Hello community,

here is the log from the commit of package ruby for openSUSE:11.3
checked in at Fri Mar 4 17:49:45 CET 2011.



--------
--- old-versions/11.3/all/ruby/ruby.changes     2010-07-02 11:50:18.000000000 
+0200
+++ 11.3/ruby/ruby.changes      2011-03-04 17:29:32.000000000 +0100
@@ -1,0 +2,22 @@
+Fri Mar  4 16:07:00 UTC 2011 - [email protected]
+
+- added ruby-1.8.x_net_http_close_in_rescue.patch
+  Dont call close on nil in case of on exception. (bnc#655136)
+
+-------------------------------------------------------------------
+Thu Mar  3 17:14:51 UTC 2011 - [email protected]
+
+- added ruby-1.8.x_exception_tainted_message.patch:
+  Exception#to_s method can be used to trick $SAFE check, which
+  makes a untrusted codes to modify arbitrary strings. (bnc#673750)
+  CVE-2011-1005
+- added ruby-1.8.x_fileutils_symlink_race.patch:
+  A symlink race condition vulnerability was found in
+  FileUtils.remove_entry_secure. The vulnerability allows local
+  users to delete arbitrary files and directories. (bnc#673740)
+  CVE-2011-1004
+- added patch ruby-1.8.x_webrick_charset_issue.patch:
+  fix cross site scripting bug in webrick (bnc#600752)
+  CVE-2010-0541
+
+-------------------------------------------------------------------
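Review bot: The wording of the first two changelog entries needs a cleanup: "Dont call close on nil in case of on exception" and "makes a untrusted codes to modify arbitrary strings" are hard to parse. Suggest "Don't call close on a nil socket when an exception is raised" and "allows untrusted code to modify arbitrary strings". The webrick entry could also state what the fix is, since it currently only names the bug class.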

Package does not exist at destination yet. Using Fallback 
old-versions/11.3/all/ruby
Destination is old-versions/11.3/UPDATES/all/ruby
calling whatdependson for 11.3-i586


New:
----
  ruby-1.8.x_exception_tainted_message.patch
  ruby-1.8.x_fileutils_symlink_race.patch
  ruby-1.8.x_net_http_close_in_rescue.patch
  ruby-1.8.x_webrick_charset_issue.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ruby.spec ++++++
--- /var/tmp/diff_new_pack.Fqhemq/_old  2011-03-04 17:49:19.000000000 +0100
+++ /var/tmp/diff_new_pack.Fqhemq/_new  2011-03-04 17:49:19.000000000 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package ruby (Version 1.8.7.p249)
+# spec file for package ruby
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 
 Name:           ruby
 Version:        1.8.7.p249
-Release:        5
+Release:        8.<RELEASE2>
 #
 %define pkg_version 1.8.7
 %define patch_level p249
@@ -68,6 +68,10 @@
 Patch10:        ruby-1.8.x_openssl-1.0.patch
 Patch11:        ruby-1.8.x_openssl-1.0-tests.patch
 Patch12:        ruby-1.8.x_yaml2byte.patch
+Patch13:        ruby-1.8.x_exception_tainted_message.patch
+Patch14:        ruby-1.8.x_webrick_charset_issue.patch
+Patch15:        ruby-1.8.x_fileutils_symlink_race.patch
+Patch16:        ruby-1.8.x_net_http_close_in_rescue.patch
 # vendor ruby files taken from:
 # http://svn.macports.org/repository/macports/trunk/dports/lang/ruby/
 Source3:        site-specific.rb
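Review bot: Patch13 to Patch16 are added without any comment tying them to a bug or CVE, so the spec file alone does not show which of them are security fixes. A one-line comment above each PatchN carrying the bnc# and CVE id from ruby.changes (for example bnc#673740, CVE-2011-1004 for Patch15) would make later audits and patch drops easier.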
@@ -253,6 +257,10 @@
 %patch10
 %patch11
 %patch12
+%patch13
+%patch14
+%patch15
+%patch16
 %if 0%{?with_bleak_house}
   for patch in valgrind configure gc ; do
     patch -p0 < bleak_house-%{bleak_house_version}/ruby/${patch}.patch

++++++ ruby-1.8.x_exception_tainted_message.patch ++++++
r30903 | shyouhei | 2011-02-18 12:05:02 +0100 (Fri, 18 Feb 2011) | 9 lines

* error.c (exc_to_s): untainted strings can be tainted via
  Exception#to_s, which enables attackers to overwrite sane strings.
  Reported by: Yusuke Endoh <mame at tsg.ne.jp>.

* error.c (name_err_to_s): ditto.

* test/ruby/test_exception.rb (TestException::test_to_s_taintness_propagation):
  Test for it.

Index: error.c
===================================================================
--- error.c     (revision 30902)
+++ error.c     (revision 30903)
@@ -403,7 +403,6 @@
     VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
 
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
     return mesg;
 }
 
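Review bot: Nothing at the removed line in exc_to_s records why the taint is no longer copied from exc to mesg, so `if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);` could later be reintroduced as an apparent omission. A short comment above `return mesg;` saying that the stored message is returned as is and must not be tainted from the exception would document the intent.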
@@ -667,10 +666,9 @@
     if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
     StringValue(str);
     if (str != mesg) {
-       rb_iv_set(exc, "mesg", mesg = str);
+       OBJ_INFECT(str, mesg);
     }
-    if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
-    return mesg;
+    return str;
 }
 
 /*
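Review bot: With `rb_iv_set(exc, "mesg", mesg = str);` removed from name_err_to_s, the converted string is no longer stored back in the exception, which is a behaviour change beyond the taint fix and is not mentioned in the commit message. If it is intended, say so in a comment next to `OBJ_INFECT(str, mesg);`, and note there that taint on the result now comes only from mesg and never from exc.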
Index: test/ruby/test_exception.rb
===================================================================
--- test/ruby/test_exception.rb (revision 30902)
+++ test/ruby/test_exception.rb (revision 30903)
@@ -184,4 +184,26 @@
       assert(false)
     end
   end
+
+  def test_to_s_taintness_propagation
+    for exc in [Exception, NameError]
+      m = "abcdefg"
+      e = exc.new(m)
+      e.taint
+      s = e.to_s
+      assert_equal(false, m.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+      assert_equal(false, s.tainted?,
+                   "#{exc}#to_s should not propagate taintness")
+    end
+    
+    o = Object.new
+    def o.to_str
+      "foo"
+    end
+    o.taint
+    e = NameError.new(o)
+    s = e.to_s
+    assert_equal(true, s.tainted?)
+  end
 end
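Review bot: Both assertions inside the loop carry the same message, "#{exc}#to_s should not propagate taintness", so a failure does not say whether the original string m or the returned s became tainted; give them distinct messages. The last case exercises only NameError and its `assert_equal(true, s.tainted?)` has no message; a matching case for Exception, or a comment on why it is left out, would complete the coverage. The blank line after the loop also carries trailing whitespace.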
++++++ ruby-1.8.x_fileutils_symlink_race.patch ++++++
r30905 | shyouhei | 2011-02-18 12:48:02 +0100 (Fri, 18 Feb 2011) | 7 lines

merge revision(s) 30896:
  * lib/fileutils.rb (FileUtils::remove_entry_secure): there is a
    race condition in the case where the given path is a directory,
    and some other user can move that directory, and create a
    symlink while this method is executing.
    Reported by: Nicholas Jefferson <nicholas at pythonic.com.au>

Index: lib/fileutils.rb
===================================================================
--- lib/fileutils.rb.orig       2009-06-29 06:21:32.000000000 +0200
+++ lib/fileutils.rb    2011-03-03 18:13:17.026046278 +0100
@@ -657,10 +657,10 @@ module FileUtils
   # removing directories.  This requires the current process is the
   # owner of the removing whole directory tree, or is the super user (root).
   #
-  # WARNING: You must ensure that *ALL* parent directories are not
-  # world writable.  Otherwise this method does not work.
-  # Only exception is temporary directory like /tmp and /var/tmp,
-  # whose permission is 1777.
+  # WARNING: You must ensure that *ALL* parent directories cannot be
+  # moved by other untrusted users.  For example, parent directories
+  # should not be owned by untrusted users, and should not be world
+  # writable except when the sticky bit set.
   #
   # WARNING: Only the owner of the removing directory tree, or Unix super
   # user (root) should invoke this method.  Otherwise this method does not
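Review bot: The last line of the rewritten warning, "writable except when the sticky bit set.", is missing a verb; "except when the sticky bit is set" reads correctly. The old text named /tmp and /var/tmp with permission 1777 as the concrete case, and keeping that example would help readers recognise what the sticky-bit exception refers to.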
@@ -703,6 +703,11 @@ module FileUtils
       end
       f.chown euid, -1
       f.chmod 0700
+      unless fu_stat_identical_entry?(st, File.lstat(fullpath))
+        # TOC-to-TOU attack?
+        File.unlink fullpath
+        return
+      end
     }
     # ---- tree root is frozen ----
     root = Entry_.new(path)
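Review bot: When fu_stat_identical_entry? reports a mismatch, the new branch unlinks fullpath and does a bare `return`, so the caller cannot tell that the tree was not removed and that a swapped entry was detected. Raising an error here, or at least documenting the silent return in the method comment, would surface the condition. The comment "TOC-to-TOU attack?" should use the usual term, time-of-check to time-of-use (TOCTOU), and a line explaining why the comparison is placed after `f.chown euid, -1` and `f.chmod 0700` would help the next reader.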
++++++ ruby-1.8.x_net_http_close_in_rescue.patch ++++++
------------------------------------------------------------------------
r29524 | naruse | 2010-10-18 03:23:48 +0200 (Mon, 18 Oct 2010) | 2 lines

* lib/net/http.rb (transport_request): @socket may be nil.
  patched by Egbert Eich [ruby-core:32829]
------------------------------------------------------------------------
Index: lib/net/http.rb
===================================================================
--- lib/net/http.rb.orig        2009-11-19 07:32:19.000000000 +0100
+++ lib/net/http.rb     2011-03-04 17:06:02.250249619 +0100
@@ -1057,7 +1057,7 @@ module Net   #:nodoc:
       res
     rescue => exception
       D "Conn close because of error #{exception}"
-      @socket.close unless @socket.closed?
+      @socket.close if @socket and not @socket.closed?
       raise exception
     end
 
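Review bot: The guard in `@socket.close if @socket and not @socket.closed?` covers the nil case, but the debug line above it still logs "Conn close because of error" when there is no socket to close, and the patch adds no test for a nil @socket in this rescue path. Consider a regression test for it, and a debug message that distinguishes the two cases.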
++++++ ruby-1.8.x_webrick_charset_issue.patch ++++++
Sun Aug 15 19:59:58 2010  Yuki Sonoda (Yugui)  <[email protected]>

* lib/webrick/httpresponse.rb (WEBrick::HTTPResponse#set_error):
  Fix for possible cross-site scripting (CVE-2010-0541). 
  Found by Apple, reported by Hideki Yamane.
  Patch by Hirokazu Nishio <nishio.hirokazu AT gmail.com>.

Index: lib/webrick/httpresponse.rb
===================================================================
--- lib/webrick/httpresponse.rb (revision 29001)
+++ lib/webrick/httpresponse.rb (revision 29002)
@@ -209,7 +209,7 @@
         @keep_alive = false
         self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
       end
-      @header['content-type'] = "text/html"
+      @header['content-type'] = "text/html; charset=ISO-8859-1"
 
       if respond_to?(:create_error_page)
         create_error_page()
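Review bot: The charset in `"text/html; charset=ISO-8859-1"` is hard-coded in set_error with no comment explaining the choice or linking it to CVE-2010-0541, and the header is set before create_error_page() runs, so an application-supplied create_error_page that emits a different encoding would be mislabelled unless it resets the header. A comment stating that the error page must always declare a charset, and that overrides are responsible for keeping it consistent with the body, would cover both points.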


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
