Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #826348,
regarding jessie-pu: package ruby2.1/2.1.5-2+deb8u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
826348: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826348
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

On my Debian Jessie machine, a security issue from 2009 is reported by
debsecan,
<URL: https://security-tracker.debian.org/tracker/CVE-2009-5147 >.

The issue was fixed in Squeeze by the LTS team (DLA-299-1), but has not
yet been fixed in Jessie.  I would like to get it fixed, to get it out
of my debsecan list.

The attached patch is based on the squeeze patch (had to refresh it), and
should solve the problem.

I asked on #debian-security how to best get this solved, and Salvatore
Bonaccorso (carnil) said the security team did not plan to upload a DSA,
so I should use the procedure from
<URL: https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable > to fix it.

Is it OK to upload the fix for stable?

-- System Information:
Debian Release: 8.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=no_NO (charmap=locale: Cannot set 
LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ruby2.1-2.1.5/debian/changelog ruby2.1-2.1.5/debian/changelog
--- ruby2.1-2.1.5/debian/changelog	2015-07-30 14:02:04.000000000 +0200
+++ ruby2.1-2.1.5/debian/changelog	2016-06-04 19:00:48.000000000 +0200
@@ -1,3 +1,11 @@
+ruby2.1 (2.1.5-2+deb8u3) jessie; urgency=medium
+
+  * Non-maintainer upload to fix security problem.
+  * Fix CVE-2009-5147: DL::dlopen could open a library with tainted
+    library name.  Based on patch used in DLA-299-1.
+
+ -- Petter Reinholdtsen <p...@debian.org>  Sat, 04 Jun 2016 18:59:31 +0200
+
 ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high
 
   * Apply upstream patches to fix Request hijacking vulnerability in Rubygems
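
Review bot: the new 2.1.5-2+deb8u3 entry says the fix is "Based on patch used in DLA-299-1" but does not name the file it adds or the source file it touches. Mentioning debian/patches/CVE-2009-5147.patch and ext/dl/handle.c in the second bullet would let a release-team reviewer map the entry to the change without opening the debdiff.
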
diff -Nru ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch
--- ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch	2016-06-04 19:38:20.000000000 +0200
@@ -0,0 +1,31 @@
+Description: CVE-2009-5147: DL::dlopen could open a library with tainted library name
+Origin: upstream, https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b
+Reviewed-by: Santiago R.R. <santiag...@riseup.net>
+
+Index: ruby2.1-2.1.5/ext/dl/handle.c
+===================================================================
+--- ruby2.1-2.1.5.orig/ext/dl/handle.c	2016-06-04 19:38:16.133297957 +0200
++++ ruby2.1-2.1.5/ext/dl/handle.c	2016-06-04 19:38:16.129297922 +0200
+@@ -5,6 +5,8 @@
+ #include <ruby.h>
+ #include "dl.h"
+ 
++#define SafeStringValuePtr(v) (rb_string_value(&v), rb_check_safe_obj(v), RSTRING_PTR(v))
++
+ VALUE rb_cDLHandle;
+ 
+ #ifdef _WIN32
+@@ -132,11 +134,11 @@
+ 	cflag = RTLD_LAZY | RTLD_GLOBAL;
+ 	break;
+       case 1:
+-	clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
++	clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib);
+ 	cflag = RTLD_LAZY | RTLD_GLOBAL;
+ 	break;
+       case 2:
+-	clib = NIL_P(lib) ? NULL : StringValuePtr(lib);
++	clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib);
+ 	cflag = NUM2INT(flag);
+ 	break;
+       default:
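
Review bot: in the added "#define SafeStringValuePtr(v)" line, the macro expands v three times and takes its address with &v, so it is only correct when handed a plain VALUE variable. Both call sites changed here (case 1 and case 2) pass lib, so the result is right as written, but a one-line comment above the define stating that the argument must be a side-effect-free lvalue would protect any later caller without changing the logic taken from the upstream commit named in Origin. Separately, the patch header carries only Description, Origin and Reviewed-by; since the changelog says this is based on the DLA-299-1 patch, a Last-Update field and a note that it was refreshed for 2.1.5 would record how it differs from that source.
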
diff -Nru ruby2.1-2.1.5/debian/patches/series ruby2.1-2.1.5/debian/patches/series
--- ruby2.1-2.1.5/debian/patches/series	2015-08-26 01:53:36.000000000 +0200
+++ ruby2.1-2.1.5/debian/patches/series	2016-06-04 18:52:43.000000000 +0200
@@ -1 +1,2 @@
 debian-changes
+CVE-2009-5147.patch

--- End Message ---
--- Begin Message ---
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
