Bug#895778: jruby: Several security vulnerabilities

2018-04-29 Thread Markus Koschany
Hi Miguel,

I have prepared security updates for Jessie and Stretch. Unfortunately I
discovered that jruby in Jessie FTBFS at the moment. This is unrelated
to the patches.

Do you know how to resolve that?

generate-method-classes:

_gmc_internal_:
 [echo] Generating invokers...
 [java] Exception in thread "main" java.lang.ClassFormatError: Duplicate method name in class file org/jruby/RubyFixnum$i_method_multi$RUBYINVOKER$to_s
 [java]     at java.lang.ClassLoader.defineClass1(Native Method)
 [java]     at java.lang.ClassLoader.defineClass(ClassLoader.java:803)
 [java]     at org.jruby.util.JRubyClassLoader.defineClass(JRubyClassLoader.java:39)
 [java]     at org.jruby.internal.runtime.methods.DumpingInvocationMethodFactory.endClass(DumpingInvocationMethodFactory.java:64)
 [java]     at org.jruby.internal.runtime.methods.InvocationMethodFactory.getAnnotatedMethodClass(InvocationMethodFactory.java:721)
 [java]     at org.jruby.anno.InvokerGenerator.main(InvokerGenerator.java:45)

I'm attaching the stretch debdiff to this bug report and will push the
patches for Jessie.

Cheers,

Markus
diff -Nru jruby-1.7.26/debian/changelog jruby-1.7.26/debian/changelog
--- jruby-1.7.26/debian/changelog   2016-11-12 21:33:13.0 +0100
+++ jruby-1.7.26/debian/changelog   2018-04-29 22:24:33.0 +0200
@@ -1,3 +1,25 @@
+jruby (1.7.26-1+deb9u1) stretch-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2018-173: Directory Traversal vulnerability in install_location
+function of package.rb that can result in path traversal when writing to a
+symlinked basedir outside of the root.
+  * Fix CVE-2018-174: possible Unsafe Object Deserialization Vulnerability
+in gem owner.
+  * Fix CVE-2018-175: Strictly interpret octal fields in tar headers to
+avoid infinite loop
+  * Fix CVE-2018-176: Raise a security error when there are duplicate
+files in a package
+  * Fix CVE-2018-177: Enforce URL validation on spec homepage attribute.
+  * Fix CVE-2018-178: Mitigate XSS vulnerability in homepage attribute
+when displayed via gem server.
+  * Fix CVE-2018-179: Directory Traversal vulnerability in gem installation
+that can result in writing to arbitrary filesystem locations during
+installation of malicious gems.
+(Closes: #895778)
+
+ -- Markus Koschany   Sun, 29 Apr 2018 22:24:33 +0200
+
 jruby (1.7.26-1) unstable; urgency=medium
 
   * Team upload.
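Review bot: the stretch changelog credits fixes for seven CVE ids (CVE-2018-173 through CVE-2018-179), but only the patch files for CVE-2018-173 and CVE-2018-174 appear before the pasted debdiff is cut off at the final `diff -Nru`, and no change to debian/patches/series is visible in what was pasted; please confirm the remaining five patch files and the series update are part of the uploaded debdiff, since quilt applies only the patches listed in series. A smaller point: the CVE-2018-176 entry ("duplicate files in a package") reads quite differently from the CVE text in the report ("Improper Verification of Cryptographic Signature ... multiple gem signatures"); mentioning the signature aspect would make the entry easier to match against the tracker.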
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-173.patch 
jruby-1.7.26/debian/patches/CVE-2018-173.patch
--- jruby-1.7.26/debian/patches/CVE-2018-173.patch  1970-01-01 
01:00:00.0 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-173.patch  2018-04-29 
22:24:33.0 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany 
+Date: Sun, 29 Apr 2018 21:29:28 +0200
+Subject: CVE-2018-173
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: 
https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
+---
+ lib/ruby/shared/rubygems/package.rb | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/ruby/shared/rubygems/package.rb 
b/lib/ruby/shared/rubygems/package.rb
+index e8b8b38..25ac814 100644
+--- a/lib/ruby/shared/rubygems/package.rb
 b/lib/ruby/shared/rubygems/package.rb
+@@ -405,6 +405,8 @@ EOM
+ destination_dir = File.expand_path destination_dir
+ 
+ destination = File.join destination_dir, filename
++destination = File.realpath destination if
++  File.respond_to? :realpath
+ destination = File.expand_path destination
+ 
+ raise Gem::Package::PathError.new(destination, destination_dir) unless
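Review bot: `File.realpath destination` raises Errno::ENOENT when `destination` does not exist yet, and on a fresh install the file being extracted normally does not exist, so the two added lines turn an ordinary install into an unhandled exception rather than the intended Gem::Package::PathError, and a symlinked parent directory is only caught in the case where the leaf already exists. Resolving the parent directory (`File.dirname destination`) with realpath and re-joining the basename, or at least rescuing Errno::ENOENT, would cover the symlinked-basedir case without breaking normal installs. Also, `destination_dir` is only passed through File.expand_path and not realpath, so the comparison in the `raise ... unless` line can reject legitimate files whenever the install root itself sits behind a symlink; applying realpath to both sides keeps the check consistent.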
diff -Nru jruby-1.7.26/debian/patches/CVE-2018-174.patch 
jruby-1.7.26/debian/patches/CVE-2018-174.patch
--- jruby-1.7.26/debian/patches/CVE-2018-174.patch  1970-01-01 
01:00:00.0 +0100
+++ jruby-1.7.26/debian/patches/CVE-2018-174.patch  2018-04-29 
22:24:33.0 +0200
@@ -0,0 +1,23 @@
+From: Markus Koschany 
+Date: Sun, 29 Apr 2018 21:11:01 +0200
+Subject: CVE-2018-174
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+Origin: 
https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
+---
+ lib/ruby/shared/rubygems/commands/owner_command.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ruby/shared/rubygems/commands/owner_command.rb 
b/lib/ruby/shared/rubygems/commands/owner_command.rb
+index 322bf65..c5416f8 100644
+--- a/lib/ruby/shared/rubygems/commands/owner_command.rb
 b/lib/ruby/shared/rubygems/commands/owner_command.rb
+@@ -61,7 +61,7 @@ permission to.
+ end
+ 
+ with_response response do |resp|
+-  owners = YAML.load resp.body
++  owners = Gem::SafeYAML.load resp.body
+ 
+   say "Owners for gem: #{name}"
+   owners.each do |owner|
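Review bot: the switch to `Gem::SafeYAML.load` only helps if `Gem::SafeYAML` is defined in the RubyGems copy embedded in jruby 1.7.26 (a safe_yaml.rb or equivalent under lib/ruby/shared/rubygems) and is loaded before owner_command.rb runs; the hunk adds no `require`, so if the constant is missing in this older tree the command fails with NameError instead of performing the safe load. Please confirm the constant resolves in this tree, for example by exercising `gem owner` against a fixture response in the build's test step, and add the require if it turns out to be needed.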
diff -Nru 

Bug#895778: jruby: Several security vulnerabilities

2018-04-16 Thread Miguel Landaeta
On Sun, Apr 15, 2018 at 10:48:10PM +0200, Markus Koschany wrote:
> I intend to work on the patches for Jessie and Stretch. Unstable could
> be a bit more complicated due to the FTBFS with OpenJDK 9.

Hi Markus,

Thanks for taking care of jessie and stretch.

I expect to be able to update jruby in unstable soon, although there
is some pending work to do, as I mentioned in #895837.

These days I'm more involved with that project as upstream, so I haven't
found enough time to work on this package yet.

Cheers,
Miguel.

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche




Bug#895778: jruby: Several security vulnerabilities

2018-04-15 Thread Markus Koschany
I intend to work on the patches for Jessie and Stretch. Unstable could
be a bit more complicated due to the FTBFS with OpenJDK 9.

Markus





Bug#895778: jruby: Several security vulnerabilities

2018-04-15 Thread Markus Koschany
Package: jruby
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jruby. Apparently
rubygems is embedded into jruby, which makes it vulnerable too.

CVE-2018-179[0]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in gem installation that can result
| in the gem could write to arbitrary filesystem locations during
| installation. This attack appears to be exploitable via the victim must
| install a malicious gem. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-178[1]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Cross Site Scripting (XSS) vulnerability in gem server display of
| homepage attribute that can result in XSS. This attack appears to be
| exploitable via the victim must browse to a malicious gem on a
| vulnerable gem server. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-177[2]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| an Improper Input Validation vulnerability in ruby gems specification
| homepage attribute that can result in a malicious gem could set an
| invalid homepage URL. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-176[3]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| an Improper Verification of Cryptographic Signature vulnerability in
| package.rb that can result in a mis-signed gem could be installed, as
| the tarball would contain multiple gem signatures. This vulnerability
| appears to have been fixed in 2.7.6.

CVE-2018-175[4]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| an infinite loop caused by negative size vulnerability in ruby gem
| package tar header that can result in a negative size could cause an
| infinite loop. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-174[5]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Deserialization of Untrusted Data vulnerability in owner command that
| can result in code execution. This attack appears to be exploitable via
| victim must run the `gem owner` command on a gem with a specially
| crafted YAML file. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-173[6]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in install_location function of
| package.rb that can result in path traversal when writing to a
| symlinked basedir outside of the root. This vulnerability appears to
| have been fixed in 2.7.6.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-179
[1] https://security-tracker.debian.org/tracker/CVE-2018-178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-178
[2] https://security-tracker.debian.org/tracker/CVE-2018-177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-177
[3] https://security-tracker.debian.org/tracker/CVE-2018-176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-176
[4] https://security-tracker.debian.org/tracker/CVE-2018-175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-175
[5] https://security-tracker.debian.org/tracker/CVE-2018-174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-174
[6] https://security-tracker.debian.org/tracker/CVE-2018-173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-173

Please adjust the affected versions in the BTS as needed.

Regards,

Markus



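The path-traversal entries above (CVE-2018-173, a symlinked basedir escaping the install root, and CVE-2018-179, archive entry names writing outside the install directory) both come down to one missing check: the final, symlink-resolved location of every extracted file must stay inside the symlink-resolved destination directory. The Ruby below is an added example written for this report; it is not RubyGems code and not the Debian patch. All directory names, entry names and the `confined_install_path` / `classify` / `demo` helpers are constructed for the demonstration. It resolves the nearest existing ancestor of the target path (the file itself usually does not exist yet), re-attaches the not-yet-created components, and rejects anything that lands outside the root, including escapes through a symlinked subdirectory and dangling symlinks in the path.

```ruby
require "tmpdir"
require "fileutils"

# Raised when an install path would land outside the destination directory.
class PathEscapeError < StandardError; end

# Resolve +path+ through the filesystem as far as it exists: walk up to the
# nearest existing ancestor, realpath it (following symlinks), then re-attach
# the components that do not exist yet. A dangling symlink on the way is
# rejected outright, because writing through it would create a file wherever
# the link points.
def resolve_existing_prefix(path)
  tail = []
  dir = path
  until File.exist?(dir)
    raise PathEscapeError, "#{dir} is a dangling symlink" if File.symlink?(dir)
    tail.unshift(File.basename(dir))
    dir = File.dirname(dir)           # terminates: "/" always exists
  end
  File.join(File.realpath(dir), *tail)
end

# Return the absolute, symlink-resolved path where +filename+ would be written
# under +destination_dir+, or raise PathEscapeError if that location is not
# inside the (also symlink-resolved) destination directory. Resolving both
# sides avoids false rejections when the install root itself sits behind a
# symlink.
def confined_install_path(destination_dir, filename)
  root = File.realpath(File.expand_path(destination_dir))
  candidate = File.expand_path(File.join(root, filename))   # collapses ".."
  resolved = resolve_existing_prefix(candidate)
  unless resolved.start_with?(root + File::SEPARATOR)
    raise PathEscapeError, "#{filename.inspect} resolves to #{resolved}, outside #{root}"
  end
  resolved
end

# Classify one archive entry name as :allowed or :rejected without raising.
def classify(destination_dir, filename)
  confined_install_path(destination_dir, filename)
  :allowed
rescue PathEscapeError
  :rejected
end

# Build a constructed layout in a temporary directory:
#   <tmp>/gems/example-1.0/lib      a legitimate subdirectory
#   <tmp>/gems/example-1.0/escape   a symlink to <tmp>/outside
#   <tmp>/outside                   a directory the installer must never touch
# and return how a set of constructed entry names is classified.
def demo
  Dir.mktmpdir("confined-install") do |base|
    root = File.join(base, "gems", "example-1.0")
    outside = File.join(base, "outside")
    FileUtils.mkdir_p(File.join(root, "lib"))
    FileUtils.mkdir_p(outside)
    File.symlink(outside, File.join(root, "escape"))
    File.symlink(File.join(base, "missing"), File.join(root, "dangling"))

    entries = [
      "lib/example.rb",            # ordinary file inside the gem directory
      "lib/../lib/version.rb",     # ".." that still normalises inside the root
      "newdir/sub/file.rb",        # parent directories not created yet: fine
      "../../outside/evil.rb",     # plain ".." traversal out of the root
      "escape/evil.rb",            # traversal through a symlinked subdirectory
      "escape/deeper/evil.rb",     # same, with extra not-yet-existing components
      "dangling",                  # entry that would write through a dangling link
    ]
    entries.map { |name| [name, classify(root, name)] }.to_h
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

Running the file prints one `:allowed`/`:rejected` verdict per constructed entry. The check is deliberately applied to the resolved path rather than to the entry name, so it also covers the symlink-planted-by-an-earlier-entry case that a string-only ".." filter misses.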