Bug#895778: jruby: Several security vulnerabilities
Hi Miguel,

I have prepared security updates for Jessie and Stretch. Unfortunately I discovered that jruby in Jessie FTBFS at the moment. This is unrelated to the patches. Do you know how to resolve that?

generate-method-classes:

_gmc_internal_:
     [echo] Generating invokers...
     [java] Exception in thread "main" java.lang.ClassFormatError: Duplicate method name in class file org/jruby/RubyFixnum$i_method_multi$RUBYINVOKER$to_s
     [java]         at java.lang.ClassLoader.defineClass1(Native Method)
     [java]         at java.lang.ClassLoader.defineClass(ClassLoader.java:803)
     [java]         at org.jruby.util.JRubyClassLoader.defineClass(JRubyClassLoader.java:39)
     [java]         at org.jruby.internal.runtime.methods.DumpingInvocationMethodFactory.endClass(DumpingInvocationMethodFactory.java:64)
     [java]         at org.jruby.internal.runtime.methods.InvocationMethodFactory.getAnnotatedMethodClass(InvocationMethodFactory.java:721)
     [java]         at org.jruby.anno.InvokerGenerator.main(InvokerGenerator.java:45)

I'm attaching the stretch debdiff to this bug report and push the patches for Jessie.

Cheers,

Markus

diff -Nru jruby-1.7.26/debian/changelog jruby-1.7.26/debian/changelog --- jruby-1.7.26/debian/changelog 2016-11-12 21:33:13.0 +0100 +++ jruby-1.7.26/debian/changelog 2018-04-29 22:24:33.0 +0200
@@ -1,3 +1,25 @@ +jruby (1.7.26-1+deb9u1) stretch-security; urgency=high + + * Team upload. + * Fix CVE-2018-173: Directory Traversal vulnerability in install_location +function of package.rb that can result in path traversal when writing to a +symlinked basedir outside of the root. + * Fix CVE-2018-174: possible Unsafe Object Deserialization Vulnerability +in gem owner. + * Fix CVE-2018-175: Strictly interpret octal fields in tar headers to +avoid infinite loop + * Fix CVE-2018-176: Raise a security error when there are duplicate +files in a package + * Fix CVE-2018-177: Enforce URL validation on spec homepage attribute. + * Fix CVE-2018-178: Mitigate XSS vulnerability in homepage attribute +when displayed via gem server. + * Fix CVE-2018-179: Directory Traversal vulnerability in gem installation +that can result in writing to arbitrary filesystem locations during +installation of malicious gems. +(Closes: #895778) + + -- Markus KoschanySun, 29 Apr 2018 22:24:33 +0200 + jruby (1.7.26-1) unstable; urgency=medium * Team upload. diff -Nru jruby-1.7.26/debian/patches/CVE-2018-173.patch jruby-1.7.26/debian/patches/CVE-2018-173.patch --- jruby-1.7.26/debian/patches/CVE-2018-173.patch 1970-01-01 01:00:00.0 +0100 +++ jruby-1.7.26/debian/patches/CVE-2018-173.patch 2018-04-29 22:24:33.0 +0200 
@@ -0,0 +1,23 @@ +From: Markus Koschany +Date: Sun, 29 Apr 2018 21:29:28 +0200 +Subject: CVE-2018-173 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778 +Origin: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2 +--- + lib/ruby/shared/rubygems/package.rb | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/ruby/shared/rubygems/package.rb b/lib/ruby/shared/rubygems/package.rb +index e8b8b38..25ac814 100644 +--- a/lib/ruby/shared/rubygems/package.rb b/lib/ruby/shared/rubygems/package.rb +@@ -405,6 +405,8 @@ EOM + destination_dir = File.expand_path destination_dir + + destination = File.join destination_dir, filename ++destination = File.realpath destination if ++ File.respond_to? :realpath + destination = File.expand_path destination + + raise Gem::Package::PathError.new(destination, destination_dir) unless diff -Nru jruby-1.7.26/debian/patches/CVE-2018-174.patch jruby-1.7.26/debian/patches/CVE-2018-174.patch --- jruby-1.7.26/debian/patches/CVE-2018-174.patch 1970-01-01 01:00:00.0 +0100 +++ jruby-1.7.26/debian/patches/CVE-2018-174.patch 2018-04-29 22:24:33.0 +0200 
@@ -0,0 +1,23 @@ +From: Markus Koschany +Date: Sun, 29 Apr 2018 21:11:01 +0200 +Subject: CVE-2018-174 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778 +Origin: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d +--- + lib/ruby/shared/rubygems/commands/owner_command.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ruby/shared/rubygems/commands/owner_command.rb b/lib/ruby/shared/rubygems/commands/owner_command.rb +index 322bf65..c5416f8 100644 +--- a/lib/ruby/shared/rubygems/commands/owner_command.rb b/lib/ruby/shared/rubygems/commands/owner_command.rb +@@ -61,7 +61,7 @@ permission to. + end + + with_response response do |resp| +- owners = YAML.load resp.body ++ owners = Gem::SafeYAML.load resp.body + + say "Owners for gem: #{name}" + owners.each do |owner| diff -Nru
Bug#895778: jruby: Several security vulnerabilities
On Sun, Apr 15, 2018 at 10:48:10PM +0200, Markus Koschany wrote:
> I intend to work on the patches for Jessie and Stretch. Unstable could
> be a bit more complicated due to the FTBFS with OpenJDK 9.

Hi Markus,

Thanks for taking care of jessie and stretch. I expect to be able to update jruby in unstable soon, although there is some pending work to do, as I mentioned in #895837. These days I'm more involved with that project as upstream, so I haven't found enough time to work on this package yet.

Cheers,
Miguel.

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche
Bug#895778: jruby: Several security vulnerabilities
I intend to work on the patches for Jessie and Stretch. Unstable could be a bit more complicated due to the FTBFS with OpenJDK 9.

Markus
Bug#895778: jruby: Several security vulnerabilities
Package: jruby
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jruby. Apparently rubygems is embedded into jruby, which makes it vulnerable too.

CVE-2018-179[0]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in gem installation that can result
| in the gem could write to arbitrary filesystem locations during
| installation. This attack appear to be exploitable via the victim must
| install a malicious gem. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-178[1]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Cross Site Scripting (XSS) vulnerability in gem server display of
| homepage attribute that can result in XSS. This attack appear to be
| exploitable via the victim must browse to a malicious gem on a
| vulnerable gem server. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-177[2]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Improper Input Validation vulnerability in ruby gems specification
| homepage attribute that can result in a malicious gem could set an
| invalid homepage URL. This vulnerability appears to have been fixed in
| 2.7.6.
CVE-2018-176[3]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Improper Verification of Cryptographic Signature vulnerability in
| package.rb that can result in a mis-signed gem could be installed, as
| the tarball would contain multiple gem signatures.. This vulnerability
| appears to have been fixed in 2.7.6.

CVE-2018-175[4]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| infinite loop caused by negative size vulnerability in ruby gem
| package tar header that can result in a negative size could cause an
| infinite loop.. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-174[5]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Deserialization of Untrusted Data vulnerability in owner command that
| can result in code execution. This attack appear to be exploitable via
| victim must run the `gem owner` command on a gem with a specially
| crafted YAML file. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-173[6]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in install_location function of
| package.rb that can result in path traversal when writing to a
| symlinked basedir outside of the root. This vulnerability appears to
| have been fixed in 2.7.6.
If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-179
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-179
[1] https://security-tracker.debian.org/tracker/CVE-2018-178
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-178
[2] https://security-tracker.debian.org/tracker/CVE-2018-177
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-177
[3] https://security-tracker.debian.org/tracker/CVE-2018-176
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-176
[4] https://security-tracker.debian.org/tracker/CVE-2018-175
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-175
[5] https://security-tracker.debian.org/tracker/CVE-2018-174
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-174
[6] https://security-tracker.debian.org/tracker/CVE-2018-173
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-173

Please adjust the affected versions in the BTS as needed.

Regards,

Markus
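As an added example that is not part of this bug report or of RubyGems: a containment check of the kind the install_location traversal entries above (CVE-2018-173, the symlinked basedir, and CVE-2018-179, writes outside the install root) call for, run against constructed fixtures in a temporary directory. It goes beyond the basedir case by also resolving a symlinked parent directory shipped inside the gem; `SafeInstall` and its method names are hypothetical.

```ruby
require 'tmpdir'
require 'fileutils'
# Added example, not RubyGems code (names are hypothetical): the containment
# check an installer needs before writing an archive entry under destination_dir.
module SafeInstall
  class PathError < StandardError; end
  # Canonicalise the part of +path+ that already exists on disk. Components
  # that do not exist yet cannot be symlinks, so they are re-joined as-is.
  def self.resolve_existing_prefix(path)
    missing = []
    until File.exist?(path)
      # A dangling symlink is a link without a target: refuse to write through it.
      raise PathError, "dangling symlink at #{path}" if File.symlink?(path)
      missing.unshift(File.basename(path))
      path = File.dirname(path)
    end
    File.join(File.realpath(path), *missing)
  end
  def self.install_location(filename, destination_dir)
    raise PathError, "absolute entry #{filename}" if filename.start_with?('/')
    # The base directory exists, so realpath cannot raise ENOENT here; it makes a
    # symlinked basedir compare in canonical form (the CVE-2018-173 case).
    base = File.realpath(File.expand_path(destination_dir))
    # Normalise ".." lexically, then resolve any already-extracted symlinked
    # parent so an entry such as "link/x.rb" cannot land outside the base.
    candidate = File.expand_path(File.join(base, filename))
    destination = resolve_existing_prefix(candidate)
    unless destination.start_with?(base + File::SEPARATOR)
      raise PathError, "#{filename} resolves outside #{base}"
    end
    destination
  end
  # Constructed fixtures in a temp dir; returns the outcome for each entry.
  def self.demo
    Dir.mktmpdir do |tmp|
      base = File.join(tmp, 'gem-root')
      FileUtils.mkdir_p(File.join(base, 'lib'))
      File.symlink(tmp, File.join(base, 'escape'))        # symlink shipped in the gem
      File.symlink(base, File.join(tmp, 'basedir-link'))  # symlinked basedir
      %w[lib/foo.rb ../outside.txt escape/x.rb].each_with_object({}) do |entry, out|
        out[entry] = begin
          install_location(entry, File.join(tmp, 'basedir-link')).sub(File.realpath(base), '<base>')
        rescue PathError
          :rejected
        end
      end
    end
  end
end
```

Calling `SafeInstall.demo` accepts only `lib/foo.rb` (returned under the canonical base) and rejects both the `..` entry and the entry routed through the in-gem symlink.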