From d9ae0772ec7c51267d11298a8523332bf3f0992e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 30 Jul 2019 07:18:19 -0400
Subject: [PATCH] import ruby-2.5.3-104.module+el8.0.0+3250+4b7d6d43

---
 ...-to-lead-to-arbitrary-code-execution.patch | 168 ++++++++++++++++++
 SPECS/ruby.spec | 11 +-
 2 files changed, 178 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/ruby-2.5.4-fix-malicious-gem-to-lead-to-arbitrary-code-execution.patch

diff --git a/SOURCES/ruby-2.5.4-fix-malicious-gem-to-lead-to-arbitrary-code-execution.patch b/SOURCES/ruby-2.5.4-fix-malicious-gem-to-lead-to-arbitrary-code-execution.patch
new file mode 100644
index 0000000..ca63318
--- /dev/null
+++ b/SOURCES/ruby-2.5.4-fix-malicious-gem-to-lead-to-arbitrary-code-execution.patch
@@ -0,0 +1,168 @@
+diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb
+index ee5fedeb64..a3f9571cf3 100644
+--- a/lib/rubygems/installer.rb
++++ b/lib/rubygems/installer.rb
+@@ -707,9 +707,26 @@ def verify_gem_home(unpack = false) # :nodoc:
+ unpack or File.writable?(gem_home)
+ end
+
+- def verify_spec_name
+- return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+- raise Gem::InstallError, "#{spec} has an invalid name"
++ def verify_spec
++ unless spec.name =~ Gem::Specification::VALID_NAME_PATTERN
++ raise Gem::InstallError, "#{spec} has an invalid name"
++ end
++
++ if spec.raw_require_paths.any?{|path| path =~ /\R/ }
++ raise Gem::InstallError, "#{spec} has an invalid require_paths"
++ end
++
++ if spec.extensions.any?{|ext| ext =~ /\R/ }
++ raise Gem::InstallError, "#{spec} has an invalid extensions"
++ end
++
++ if spec.specification_version.to_s =~ /\R/
++ raise Gem::InstallError, "#{spec} has an invalid specification_version"
++ end
++
++ if spec.dependencies.any?
{|dep| dep.type =~ /\R/ || dep.name =~ /\R/ }
++ raise Gem::InstallError, "#{spec} has an invalid dependencies"
++ end
+ end
+
+ ##
+@@ -836,9 +853,11 @@ def dir
+ def pre_install_checks
+ verify_gem_home options[:unpack]
+
+- ensure_loadable_spec
++ # The name and require_paths must be verified first, since it could contain
++ # ruby code that would be eval'ed in #ensure_loadable_spec
++ verify_spec
+
+- verify_spec_name
++ ensure_loadable_spec
+
+ if options[:install_as_default]
+ Gem.ensure_default_gem_subdirectories gem_home
+diff --git a/test/rubygems/test_gem_installer.rb b/test/rubygems/test_gem_installer.rb
+index 93b0482407..7f414d495d 100644
+--- a/test/rubygems/test_gem_installer.rb
++++ b/test/rubygems/test_gem_installer.rb
+@@ -1474,6 +1474,112 @@ def spec.validate; end
+ end
+ end
+
++ def test_pre_install_checks_malicious_name_before_eval
++ spec = util_spec "malicious\n::Object.const_set(:FROM_EVAL, true)#", '1'
++ def spec.full_name # so the spec is buildable
++ "malicious-1"
++ end
++ def spec.validate(*args); end
++
++ util_build_gem spec
++
++ gem = File.join(@gemhome, 'cache', spec.file_name)
++
++ use_ui @ui do
++ @installer = Gem::Installer.at gem
++ e = assert_raises Gem::InstallError do
++ @installer.pre_install_checks
++ end
++ assert_equal "# has an invalid name", e.message
++ end
++ refute defined?(::Object::FROM_EVAL)
++ end
++
++ def test_pre_install_checks_malicious_require_paths_before_eval
++ spec = util_spec "malicious", '1'
++ def spec.full_name # so the spec is buildable
++ "malicious-1"
++ end
++ def spec.validate(*args); end
++ spec.require_paths = ["malicious\n``"]
++
++ util_build_gem spec
++
++ gem = File.join(@gemhome, 'cache', spec.file_name)
++
++ use_ui @ui do
++ @installer = Gem::Installer.at gem
++ e = assert_raises Gem::InstallError do
++ @installer.pre_install_checks
++ end
++ assert_equal "# has an invalid require_paths", e.message
++ end
++ end
++
++ def test_pre_install_checks_malicious_extensions_before_eval
++
spec = util_spec "malicious", '1'
++ def spec.full_name # so the spec is buildable
++ "malicious-1"
++ end
++ def spec.validate(*args); end
++ spec.extensions = ["malicious\n``"]
++
++ util_build_gem spec
++
++ gem = File.join(@gemhome, 'cache', spec.file_name)
++
++ use_ui @ui do
++ @installer = Gem::Installer.at gem
++ e = assert_raises Gem::InstallError do
++ @installer.pre_install_checks
++ end
++ assert_equal "# has an invalid extensions", e.message
++ end
++ end
++
++ def test_pre_install_checks_malicious_specification_version_before_eval
++ spec = util_spec "malicious", '1'
++ def spec.full_name # so the spec is buildable
++ "malicious-1"
++ end
++ def spec.validate(*args); end
++ spec.specification_version = "malicious\n``"
++
++ util_build_gem spec
++
++ gem = File.join(@gemhome, 'cache', spec.file_name)
++
++ use_ui @ui do
++ @installer = Gem::Installer.at gem
++ e = assert_raises Gem::InstallError do
++ @installer.pre_install_checks
++ end
++ assert_equal "# has an invalid specification_version", e.message
++ end
++ end
++
++ def test_pre_install_checks_malicious_dependencies_before_eval
++ spec = util_spec "malicious", '1'
++ def spec.full_name # so the spec is buildable
++ "malicious-1"
++ end
++ def spec.validate(*args); end
++ spec.add_dependency "b\nfoo", '> 5'
++
++ util_build_gem spec
++
++ gem = File.join(@gemhome, 'cache', spec.file_name)
++
++ use_ui @ui do
++ @installer = Gem::Installer.at gem
++ @installer.ignore_dependencies = true
++ e = assert_raises Gem::InstallError do
++ @installer.pre_install_checks
++ end
++ assert_equal "# has an invalid dependencies", e.message
++ end
++ end
++
+ def test_shebang
+ util_make_exec @spec, "#!/usr/bin/ruby"
+
+--
+2.21.0
+
diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec
index b59b6ea..5b20cf4 100644
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
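Review bot: In verify_spec the new checks on require_paths, extensions, specification_version and dependency names are a pure line-break denylist (`/\R/`), whereas the gem's own name, a few lines above, gets a positive allowlist (`VALID_NAME_PATTERN`); the comment added to pre_install_checks says these fields end up in Ruby source that ensure_loadable_spec evals, and a line break is the escape the new tests use, not necessarily the only one (the generating code, Specification#to_ruby, is not in this hunk). For the two fields with a known grammar the check can be positive instead: dependency names are gem names, so `dep.name !~ Gem::Specification::VALID_NAME_PATTERN` (assuming published dependency names all satisfy it), and specification_version is a schema number, so `unless spec.specification_version.is_a?(Integer)`. If to_ruby interpolates a field unquoted, a `;` or a closing delimiter injects code with no `\R` at all, so I would confirm how each field is rendered before relying on the line-break check alone. The `dep.type` check is fine as written (`Symbol#=~` exists), but note that `dep.requirement`, which the new test passes as `'> 5'`, is not validated here and is presumably dumped/inspected rather than interpolated — worth confirming.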
@@ -21,7 +21,7 @@ %endif -%global release 103 +%global release 104 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory three, since the @@ -154,6 +154,10 @@ Patch25: ruby-2.6.0-Update-for-tzdata-2018f.patch # https://bugs.ruby-lang.org/issues/15502 # https://github.com/ruby/ruby/commit/6f9b40ea53d8f3fb2a5b1c7ac55c207d42c77ef4 Patch11: ruby-2.6.0-Try-to-update-cert.patch +# CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution +# https://bugzilla.redhat.com/show_bug.cgi?id=1692520 +# https://github.com/rubygems/rubygems/commit/8e61a52f49c9530706cd73d2f1edc10f097e591f +Patch26: ruby-2.5.4-fix-malicious-gem-to-lead-to-arbitrary-code-execution.patch # Fix some OpenSSL 1.1.1 test failures. # https://github.com/ruby/ruby/commit/1dfc377ae3b174b043d3f0ed36de57b0296b34d0 @@ -555,6 +559,7 @@ rm -rf ext/fiddle/libffi* %patch23 -p1 %patch24 -p1 %patch25 -p1 +%patch26 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1105,6 +1110,10 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \ %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %changelog +* Tue May 07 2019 Jun Aruga - 2.5.3-104 +- Prohibit arbitrary code execution when installing a malicious gem. + Resolves: CVE-2019-8324 + * Fri Jan 11 2019 Jun Aruga - 2.5.3-103 - Refresh expired certificates to fix FTBFS.