Fix unsafe object deserialization in RubyGems (CVE-2017-0903).

* ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization
      -vulnerability.patch

Resolves: CVE-2017-0903
This commit is contained in:
Vít Ondruch 2017-10-31 12:18:53 +01:00
parent 89f3ea9d4a
commit 31265d7a88
2 changed files with 166 additions and 1 deletions

View File

@ -0,0 +1,156 @@
From 1281e56682692859e726e24fff30e44aac6f948b Mon Sep 17 00:00:00 2001
From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 11 Oct 2017 13:48:14 +0000
Subject: [PATCH] merge revision(s) 60149: [Backport #14003]
Merge rubygems-2.6.14 changes.
It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@60168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
lib/rubygems.rb | 5 +++--
lib/rubygems/config_file.rb | 2 +-
lib/rubygems/package.rb | 2 +-
lib/rubygems/package/old.rb | 2 +-
lib/rubygems/safe_yaml.rb | 48 +++++++++++++++++++++++++++++++++++++++++++
lib/rubygems/specification.rb | 2 +-
6 files changed, 55 insertions(+), 6 deletions(-)
create mode 100644 lib/rubygems/safe_yaml.rb
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
index 55aa85b8b2bd..0685bcb3c629 100644
--- a/lib/rubygems.rb
+++ b/lib/rubygems.rb
@@ -10,7 +10,7 @@
require 'thread'
module Gem
- VERSION = "2.6.13"
+ VERSION = "2.6.14"
end
# Must be first since it unloads the prelude from 1.9.2
@@ -675,7 +675,7 @@ def self.load_yaml
unless test_syck
begin
- gem 'psych', '>= 1.2.1'
+ gem 'psych', '>= 2.0.0'
rescue Gem::LoadError
# It's OK if the user does not have the psych gem installed. We will
# attempt to require the stdlib version
@@ -699,6 +699,7 @@ def self.load_yaml
end
require 'yaml'
+ require 'rubygems/safe_yaml'
# If we're supposed to be using syck, then we may have to force
# activate it via the YAML::ENGINE API.
diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
index c95d7dd1f14e..63583b361615 100644
--- a/lib/rubygems/config_file.rb
+++ b/lib/rubygems/config_file.rb
@@ -345,7 +345,7 @@ def load_file(filename)
return {} unless filename and File.exist? filename
begin
- content = YAML.load(File.read(filename))
+ content = Gem::SafeYAML.load(File.read(filename))
unless content.kind_of? Hash
warn "Failed to load #{filename} because it doesn't contain valid YAML hash"
return {}
diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
index c36e71d800a2..77811ed5ecaa 100644
--- a/lib/rubygems/package.rb
+++ b/lib/rubygems/package.rb
@@ -468,7 +468,7 @@ def read_checksums gem
@checksums = gem.seek 'checksums.yaml.gz' do |entry|
Zlib::GzipReader.wrap entry do |gz_io|
- YAML.load gz_io.read
+ Gem::SafeYAML.safe_load gz_io.read
end
end
end
diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb
index 5e722baa3540..071f7141ab78 100644
--- a/lib/rubygems/package/old.rb
+++ b/lib/rubygems/package/old.rb
@@ -101,7 +101,7 @@ def file_list io # :nodoc:
header << line
end
- YAML.load header
+ Gem::SafeYAML.safe_load header
end
##
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
new file mode 100644
index 000000000000..b98cfaa5e60d
--- /dev/null
+++ b/lib/rubygems/safe_yaml.rb
@@ -0,0 +1,48 @@
+module Gem
+
+ ###
+ # This module is used for safely loading YAML specs from a gem. The
+ # `safe_load` method defined on this module is specifically designed for
+ # loading Gem specifications. For loading other YAML safely, please see
+ # Psych.safe_load
+
+ module SafeYAML
+ WHITELISTED_CLASSES = %w(
+ Symbol
+ Time
+ Date
+ Gem::Dependency
+ Gem::Platform
+ Gem::Requirement
+ Gem::Specification
+ Gem::Version
+ Gem::Version::Requirement
+ YAML::Syck::DefaultKey
+ Syck::DefaultKey
+ )
+
+ WHITELISTED_SYMBOLS = %w(
+ development
+ runtime
+ )
+
+ if ::YAML.respond_to? :safe_load
+ def self.safe_load input
+ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
+ end
+
+ def self.load input
+ ::YAML.safe_load(input, [::Symbol])
+ end
+ else
+ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+ def self.safe_load input, *args
+ ::YAML.load input
+ end
+
+ def self.load input
+ ::YAML.load input
+ end
+ end
+ end
+end
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
index 88e320c05ac9..40e3a70d476c 100644
--- a/lib/rubygems/specification.rb
+++ b/lib/rubygems/specification.rb
@@ -1101,7 +1101,7 @@ def self.from_yaml(input)
Gem.load_yaml
input = normalize_yaml_input input
- spec = YAML.load input
+ spec = Gem::SafeYAML.safe_load input
if spec && spec.class == FalseClass then
raise Gem::EndOfYAMLException

View File

@ -32,7 +32,7 @@
%global rubygems_dir %{_datadir}/rubygems
# Bundled libraries versions
%global rubygems_version 2.6.13
%global rubygems_version 2.6.14
%global molinillo_version 0.5.7
# TODO: The IRB has strange versioning. Keep the Ruby's versioning ATM.
@ -140,6 +140,10 @@ Patch7: ruby-2.2.3-Generate-preludes-using-miniruby.patch
# hardening features of glibc (rhbz#1361037).
# https://bugs.ruby-lang.org/issues/12666
Patch9: ruby-2.3.1-Rely-on-ldd-to-detect-glibc.patch
# CVE-2017-0903: Fix unsafe object deserialization through YAML formatted gem
# specifications.
# https://bugs.ruby-lang.org/issues/14003
Patch10: ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization-vulnerability.patch
Requires: %{?scl_prefix}%{pkg_name}-libs%{?_isa} = %{version}-%{release}
Requires: %{?scl_prefix}ruby(rubygems) >= %{rubygems_version}
@ -514,6 +518,7 @@ rm -rf ext/fiddle/libffi*
%patch6 -p1
%patch7 -p1
%patch9 -p1
%patch10 -p1
# Allow to use autoconf 2.63.
sed -i '/AC_PREREQ/ s/(.*)/(2.62)/' configure.in
@ -1057,6 +1062,10 @@ make check TESTS="-v $DISABLE_TESTS"
* Remove Patch10: ruby-2.4.0-vm_insnhelper.c-block-argument-at-tailcall.patch;
subsumed
Resolves: rhbz#1506785
- Fix unsafe object deserialization in RubyGems (CVE-2017-0903).
* ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization
-vulnerability.patch
Resolves: CVE-2017-0903
* Tue Jan 17 2017 Vít Ondruch <vondruch@redhat.com> - 2.4.0-75
- Apply patch fixing rubygem-mongo build failures.