Fix unsafe object deserialization in RubyGems (CVE-2017-0903).

* ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization -vulnerability.patch Resolves: CVE-2017-0903
2017-10-31 12:18:53 +01:00 · 2017-10-31 12:18:53 +01:00 · 31265d7a88
commit 31265d7a88
parent 89f3ea9d4a
2 changed files with 166 additions and 1 deletions
--- a/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch
+++ b/ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch
@ -0,0 +1,156 @@
+From 1281e56682692859e726e24fff30e44aac6f948b Mon Sep 17 00:00:00 2001
+From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Wed, 11 Oct 2017 13:48:14 +0000
+Subject: [PATCH] merge revision(s) 60149: [Backport #14003]
+
+	Merge rubygems-2.6.14 changes.
+
+	  It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@60168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+---
+ lib/rubygems.rb               |  5 +++--
+ lib/rubygems/config_file.rb   |  2 +-
+ lib/rubygems/package.rb       |  2 +-
+ lib/rubygems/package/old.rb   |  2 +-
+ lib/rubygems/safe_yaml.rb     | 48 +++++++++++++++++++++++++++++++++++++++++++
+ lib/rubygems/specification.rb |  2 +-
+ 6 files changed, 55 insertions(+), 6 deletions(-)
+ create mode 100644 lib/rubygems/safe_yaml.rb
+
+diff --git a/lib/rubygems.rb b/lib/rubygems.rb
+index 55aa85b8b2bd..0685bcb3c629 100644
+--- a/lib/rubygems.rb
+++ b/lib/rubygems.rb
+@@ -10,7 +10,7 @@
+ require 'thread'
+ 
+ module Gem
+-  VERSION = "2.6.13"
+  VERSION = "2.6.14"
+ end
+ 
+ # Must be first since it unloads the prelude from 1.9.2
+@@ -675,7 +675,7 @@ def self.load_yaml
+ 
+     unless test_syck
+       begin
+-        gem 'psych', '>= 1.2.1'
+        gem 'psych', '>= 2.0.0'
+       rescue Gem::LoadError
+         # It's OK if the user does not have the psych gem installed.  We will
+         # attempt to require the stdlib version
+@@ -699,6 +699,7 @@ def self.load_yaml
+     end
+ 
+     require 'yaml'
+    require 'rubygems/safe_yaml'
+ 
+     # If we're supposed to be using syck, then we may have to force
+     # activate it via the YAML::ENGINE API.
+diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
+index c95d7dd1f14e..63583b361615 100644
+--- a/lib/rubygems/config_file.rb
+++ b/lib/rubygems/config_file.rb
+@@ -345,7 +345,7 @@ def load_file(filename)
+     return {} unless filename and File.exist? filename
+ 
+     begin
+-      content = YAML.load(File.read(filename))
+      content = Gem::SafeYAML.load(File.read(filename))
+       unless content.kind_of? Hash
+         warn "Failed to load #{filename} because it doesn't contain valid YAML hash"
+         return {}
+diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
+index c36e71d800a2..77811ed5ecaa 100644
+--- a/lib/rubygems/package.rb
+++ b/lib/rubygems/package.rb
+@@ -468,7 +468,7 @@ def read_checksums gem
+ 
+     @checksums = gem.seek 'checksums.yaml.gz' do |entry|
+       Zlib::GzipReader.wrap entry do |gz_io|
+-        YAML.load gz_io.read
+        Gem::SafeYAML.safe_load gz_io.read
+       end
+     end
+   end
+diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb
+index 5e722baa3540..071f7141ab78 100644
+--- a/lib/rubygems/package/old.rb
+++ b/lib/rubygems/package/old.rb
+@@ -101,7 +101,7 @@ def file_list io # :nodoc:
+       header << line
+     end
+ 
+-    YAML.load header
+    Gem::SafeYAML.safe_load header
+   end
+ 
+   ##
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+new file mode 100644
+index 000000000000..b98cfaa5e60d
+--- /dev/null
+++ b/lib/rubygems/safe_yaml.rb
+@@ -0,0 +1,48 @@
+module Gem
+
+  ###
+  # This module is used for safely loading YAML specs from a gem.  The
+  # `safe_load` method defined on this module is specifically designed for
+  # loading Gem specifications.  For loading other YAML safely, please see
+  # Psych.safe_load
+
+  module SafeYAML
+    WHITELISTED_CLASSES = %w(
+      Symbol
+      Time
+      Date
+      Gem::Dependency
+      Gem::Platform
+      Gem::Requirement
+      Gem::Specification
+      Gem::Version
+      Gem::Version::Requirement
+      YAML::Syck::DefaultKey
+      Syck::DefaultKey
+    )
+
+    WHITELISTED_SYMBOLS = %w(
+      development
+      runtime
+    )
+
+    if ::YAML.respond_to? :safe_load
+      def self.safe_load input
+        ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+      end
+
+      def self.load input
+        ::YAML.safe_load(input, [::Symbol])
+      end
+    else
+      warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+      def self.safe_load input, *args
+        ::YAML.load input
+      end
+
+      def self.load input
+        ::YAML.load input
+      end
+    end
+  end
+end
+diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
+index 88e320c05ac9..40e3a70d476c 100644
+--- a/lib/rubygems/specification.rb
+++ b/lib/rubygems/specification.rb
+@@ -1101,7 +1101,7 @@ def self.from_yaml(input)
+     Gem.load_yaml
+ 
+     input = normalize_yaml_input input
+-    spec = YAML.load input
+    spec = Gem::SafeYAML.safe_load input
+ 
+     if spec && spec.class == FalseClass then
+       raise Gem::EndOfYAMLException
--- a/ruby.spec
+++ b/ruby.spec
@ -32,7 +32,7 @@
 %global rubygems_dir %{_datadir}/rubygems

 # Bundled libraries versions
-%global rubygems_version 2.6.13
+%global rubygems_version 2.6.14
 %global molinillo_version 0.5.7

 # TODO: The IRB has strange versioning. Keep the Ruby's versioning ATM.
@ -140,6 +140,10 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch
 # hardening features of glibc (rhbz#1361037).
 # https://bugs.ruby-lang.org/issues/12666
 Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch
+# CVE-2017-0903: Fix unsafe object deserialization through YAML formatted gem
+# specifications.
+# https://bugs.ruby-lang.org/issues/14003
+Patch10: ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch

 Requires: %{?scl_prefix}%{pkg_name}-libs%{?_isa} = %{version}-%{release}
 Requires: %{?scl_prefix}ruby(rubygems) >= %{rubygems_version}
@ -514,6 +518,7 @@ rm -rf ext/fiddle/libffi*
 %patch6 -p1
 %patch7 -p1
 %patch9 -p1
+%patch10 -p1

 # Allow to use autoconf 2.63.
 sed -i '/AC_PREREQ/ s/(.*)/(2.62)/' configure.in
@ -1057,6 +1062,10 @@ make check TESTS="-v $DISABLE_TESTS"
  * Remove Patch10: ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch;
      subsumed
  Resolves: rhbz#1506785
+- Fix unsafe object deserialization in RubyGems (CVE-2017-0903).
+  * ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization
+      -vulnerability.patch
+  Resolves: CVE-2017-0903

 * Tue Jan 17 2017 Vít Ondruch <vondruch@redhat.com> - 2.4.0-75
 - Apply patch fixing rubygem-mongo build failures.