Your message dated Sun, 05 May 2019 11:51:40 +0000
with message-id <[email protected]>
and subject line unblock jruby
has caused the Debian Bug report #928391,
regarding unblock: jruby/9.1.17.0-2.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
928391: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928391
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi Release Team,
Please unblock package jruby
While looking at security issues which were addressed in stable but not
yet in buster, I noticed there was as well CVE-2018-1000073, #925986.
Whilst the issue is marked as buster-can-defer, and there are actually
more open CVEs yet for jruby itself in buster, I opted to cherry-pick
the fix for CVE-2018-1000073 to avoid a regression from stretch
-> buster after release in that regard.
+jruby (9.1.17.0-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Directory traversal vulnerability in install_location (CVE-2018-1000073)
+ (Closes: #925986)
+
+ -- Salvatore Bonaccorso <[email protected]> Wed, 01 May 2019 11:25:03 +0200
Still there are open CVEs for buster, cf.
https://security-tracker.debian.org/tracker/source-package/jruby but
they are then likewise as well still open for stretch.
unblock jruby/9.1.17.0-2.1
Regards,
Salvatore
diff -Nru jruby-9.1.17.0/debian/changelog jruby-9.1.17.0/debian/changelog
--- jruby-9.1.17.0/debian/changelog 2019-02-26 10:24:15.000000000 +0100
+++ jruby-9.1.17.0/debian/changelog 2019-05-01 11:25:03.000000000 +0200
@@ -1,3 +1,11 @@
+jruby (9.1.17.0-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Directory traversal vulnerability in install_location (CVE-2018-1000073)
+ (Closes: #925986)
+
+ -- Salvatore Bonaccorso <[email protected]> Wed, 01 May 2019 11:25:03 +0200
+
jruby (9.1.17.0-2) unstable; urgency=medium
* Annotate the javax.annotation.Generated patch.
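Review bot: the changelog line `+ * Directory traversal vulnerability in install_location (CVE-2018-1000073)` names the vulnerability but not what was done about it; Debian changelog entries conventionally state the action, e.g. `* Fix directory traversal vulnerability in install_location by resolving symlinks in the destination path (CVE-2018-1000073)`, and mentioning that the change is cherry-picked from the upstream rubygems commit (as the patch header's Origin field does) would make the release-team review quicker.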
diff -Nru jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch
jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch
--- jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch 1970-01-01
01:00:00.000000000 +0100
+++ jruby-9.1.17.0/debian/patches/0017-CVE-2018-1000073.patch 2019-05-01
11:23:43.000000000 +0200
@@ -0,0 +1,25 @@
+From: Jonathan Claudius <[email protected]>
+Date: Wed, 7 Feb 2018 23:54:52 -0500
+Subject: Non-working patch for deducing symlinked base-dirs
+Origin:
https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
+Bug-Debian-Security:
https://security-tracker.debian.org/tracker/CVE-2018-1000073
+Bug-Debian: https://bugs.debian.org/925986
+
+---
+
+diff --git a/lib/ruby/stdlib/rubygems/package.rb
b/lib/ruby/stdlib/rubygems/package.rb
+index dede959981e7..cb9c74a0fc07 100644
+--- a/lib/ruby/stdlib/rubygems/package.rb
++++ b/lib/ruby/stdlib/rubygems/package.rb
+@@ -421,6 +421,8 @@ EOM
+ destination_dir = File.expand_path destination_dir
+
+ destination = File.join destination_dir, filename
++ destination = File.realpath destination if
++ File.respond_to? :realpath
+ destination = File.expand_path destination
+
+ raise Gem::Package::PathError.new(destination, destination_dir) unless
+--
+2.20.1
+
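Review bot: the added lines `++ destination = File.realpath destination if` / `++ File.respond_to? :realpath` call File.realpath on the file path itself, and File.realpath raises Errno::ENOENT when any component of the path does not yet exist; if install_location is evaluated for a file before it has been written, the traversal check will surface as an ENOENT exception instead of the Gem::Package::PathError raised on the following lines, so the call site should be checked. The header's Subject line, "Non-working patch for deducing symlinked base-dirs", is the upstream commit title and reads as if the patch is known to be broken; a DEP-3 Description line stating what the change is intended to do (resolve symlinks in the computed destination before the start_with? check against destination_dir) and a note on whether upstream's final fix differs would avoid that confusion.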
diff -Nru jruby-9.1.17.0/debian/patches/series
jruby-9.1.17.0/debian/patches/series
--- jruby-9.1.17.0/debian/patches/series 2019-02-26 10:24:15.000000000
+0100
+++ jruby-9.1.17.0/debian/patches/series 2019-05-01 11:23:50.000000000
+0200
@@ -12,3 +12,4 @@
0014-FELIX-5430.patch
0015-javax-annotation-Generated.patch
0016-Disable-SkinnyMethodAdapter-test.patch
+0017-CVE-2018-1000073.patch
--- End Message ---
--- Begin Message ---
Unblocked jruby.
--- End Message ---