ENGINE API.
|
||||||
|
diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
|
||||||
|
index c95d7dd1f14e..63583b361615 100644
|
||||||
|
--- a/lib/rubygems/config_file.rb
|
||||||
|
+++ b/lib/rubygems/config_file.rb
|
||||||
|
@@ -345,7 +345,7 @@ def load_file(filename)
|
||||||
|
return {} unless filename and File.exist? filename
|
||||||
|
|
||||||
|
begin
|
||||||
|
- content = YAML.load(File.read(filename))
|
||||||
|
+ content = Gem::SafeYAML.load(File.read(filename))
|
||||||
|
unless content.kind_of? Hash
|
||||||
|
warn "Failed to load #(unknown) because it doesn't contain valid YAML hash"
|
||||||
|
return {}
|
||||||
|
diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
|
||||||
|
index c36e71d800a2..77811ed5ecaa 100644
|
||||||
|
--- a/lib/rubygems/package.rb
|
||||||
|
+++ b/lib/rubygems/package.rb
|
||||||
|
@@ -468,7 +468,7 @@ def read_checksums gem
|
||||||
|
|
||||||
|
@checksums = gem.seek 'checksums.yaml.gz' do |entry|
|
||||||
|
Zlib::GzipReader.wrap entry do |gz_io|
|
||||||
|
- YAML.load gz_io.read
|
||||||
|
+ Gem::SafeYAML.safe_load gz_io.read
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb
|
||||||
|
index 5e722baa3540..071f7141ab78 100644
|
||||||
|
--- a/lib/rubygems/package/old.rb
|
||||||
|
+++ b/lib/rubygems/package/old.rb
|
||||||
|
@@ -101,7 +101,7 @@ def file_list io # :nodoc:
|
||||||
|
header << line
|
||||||
|
end
|
||||||
|
|
||||||
|
- YAML.load header
|
||||||
|
+ Gem::SafeYAML.safe_load header
|
||||||
|
end
|
||||||
|
|
||||||
|
##
|
||||||
|
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000000..b98cfaa5e60d
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/lib/rubygems/safe_yaml.rb
|
||||||
|
@@ -0,0 +1,48 @@
|
||||||
|
+module Gem
|
||||||
|
+
|
||||||
|
+ ###
|
||||||
|
+ # This module is used for safely loading YAML specs from a gem. The
|
||||||
|
+ # `safe_load` method defined on this module is specifically designed for
|
||||||
|
+ # loading Gem specifications. For loading other YAML safely, please see
|
||||||
|
+ # Psych.safe_load
|
||||||
|
+
|
||||||
|
+ module SafeYAML
|
||||||
|
+ WHITELISTED_CLASSES = %w(
|
||||||
|
+ Symbol
|
||||||
|
+ Time
|
||||||
|
+ Date
|
||||||
|
+ Gem::Dependency
|
||||||
|
+ Gem::Platform
|
||||||
|
+ Gem::Requirement
|
||||||
|
+ Gem::Specification
|
||||||
|
+ Gem::Version
|
||||||
|
+ Gem::Version::Requirement
|
||||||
|
+ YAML::Syck::DefaultKey
|
||||||
|
+ Syck::DefaultKey
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ WHITELISTED_SYMBOLS = %w(
|
||||||
|
+ development
|
||||||
|
+ runtime
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ if ::YAML.respond_to? :safe_load
|
||||||
|
+ def self.safe_load input
|
||||||
|
+ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
+ def self.load input
|
||||||
|
+ ::YAML.safe_load(input, [::Symbol])
|
||||||
|
+ end
|
||||||
|
+ else
|
||||||
|
+ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
|
||||||
|
+ def self.safe_load input, *args
|
||||||
|
+ ::YAML.load input
|
||||||
|
+ end
|
||||||
|
+
|
||||||
|
+ def self.load input
|
||||||
|
+ ::YAML.load input
|
||||||
|
+ end
|
||||||
|
+ end
|
||||||
|
+ end
|
||||||
|
+end
|
||||||
|
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
|
||||||
|
index 88e320c05ac9..40e3a70d476c 100644
|
||||||
|
--- a/lib/rubygems/specification.rb
|
||||||
|
+++ b/lib/rubygems/specification.rb
|
||||||
|
@@ -1101,7 +1101,7 @@ def self.from_yaml(input)
|
||||||
|
Gem.load_yaml
|
||||||
|
|
||||||
|
input = normalize_yaml_input input
|
||||||
|
- spec = YAML.load input
|
||||||
|
+ spec = Gem::SafeYAML.safe_load input
|
||||||
|
|
||||||
|
if spec && spec.class == FalseClass then
|
||||||
|
raise Gem::EndOfYAMLException
|
11
ruby.spec
11
ruby.spec
@ -32,7 +32,7 @@
|
|||||||
%global rubygems_dir %{_datadir}/rubygems
|
%global rubygems_dir %{_datadir}/rubygems
|
||||||
|
|
||||||
# Bundled libraries versions
|
# Bundled libraries versions
|
||||||
%global rubygems_version 2.6.13
|
%global rubygems_version 2.6.14
|
||||||
%global molinillo_version 0.5.7
|
%global molinillo_version 0.5.7
|
||||||
|
|
||||||
# TODO: The IRB has strange versioning. Keep the Ruby's versioning ATM.
|
# TODO: The IRB has strange versioning. Keep the Ruby's versioning ATM.
|
||||||
@ -140,6 +140,10 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch
|
|||||||
# hardening features of glibc (rhbz#1361037).
|
# hardening features of glibc (rhbz#1361037).
|
||||||
# https://bugs.ruby-lang.org/issues/12666
|
# https://bugs.ruby-lang.org/issues/12666
|
||||||
Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch
|
Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch
|
||||||
|
# CVE-2017-0903: Fix unsafe object deserialization through YAML formatted gem
|
||||||
|
# specifications.
|
||||||
|
# https://bugs.ruby-lang.org/issues/14003
|
||||||
|
Patch10: ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch
|
||||||
|
|
||||||
Requires: %{?scl_prefix}%{pkg_name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{?scl_prefix}%{pkg_name}-libs%{?_isa} = %{version}-%{release}
|
||||||
Requires: %{?scl_prefix}ruby(rubygems) >= %{rubygems_version}
|
Requires: %{?scl_prefix}ruby(rubygems) >= %{rubygems_version}
|
||||||
@ -514,6 +518,7 @@ rm -rf ext/fiddle/libffi*
|
|||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
|
|
||||||
# Allow to use autoconf 2.63.
|
# Allow to use autoconf 2.63.
|
||||||
sed -i '/AC_PREREQ/ s/(.*)/(2.62)/' configure.in
|
sed -i '/AC_PREREQ/ s/(.*)/(2.62)/' configure.in
|
||||||
@ -1057,6 +1062,10 @@ make check TESTS="-v $DISABLE_TESTS"
|
|||||||
* Remove Patch10: ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch;
|
* Remove Patch10: ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch;
|
||||||
subsumed
|
subsumed
|
||||||
Resolves: rhbz#1506785
|
Resolves: rhbz#1506785
|
||||||
|
- Fix unsafe object deserialization in RubyGems (CVE-2017-0903).
|
||||||
|
* ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization
|
||||||
|
-vulnerability.patch
|
||||||
|
Resolves: CVE-2017-0903
|
||||||
|
|
||||||
* Tue Jan 17 2017 Vít Ondruch <vondruch@redhat.com> - 2.4.0-75
|
* Tue Jan 17 2017 Vít Ondruch <vondruch@redhat.com> - 2.4.0-75
|
||||||
- Apply patch fixing rubygem-mongo build failures.
|
- Apply patch fixing rubygem-mongo build failures.
|
||||||
|
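Review bot: The comment introducing Patch10 (`# CVE-2017-0903: Fix unsafe object deserialization through YAML formatted gem specifications.`) understates what the patch guards: besides `Gem::Specification.from_yaml` it also routes `checksums.yaml.gz`, the legacy package header in `package/old.rb` and the gemrc/config-file loader through `Gem::SafeYAML`. I would widen it to `# CVE-2017-0903: Fix unsafe object deserialization of YAML read from gem files (specification, checksums, legacy header) and from gemrc config files; backport of the RubyGems 2.6.14 safe_yaml.rb change.` so a later maintainer rebasing or dropping the patch knows every call site it covers. The changelog lines are appended under the existing top entry rather than a new dated header; if Release was not bumped alongside (it is outside these hunks), the rebuilt package carries the same NVR as the vulnerable build, which makes patched hosts hard to tell apart by package version alone.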