From 9f5278c1120e61181050dc657b493ad11694f06a Mon Sep 17 00:00:00 2001 From: Mamoru Tasaka Date: Thu, 4 Oct 2012 21:55:27 +0900 Subject: [PATCH] forgot to add patch... --- ruby-1.9.3-backport-from-trunk-rev37068.patch | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 ruby-1.9.3-backport-from-trunk-rev37068.patch diff --git a/ruby-1.9.3-backport-from-trunk-rev37068.patch b/ruby-1.9.3-backport-from-trunk-rev37068.patch new file mode 100644 index 0000000..81b6b79 --- /dev/null +++ b/ruby-1.9.3-backport-from-trunk-rev37068.patch @@ -0,0 +1,103 @@ +Patch from trunk for CVE-2012-4464, CVE-2012-4466 +Part for test/ruby/test_exception.rb was adjusted for ruby 1.9.3 + +Mamoru Tasaka + +------------------------------------------------------------------------ +r37068 | shugo | 2012-10-03 02:25:10 +0900 (Wed, 03 Oct 2012) | 2 lines + +* error.c (exc_to_s, name_err_to_s, name_err_mesg_to_str): do not + taint messages. +------------------------------------------------------------------------ +Index: error.c +=================================================================== +--- error.c (revision 37067) ++++ error.c (revision 37068) +@@ -635,7 +635,6 @@ + + if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); + r = rb_String(mesg); +- OBJ_INFECT(r, exc); + return r; + } + +@@ -996,11 +995,7 @@ + + if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc)); + StringValue(str); +- if (str != mesg) { +- rb_iv_set(exc, "mesg", mesg = str); +- } +- OBJ_INFECT(mesg, exc); +- return mesg; ++ return str; + } + + /* +@@ -1131,7 +1126,6 @@ + args[2] = d; + mesg = rb_f_sprintf(NAME_ERR_MESG_COUNT, args); + } +- OBJ_INFECT(mesg, obj); + return mesg; + } + +Index: test/ruby/test_exception.rb +=================================================================== +--- test/ruby/test_exception.rb (revision 37067) ++++ test/ruby/test_exception.rb (modified) +@@ -333,4 +333,54 @@ + load(t.path) + end + end ++ ++ def test_to_s_taintness_propagation ++ for exc in [Exception, NameError] ++ m = "abcdefg" ++ e = exc.new(m) ++ e.taint ++ s = e.to_s ++ assert_equal(false, m.tainted?, ++ "#{exc}#to_s should not propagate taintness") ++ assert_equal(false, s.tainted?, ++ "#{exc}#to_s should not propagate taintness") ++ end ++ ++ o = Object.new ++ def o.to_str ++ "foo" ++ end ++ o.taint ++ e = NameError.new(o) ++ s = e.to_s ++ assert_equal(false, s.tainted?) ++ end ++ ++ def test_exception_to_s_should_not_propagate_untrustedness ++ favorite_lang = "Ruby" ++ ++ for exc in [Exception, NameError] ++ assert_raise(SecurityError) do ++ lambda { ++ $SAFE = 4 ++ exc.new(favorite_lang).to_s ++ favorite_lang.replace("Python") ++ }.call ++ end ++ end ++ ++ assert_raise(SecurityError) do ++ lambda { ++ $SAFE = 4 ++ o = Object.new ++ o.singleton_class.send(:define_method, :to_str) { ++ favorite_lang ++ } ++ NameError.new(o).to_s ++ favorite_lang.replace("Python") ++ }.call ++ end ++ ++ assert_equal("Ruby", favorite_lang) ++ end + end