Bug#686867: jruby: CVE-2011-4838
On Wed, 19 Sep 2012 21:16:51 -0700 tony mancill tmanc...@debian.org wrote:

> Thank you for attaching the patch. I have it applying cleanly and am in the process of preparing an upload. However, currently the jruby package is FTBFS due to an issue with one of its build-deps, nailgun, which is installing a bad symlink.
>
> $ ls -al /usr/share/java/nailgun*
> -rw-r--r-- 1 root root 25607 Jul 18 22:54 /usr/share/java/nailgun-0.9.0.jar
> -rw-r--r-- 1 root root 7048 Jul 18 22:54 /usr/share/java/nailgun-examples-0.9.0.jar
> lrwxrwxrwx 1 root root 17 Jul 18 22:54 /usr/share/java/nailgun.jar -> nailgun-0.7.1.jar

It's my mistake, using a static version for the symlink... sorry for the mess. There was also a bit of confusion about versioning, so I prepared a fix as below. If it seems to be okay, I'll upload to unstable.

diff -Nru nailgun-0.7.1+trunk95/debian/changelog nailgun-0.9.0+trunk95/debian/changelog --- nailgun-0.7.1+trunk95/debian/changelog 2012-07-19 07:54:01.0 +0900 +++ nailgun-0.9.0+trunk95/debian/changelog 2012-09-20 23:01:12.0 +0900 @@ -1,3 +1,12 @@ +nailgun (0.9.0+trunk95-1) unstable; urgency=low + + * Bump up version number since it produces jar files with version as +0.9.0. Nothing changed in upstream source. + * debian/nailgun.links +- fix symlink, don't use static version number. + + -- Hideki Yamane henr...@debian.org Thu, 20 Sep 2012 22:58:48 +0900 + nailgun (0.7.1+trunk95-1) unstable; urgency=medium * Taken from Subversion repository @@ -8,7 +17,7 @@ * debian/patches - refresh all two patches - add name_define_as_ng-nailgun_ng.c.patch to avoid - ClassNotFoundException (Closes: LP#793859) + ClassNotFoundException (LP: #793859) - add Makefile_enable_hardening.patch to enable hardening * debian/rules - enable hardening diff -Nru nailgun-0.7.1+trunk95/debian/nailgun.links nailgun-0.9.0+trunk95/debian/nailgun.links --- nailgun-0.7.1+trunk95/debian/nailgun.links 2010-08-23 04:33:49.0 +0900 +++ nailgun-0.9.0+trunk95/debian/nailgun.links 2012-09-20 22:57:45.0 +0900
@@ -1 +1 @@ -usr/share/java/nailgun-0.7.1.jar usr/share/java/nailgun.jar +usr/share/java/nailgun-*.jar usr/share/java/nailgun.jar -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
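Review bot: In the debian/nailgun.links hunk, the source pattern usr/share/java/nailgun-*.jar will not produce the link the changelog entry describes. dh_link takes each source/destination pair literally and does not expand wildcards, so nailgun.jar would point at a file literally named nailgun-*.jar. Even if the pattern were expanded, the ls listing quoted in this message shows it would match both nailgun-0.9.0.jar and nailgun-examples-0.9.0.jar. Name the jar explicitly, or create the link from debian/rules after working out which jar the build produced.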
Bug#686867: jruby: CVE-2011-4838
On Thu, 20 Sep 2012 23:05:38 +0900 Hideki Yamane henr...@debian.or.jp wrote:

> $ ls -al /usr/share/java/nailgun*

The previous one is wrong, sending again... (I misunderstood and thought debian/package.link would expand * to the corresponding file)

diff -Nru nailgun-0.7.1+trunk95/debian/changelog nailgun-0.9.0+trunk95/debian/changelog --- nailgun-0.7.1+trunk95/debian/changelog 2012-07-19 07:54:01.0 +0900 +++ nailgun-0.9.0+trunk95/debian/changelog 2012-09-20 23:08:33.0 +0900 @@ -1,3 +1,12 @@ +nailgun (0.9.0+trunk95-1) unstable; urgency=low + + * Bump up version number since it produces jar files with version as +0.9.0. Nothing changed in upstream source. + * debian/nailgun.links +- fix symlink, change to 0.9.0 + + -- Hideki Yamane henr...@debian.org Thu, 20 Sep 2012 22:58:48 +0900 + nailgun (0.7.1+trunk95-1) unstable; urgency=medium * Taken from Subversion repository @@ -8,7 +17,7 @@ * debian/patches - refresh all two patches - add name_define_as_ng-nailgun_ng.c.patch to avoid - ClassNotFoundException (Closes: LP#793859) + ClassNotFoundException (LP: #793859) - add Makefile_enable_hardening.patch to enable hardening * debian/rules - enable hardening diff -Nru nailgun-0.7.1+trunk95/debian/nailgun.links nailgun-0.9.0+trunk95/debian/nailgun.links --- nailgun-0.7.1+trunk95/debian/nailgun.links 2010-08-23 04:33:49.0 +0900 +++ nailgun-0.9.0+trunk95/debian/nailgun.links 2012-09-20 23:07:51.0 +0900 @@ -1 +1 @@ -usr/share/java/nailgun-0.7.1.jar usr/share/java/nailgun.jar +usr/share/java/nailgun-0.9.0.jar usr/share/java/nailgun.jar
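Review bot: The second debian/changelog hunk (-8,7 +17,7) edits the already released 0.7.1+trunk95-1 entry, changing "(Closes: LP#793859)" to "(LP: #793859)", but the new 0.9.0+trunk95-1 entry does not record that edit. Add a line under the new entry noting that the Launchpad bug reference in the previous entry was corrected, so the changelog explains why a released entry differs from what was uploaded.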
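Review bot: The debian/nailgun.links hunk swaps one literal version (0.7.1) for another (0.9.0), which is the same pattern that left nailgun.jar pointing at a missing nailgun-0.7.1.jar in the listing earlier in the thread. Consider a check in debian/rules that fails the nailgun build when the link target is absent from the package tree, or derive the jar name from the version the build produces, so a later version change is caught in nailgun itself and not as an FTBFS in a reverse build-dependency such as jruby.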
Bug#686867: jruby: CVE-2011-4838
On 09/20/2012 07:05 AM, Hideki Yamane wrote:

> It's my mistake, using a static version for the symlink... sorry for the mess. There was also a bit of confusion about versioning, so I prepared a fix as below. If it seems to be okay, I'll upload to unstable.

Hello Hideki,

Thank you for the quick response. The 2nd patch you supplied looks good to me.

Also, I determined that I can build the jruby package successfully against the nailgun package in wheezy, which I think might be preferable anyway since this is a security bug that is being targeted for wheezy (right?). The dependency on nailgun is a build-dep only, meaning that it doesn't appear in the jruby Depends, and jruby is an architecture any package.

Moritz, for this bug with respect to wheezy, would you prefer that an updated package be uploaded to unstable + an unblock request, or would this be a case for targeting testing-security?

Thank you,
tony
Bug#686867: jruby: CVE-2011-4838
On Thu, Sep 20, 2012 at 12:10:30PM -0700, tony mancill wrote:

> On 09/20/2012 07:05 AM, Hideki Yamane wrote:
> > It's my mistake, using a static version for the symlink... sorry for the mess. There was also a bit of confusion about versioning, so I prepared a fix as below. If it seems to be okay, I'll upload to unstable.
>
> Hello Hideki,
>
> Thank you for the quick response. The 2nd patch you supplied looks good to me.
>
> Also, I determined that I can build the jruby package successfully against the nailgun package in wheezy, which I think might be preferable anyway since this is a security bug that is being targeted for wheezy (right?). The dependency on nailgun is a build-dep only, meaning that it doesn't appear in the jruby Depends, and jruby is an architecture any package.
>
> Moritz, for this bug with respect to wheezy, would you prefer that an updated package be uploaded to unstable + an unblock request, or would this be a case for targeting testing-security?

testing-security doesn't work currently (only testing-proposed-updates works), so getting this via unstable (urgency=medium) and an unblock request is the way to go forward.

Cheers,
Moritz
Bug#686867: jruby: CVE-2011-4838
On 09/18/2012 03:17 PM, Moritz Mühlenhoff wrote:

> tags 686867 patch
> thanks
>
> On Thu, Sep 06, 2012 at 10:03:58PM +0200, Moritz Muehlenhoff wrote:
> > Package: jruby
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Hi,
> > jruby in Wheezy is still affected by
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
> > http://www.nruns.com/_downloads/advisory28122011.pdf
> >
> > Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?
>
> Wheezy has 1.5.6, not 1.6.5. Anyway, I've extracted the patch, it's attached.
>
> Cheers,
> Moritz

Hello Moritz,

Thank you for attaching the patch. I have it applying cleanly and am in the process of preparing an upload. However, currently the jruby package is FTBFS due to an issue with one of its build-deps, nailgun, which is installing a bad symlink.

$ ls -al /usr/share/java/nailgun*
-rw-r--r-- 1 root root 25607 Jul 18 22:54 /usr/share/java/nailgun-0.9.0.jar
-rw-r--r-- 1 root root 7048 Jul 18 22:54 /usr/share/java/nailgun-examples-0.9.0.jar
lrwxrwxrwx 1 root root 17 Jul 18 22:54 /usr/share/java/nailgun.jar -> nailgun-0.7.1.jar

Anyway, that's a separate bug. Just wanted to comment that this bug is being worked on.

Cheers,
tony
Bug#686867: jruby: CVE-2011-4838
tags 686867 patch
thanks

On Thu, Sep 06, 2012 at 10:03:58PM +0200, Moritz Muehlenhoff wrote:

> Package: jruby
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
> jruby in Wheezy is still affected by
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
> http://www.nruns.com/_downloads/advisory28122011.pdf
>
> Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?

Wheezy has 1.5.6, not 1.6.5. Anyway, I've extracted the patch, it's attached.

Cheers,
Moritz

diff -Naur jruby-1.6.5/src/org/jruby/RubyHash.java jruby-1.6.5.1/src/org/jruby/RubyHash.java --- jruby-1.6.5/src/org/jruby/RubyHash.java 2011-10-25 16:54:53.0 +0200 +++ jruby-1.6.5.1/src/org/jruby/RubyHash.java 2011-12-27 20:04:20.0 +0100 @@ -824,7 +824,7 @@ oldTable[j] = null; while (entry != null) { RubyHashEntry next = entry.next; -entry.hash = entry.key.hashCode(); // update the hash value +entry.hash = hashValue(entry.key.hashCode()); // update the hash value int i = bucketIndex(entry.hash, newTable.length); entry.next = newTable[i]; newTable[i] = entry; diff -Naur jruby-1.6.5/src/org/jruby/Ruby.java jruby-1.6.5.1/src/org/jruby/Ruby.java --- jruby-1.6.5/src/org/jruby/Ruby.java 2011-10-25 16:54:53.0 +0200 +++ jruby-1.6.5.1/src/org/jruby/Ruby.java 2011-12-27 20:04:20.0 +0100 @@ -291,6 +291,8 @@ this.beanManager= BeanManagerFactory.create(this, config.isManagementEnabled()); this.jitCompiler= new JITCompiler(this); this.parserStats= new ParserStats(this); + + this.hashSeed = this.random.nextInt(); this.beanManager.register(new Config(this)); this.beanManager.register(parserStats); @@ -3929,6 +3931,10 @@ public boolean isBooting() { return booting; } + +public int getHashSeed() { +return hashSeed; +} public CoverageData getCoverageData() { return coverageData;
@@ -3946,6 +3952,8 @@ private long randomSeed = 0; private long randomSeedSequence = 0; private Random random = new Random(); +/** The runtime-local seed for hash randomization */ +private int hashSeed = 0; private final ListEventHook eventHooks = new VectorEventHook(); private boolean hasEventHooks; diff -Naur jruby-1.6.5/src/org/jruby/RubyString.java jruby-1.6.5.1/src/org/jruby/RubyString.java --- jruby-1.6.5/src/org/jruby/RubyString.java 2011-10-25 16:54:54.0 +0200 +++ jruby-1.6.5.1/src/org/jruby/RubyString.java 2011-12-27 20:04:21.0 +0100 @@ -93,6 +93,7 @@ import org.jruby.runtime.marshal.UnmarshalStream; import org.jruby.util.ByteList; import org.jruby.util.ConvertBytes; +import org.jruby.util.MurmurHash; import org.jruby.util.Numeric; import org.jruby.util.Pack; import org.jruby.util.RegexpOptions; @@ -1145,11 +1146,11 @@ } private int strHashCode(Ruby runtime) { +int hash = MurmurHash.hash32(value.getUnsafeBytes(), value.getBegin(), value.getRealSize(), runtime.getHashSeed()); if (runtime.is1_9()) { -return value.hashCode() ^ (value.getEncoding().isAsciiCompatible() scanForCodeRange() == CR_7BIT ? 0 : value.getEncoding().getIndex()); -} else { -return value.hashCode(); +hash ^= (value.getEncoding().isAsciiCompatible() scanForCodeRange() == CR_7BIT ? 0 : value.getEncoding().getIndex()); } +return hash; } @Override diff -Naur jruby-1.6.5/src/org/jruby/util/MurmurHash.java jruby-1.6.5.1/src/org/jruby/util/MurmurHash.java --- jruby-1.6.5/src/org/jruby/util/MurmurHash.java 1970-01-01 01:00:00.0 +0100 +++ jruby-1.6.5.1/src/org/jruby/util/MurmurHash.java 2011-12-27 20:04:21.0 +0100 
@@ -0,0 +1,62 @@ +package org.jruby.util; + +public class MurmurHash { +// Based on Murmurhash 2.0 Java port at http://dmy999.com/article/50/murmurhash-2-java-port +// 2011-12-05: Modified by Hiroshi Nakamura n...@ruby-lang.org +// - signature change to use offset +// hash(byte[] data, int seed) to hash(byte[] src, int offset, int length, int seed) +// - extract 'm' and 'r' as murmurhash2.0 constants + +// Ported by Derek Young from the C version (specifically the endian-neutral +// version) from: +// http://murmurhash.googlepages.com/ +// +// released to the public domain - dmy...@gmail.com + +// 'm' and 'r' are mixing constants generated offline. +// They're not really 'magic', they just happen to work well. +private static final int MURMUR2_MAGIC = 0x5bd1e995; +// CRuby 1.9 uses 16 but original C++ implementation uses 24 with above Magic. +private static final int
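Review bot: In the Ruby.java constructor hunk (-291,6 +291,8), hashSeed is drawn from this.random, which the field hunk at -3946 shows is a plain "new Random()". If that is java.util.Random, the per-runtime seed comes from a non-cryptographic generator, which makes it easier to guess than a secret hash seed should be; taking the seed from java.security.SecureRandom is a small change. The field also stays at its initial 0 until this constructor line runs, so any string hashed earlier during construction would use seed 0; initialising the seed at the field declaration removes that ordering dependency.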
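Review bot: In the Ruby.java hunk at -3929,6 +3931,10, getHashSeed() is declared public and has no Javadoc, so the seed is readable by any code that holds a runtime reference. The only caller visible in this patch is RubyString.strHashCode, which lives in the same org.jruby package and passes the value on to MurmurHash.hash32 as an argument, so package-private visibility would be enough for what the patch shows. Narrow the visibility if no other caller needs it, and document that the value is meant to stay secret.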
Bug#686867: jruby: CVE-2011-4838
Package: jruby
Severity: grave
Tags: security
Justification: user security hole

Hi,
jruby in Wheezy is still affected by
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
http://www.nruns.com/_downloads/advisory28122011.pdf

Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?

Cheers,
Moritz