import ruby-2.5.3-104.module+el8.0.0+3250+4b7d6d43

2019-07-30 07:18:19 -04:00 · 2019-07-30 07:18:19 -04:00 · d9ae0772ec
parent 830173a218
commit d9ae0772ec
2 changed files with 178 additions and 1 deletions
--- a/SOURCES/ruby-2.5.4-fix-malicious-gem-to-lead-to-arbitrary-code-execution.patch
+++ b/SOURCES/ruby-2.5.4-fix-malicious-gem-to-lead-to-arbitrary-code-execution.patch
@ -0,0 +1,168 @@
+diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb
+index ee5fedeb64..a3f9571cf3 100644
+--- a/lib/rubygems/installer.rb
+++ b/lib/rubygems/installer.rb
+@@ -707,9 +707,26 @@ def verify_gem_home(unpack = false) # :nodoc:
+       unpack or File.writable?(gem_home)
+   end
+ 
+-  def verify_spec_name
+-    return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+-    raise Gem::InstallError, "#{spec} has an invalid name"
+  def verify_spec
+    unless spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+      raise Gem::InstallError, "#{spec} has an invalid name"
+    end
+
+    if spec.raw_require_paths.any?{|path| path =~ /\R/ }
+      raise Gem::InstallError, "#{spec} has an invalid require_paths"
+    end
+
+    if spec.extensions.any?{|ext| ext =~ /\R/ }
+      raise Gem::InstallError, "#{spec} has an invalid extensions"
+    end
+
+    if spec.specification_version.to_s =~ /\R/
+      raise Gem::InstallError, "#{spec} has an invalid specification_version"
+    end
+
+    if spec.dependencies.any? {|dep| dep.type =~ /\R/ || dep.name =~ /\R/ }
+      raise Gem::InstallError, "#{spec} has an invalid dependencies"
+    end
+   end
+ 
+   ##
+@@ -836,9 +853,11 @@ def dir
+   def pre_install_checks
+     verify_gem_home options[:unpack]
+ 
+-    ensure_loadable_spec
+    # The name and require_paths must be verified first, since it could contain
+    # ruby code that would be eval'ed in #ensure_loadable_spec
+    verify_spec
+ 
+-    verify_spec_name
+    ensure_loadable_spec
+ 
+     if options[:install_as_default]
+       Gem.ensure_default_gem_subdirectories gem_home
+diff --git a/test/rubygems/test_gem_installer.rb b/test/rubygems/test_gem_installer.rb
+index 93b0482407..7f414d495d 100644
+--- a/test/rubygems/test_gem_installer.rb
+++ b/test/rubygems/test_gem_installer.rb
+@@ -1474,6 +1474,112 @@ def spec.validate; end
+     end
+   end
+ 
+  def test_pre_install_checks_malicious_name_before_eval
+    spec = util_spec "malicious\n::Object.const_set(:FROM_EVAL, true)#", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious\n::Object.const_set(:FROM_EVAL, true)# version=1> has an invalid name", e.message
+    end
+    refute defined?(::Object::FROM_EVAL)
+  end
+
+  def test_pre_install_checks_malicious_require_paths_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.require_paths = ["malicious\n``"]
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid require_paths", e.message
+    end
+  end
+
+  def test_pre_install_checks_malicious_extensions_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.extensions = ["malicious\n``"]
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid extensions", e.message
+    end
+  end
+
+  def test_pre_install_checks_malicious_specification_version_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.specification_version = "malicious\n``"
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid specification_version", e.message
+    end
+  end
+
+  def test_pre_install_checks_malicious_dependencies_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.add_dependency "b\nfoo", '> 5'
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      @installer.ignore_dependencies = true
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid dependencies", e.message
+    end
+  end
+
+   def test_shebang
+     util_make_exec @spec, "#!/usr/bin/ruby"
+ 
+-- 
+2.21.0
+
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
@ -21,7 +21,7 @@
 %endif


-%global release 103
+%global release 104
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}

 # The RubyGems library has to stay out of Ruby directory three, since the
@ -154,6 +154,10 @@ Patch25: ruby-2.6.0-Update-for-tzdata-2018f.patch
 # https://bugs.ruby-lang.org/issues/15502
 # https://github.com/ruby/ruby/commit/6f9b40ea53d8f3fb2a5b1c7ac55c207d42c77ef4
 Patch11: ruby-2.6.0-Try-to-update-cert.patch
+# CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
+# https://bugzilla.redhat.com/show_bug.cgi?id=1692520
+# https://github.com/rubygems/rubygems/commit/8e61a52f49c9530706cd73d2f1edc10f097e591f
+Patch26: ruby-2.5.4-fix-malicious-gem-to-lead-to-arbitrary-code-execution.patch

 # Fix some OpenSSL 1.1.1 test failures.
 # https://github.com/ruby/ruby/commit/1dfc377ae3b174b043d3f0ed36de57b0296b34d0
@ -555,6 +559,7 @@ rm -rf ext/fiddle/libffi*
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
+%patch26 -p1

 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1105,6 +1110,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec

 %changelog
+* Tue May 07 2019 Jun Aruga <jaruga@redhat.com> - 2.5.3-104
+- Prohibit arbitrary code execution when installing a malicious gem.
+  Resolves: CVE-2019-8324
+
 * Fri Jan 11 2019 Jun Aruga <jaruga@redhat.com> - 2.5.3-103
 - Refresh expired certificates to fix FTBFS.