31265d7a88
* ruby-2.4.3-CVE-2017-0903-Fix-unsafe-object-deserialization
-vulnerability.patch
Resolves: CVE-2017-0903
157 lines
4.6 KiB
Diff
157 lines
4.6 KiB
Diff
From 1281e56682692859e726e24fff30e44aac6f948b Mon Sep 17 00:00:00 2001
|
|
From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
|
|
Date: Wed, 11 Oct 2017 13:48:14 +0000
|
|
Subject: [PATCH] merge revision(s) 60149: [Backport #14003]
|
|
|
|
Merge rubygems-2.6.14 changes.
|
|
|
|
It fixed http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
|
|
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@60168 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
---
|
|
lib/rubygems.rb | 5 +++--
|
|
lib/rubygems/config_file.rb | 2 +-
|
|
lib/rubygems/package.rb | 2 +-
|
|
lib/rubygems/package/old.rb | 2 +-
|
|
lib/rubygems/safe_yaml.rb | 48 +++++++++++++++++++++++++++++++++++++++++++
|
|
lib/rubygems/specification.rb | 2 +-
|
|
6 files changed, 55 insertions(+), 6 deletions(-)
|
|
create mode 100644 lib/rubygems/safe_yaml.rb
|
|
|
|
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
|
|
index 55aa85b8b2bd..0685bcb3c629 100644
|
|
--- a/lib/rubygems.rb
|
|
+++ b/lib/rubygems.rb
|
|
@@ -10,7 +10,7 @@
|
|
require 'thread'
|
|
|
|
module Gem
|
|
- VERSION = "2.6.13"
|
|
+ VERSION = "2.6.14"
|
|
end
|
|
|
|
# Must be first since it unloads the prelude from 1.9.2
|
|
@@ -675,7 +675,7 @@ def self.load_yaml
|
|
|
|
unless test_syck
|
|
begin
|
|
- gem 'psych', '>= 1.2.1'
|
|
+ gem 'psych', '>= 2.0.0'
|
|
rescue Gem::LoadError
|
|
# It's OK if the user does not have the psych gem installed. We will
|
|
# attempt to require the stdlib version
|
|
@@ -699,6 +699,7 @@ def self.load_yaml
|
|
end
|
|
|
|
require 'yaml'
|
|
+ require 'rubygems/safe_yaml'
|
|
|
|
# If we're supposed to be using syck, then we may have to force
|
|
# activate it via the YAML::ENGINE API.
|
|
diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
|
|
index c95d7dd1f14e..63583b361615 100644
|
|
--- a/lib/rubygems/config_file.rb
|
|
+++ b/lib/rubygems/config_file.rb
|
|
@@ -345,7 +345,7 @@ def load_file(filename)
|
|
return {} unless filename and File.exist? filename
|
|
|
|
begin
|
|
- content = YAML.load(File.read(filename))
|
|
+ content = Gem::SafeYAML.load(File.read(filename))
|
|
unless content.kind_of? Hash
|
|
warn "Failed to load #{filename} because it doesn't contain valid YAML hash"
|
|
return {}
|
|
diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
|
|
index c36e71d800a2..77811ed5ecaa 100644
|
|
--- a/lib/rubygems/package.rb
|
|
+++ b/lib/rubygems/package.rb
|
|
@@ -468,7 +468,7 @@ def read_checksums gem
|
|
|
|
@checksums = gem.seek 'checksums.yaml.gz' do |entry|
|
|
Zlib::GzipReader.wrap entry do |gz_io|
|
|
- YAML.load gz_io.read
|
|
+ Gem::SafeYAML.safe_load gz_io.read
|
|
end
|
|
end
|
|
end
|
|
diff --git a/lib/rubygems/package/old.rb b/lib/rubygems/package/old.rb
|
|
index 5e722baa3540..071f7141ab78 100644
|
|
--- a/lib/rubygems/package/old.rb
|
|
+++ b/lib/rubygems/package/old.rb
|
|
@@ -101,7 +101,7 @@ def file_list io # :nodoc:
|
|
header << line
|
|
end
|
|
|
|
- YAML.load header
|
|
+ Gem::SafeYAML.safe_load header
|
|
end
|
|
|
|
##
|
|
diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
|
|
new file mode 100644
|
|
index 000000000000..b98cfaa5e60d
|
|
--- /dev/null
|
|
+++ b/lib/rubygems/safe_yaml.rb
|
|
@@ -0,0 +1,48 @@
|
|
+module Gem
|
|
+
|
|
+ ###
|
|
+ # This module is used for safely loading YAML specs from a gem. The
|
|
+ # `safe_load` method defined on this module is specifically designed for
|
|
+ # loading Gem specifications. For loading other YAML safely, please see
|
|
+ # Psych.safe_load
|
|
+
|
|
+ module SafeYAML
|
|
+ WHITELISTED_CLASSES = %w(
|
|
+ Symbol
|
|
+ Time
|
|
+ Date
|
|
+ Gem::Dependency
|
|
+ Gem::Platform
|
|
+ Gem::Requirement
|
|
+ Gem::Specification
|
|
+ Gem::Version
|
|
+ Gem::Version::Requirement
|
|
+ YAML::Syck::DefaultKey
|
|
+ Syck::DefaultKey
|
|
+ )
|
|
+
|
|
+ WHITELISTED_SYMBOLS = %w(
|
|
+ development
|
|
+ runtime
|
|
+ )
|
|
+
|
|
+ if ::YAML.respond_to? :safe_load
|
|
+ def self.safe_load input
|
|
+ ::YAML.safe_load(input, WHITELISTED_CLASSES, WHITELISTED_SYMBOLS, true)
|
|
+ end
|
|
+
|
|
+ def self.load input
|
|
+ ::YAML.safe_load(input, [::Symbol])
|
|
+ end
|
|
+ else
|
|
+ warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
|
|
+ def self.safe_load input, *args
|
|
+ ::YAML.load input
|
|
+ end
|
|
+
|
|
+ def self.load input
|
|
+ ::YAML.load input
|
|
+ end
|
|
+ end
|
|
+ end
|
|
+end
|
|
diff --git a/lib/rubygems/specification.rb b/lib/rubygems/specification.rb
|
|
index 88e320c05ac9..40e3a70d476c 100644
|
|
--- a/lib/rubygems/specification.rb
|
|
+++ b/lib/rubygems/specification.rb
|
|
@@ -1101,7 +1101,7 @@ def self.from_yaml(input)
|
|
Gem.load_yaml
|
|
|
|
input = normalize_yaml_input input
|
|
- spec = YAML.load input
|
|
+ spec = Gem::SafeYAML.safe_load input
|
|
|
|
if spec && spec.class == FalseClass then
|
|
raise Gem::EndOfYAMLException
|