Bug#794090: marked as done (jessie-pu: package ruby2.1/2.1.5-2+deb8u2)

Sat, 05 Sep 2015 06:39:14 -0700 

Your message dated Sat, 05 Sep 2015 14:31:07 +0100
with message-id <[email protected]>
and subject line Closing p-u bugs for 8.2
has caused the Debian Bug report #794090,
regarding jessie-pu: package ruby2.1/2.1.5-2+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
794090: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794090
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu

Hi, I would like to upload the attached diff as a stable update for
ruby2.1, fixing a minor security bug that didn't qualify for a DSA.

Te following patches were cherry-picked from upstream:

http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=9b945cadc3b157829a60debff1dd5c536644f9b2
http://anonscm.debian.org/cgit/collab-maint/ruby.git/commit/?h=debian/jessie&id=61f89c1e7b7ac864d840686aa7824eb04cba5cff

-- System Information:
Debian Release: stretch/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), 
(1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Antonio Terceiro <[email protected]>

diff --git a/debian/changelog b/debian/changelog
index 933e6ab..13a9637 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high
+
+  * Apply upstream patches to fix Request hijacking vulnerability in Rubygems
+    [CVE-2015-3900] (Closes: #790119)
+
+ -- Antonio Terceiro <[email protected]>  Wed, 29 Jul 2015 09:27:24 -0300
+
 ruby2.1 (2.1.5-2+deb8u1) jessie-security; urgency=high
 
   * Fix vulnerabiity with overly permissive matching of hostnames in OpenSSL
diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb
index 58991ca..ed2e171 100644
--- a/lib/rubygems/remote_fetcher.rb
+++ b/lib/rubygems/remote_fetcher.rb
@@ -90,7 +90,13 @@ class Gem::RemoteFetcher
     rescue Resolv::ResolvError
       uri
     else
-      URI.parse "#{uri.scheme}://#{res.target}#{uri.path}"
+      target = res.target.to_s.strip
+
+      if /\.#{Regexp.quote(host)}\z/ =~ target
+        return URI.parse "#{uri.scheme}://#{target}#{uri.path}"
+      end
+
+      uri
     end
   end
 
diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb
index 79f3a58..626797f 100644
--- a/test/rubygems/test_gem_remote_fetcher.rb
+++ b/test/rubygems/test_gem_remote_fetcher.rb
@@ -163,6 +163,21 @@ gems:
   end
 
   def test_api_endpoint
+    uri = URI.parse "http://example.com/foo";
+    target = MiniTest::Mock.new
+    target.expect :target, "gems.example.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://gems.example.com/foo";), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values
     uri = URI.parse "http://gems.example.com/foo";
     target = MiniTest::Mock.new
     target.expect :target, "blah.com"
@@ -171,7 +186,37 @@ gems:
     dns.expect :getresource, target, [String, Object]
 
     fetch = Gem::RemoteFetcher.new nil, dns
-    assert_equal URI.parse("http://blah.com/foo";), fetch.api_endpoint(uri)
+    assert_equal URI.parse("http://gems.example.com/foo";), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values_that_starts_with_original
+    uri = URI.parse "http://example.com/foo";
+    target = MiniTest::Mock.new
+    target.expect :target, "example.combadguy.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo";), fetch.api_endpoint(uri)
+
+    target.verify
+    dns.verify
+  end
+
+  def test_api_endpoint_ignores_trans_domain_values_that_end_with_original
+    uri = URI.parse "http://example.com/foo";
+    target = MiniTest::Mock.new
+    target.expect :target, "badexample.com"
+
+    dns = MiniTest::Mock.new
+    dns.expect :getresource, target, [String, Object]
+
+    fetch = Gem::RemoteFetcher.new nil, dns
+    assert_equal URI.parse("http://example.com/foo";), fetch.api_endpoint(uri)
 
     target.verify
     dns.verify

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message --- 
Version: 8.2

Hi,

These bugs correspond to updates which were included in the 8.2 point
release.

Regards,

Adam

--- End Message ---

Reply via email to