Package: rubygems
Version: 1.8.24-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

While I was preparing an Ubuntu rubygems update for CVE-2012-2126, I
noticed that rubygems-1.8.24-1 included its own trusted CA certificate
bundle, rather than using the bundle from ca-certificates, to do server
certificate verification in the gem fetcher.

In Ubuntu, the attached patch was applied to achieve the following:

  * Make the RubyGems fetcher use distro-provided ca-certificates
    (LP: #1057926)
    - debian/control: Add ca-certificates to rubygems depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru rubygems-1.8.24/debian/changelog rubygems-1.8.24/debian/changelog
diff -Nru rubygems-1.8.24/debian/control rubygems-1.8.24/debian/control
--- rubygems-1.8.24/debian/control	2012-06-09 06:44:27.000000000 -0700
+++ rubygems-1.8.24/debian/control	2012-09-28 14:18:32.000000000 -0700
@@ -14,7 +14,7 @@
 Package: rubygems
 Architecture: all
 XB-Ruby-Versions: ${ruby:Versions}
-Depends: ${misc:Depends}, ruby1.8
+Depends: ca-certificates, ${misc:Depends}, ruby1.8
 Recommends: ruby1.8-dev, build-essential
 Replaces: rubygems1.8 (<< 1.7.2-1~), rubygems-doc (<< 1.7.2-1~)
 Conflicts: rubygems1.8 (<< 1.7.2-1~), rubygems-doc (<< 1.7.2-1~)
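Review bot: Depends (rather than Recommends) is the right strength for ca-certificates in this hunk, because the accompanying remote_fetcher.rb change adds no trusted certificates at all when /etc/ssl/certs/ca-certificates.crt is absent and the upstream ssl_certs directory is no longer installed, so without the package every HTTPS gem fetch would fail verification. The dependency being unversioned is fine, since the patch relies only on the bundle path and not on a particular release of the package.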
diff -Nru rubygems-1.8.24/debian/patches/20120927-disable_upstream_certs.patch rubygems-1.8.24/debian/patches/20120927-disable_upstream_certs.patch
--- rubygems-1.8.24/debian/patches/20120927-disable_upstream_certs.patch	1969-12-31 16:00:00.000000000 -0800
+++ rubygems-1.8.24/debian/patches/20120927-disable_upstream_certs.patch	2012-09-27 12:12:57.000000000 -0700
@@ -0,0 +1,30 @@
+Description: Use the certificates maintained by the distro
+ Rather than using the certificates packaged in the upstream sources to verify
+ server SSL certificates, use the certificates provided by the ca-certificates
+ package.
+Author: Tyler Hicks <tyhi...@canonical.com>
+Forwarded: not-needed
+Index: rubygems-1.8.24/lib/rubygems/remote_fetcher.rb
+===================================================================
+--- rubygems-1.8.24.orig/lib/rubygems/remote_fetcher.rb	2012-04-27 16:15:17.000000000 -0700
++++ rubygems-1.8.24/lib/rubygems/remote_fetcher.rb	2012-09-27 12:12:53.970805064 -0700
+@@ -8,7 +8,7 @@
+ 
+ class Gem::RemoteFetcher
+ 
+-  BuiltinSSLCerts = File.expand_path("./ssl_certs/*.pem", File.dirname(__FILE__))
++  BuiltinSSLCerts = "/etc/ssl/certs/ca-certificates.crt"
+ 
+   include Gem::UserInteraction
+ 
+@@ -365,8 +365,8 @@
+   end
+ 
+   def add_rubygems_trusted_certs(store)
+-    Dir.glob(BuiltinSSLCerts).each do |ssl_cert_file|
+-      store.add_file ssl_cert_file
++    if File.file? BuiltinSSLCerts
++      store.add_file BuiltinSSLCerts
+     end
+   end
+ 
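Review bot: the new `if File.file? BuiltinSSLCerts` guard in add_rubygems_trusted_certs fails silently: when the bundle is absent the store is left empty and the user later sees only a generic SSL verification error that does not name the missing file. Since the class already includes Gem::UserInteraction, an `else` branch that calls `alert_warning` with the path would make that misconfiguration diagnosable at the point where it happens. Two smaller points: the constant BuiltinSSLCerts now holds a system path rather than anything built in, so a one-line comment (or a rename, if nothing outside this file references it) would avoid confusion; and the single-file replacement for the glob works because OpenSSL::X509::Store#add_file loads every certificate in a concatenated PEM bundle, which is worth stating in the Description header so a later reader does not assume one certificate per file is required.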
diff -Nru rubygems-1.8.24/debian/patches/series rubygems-1.8.24/debian/patches/series
--- rubygems-1.8.24/debian/patches/series	2012-06-09 06:44:27.000000000 -0700
+++ rubygems-1.8.24/debian/patches/series	2012-09-27 12:23:22.000000000 -0700
@@ -5,3 +5,4 @@
 fix-shebang.diff
 20120608-fix-test_gem_platform.rb.diff
 20120608-fix-assert_match.diff
+20120927-disable_upstream_certs.patch
diff -Nru rubygems-1.8.24/debian/rules rubygems-1.8.24/debian/rules
--- rubygems-1.8.24/debian/rules	2012-06-09 06:44:27.000000000 -0700
+++ rubygems-1.8.24/debian/rules	2012-09-27 20:37:45.000000000 -0700
@@ -25,6 +25,8 @@
 
 override_dh_auto_install:
 	dh_auto_install
+	# Do not install the SSL certs bundled in the upstream source
+	rm -rf debian/rubygems/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs
 	mv debian/rubygems/usr/bin/gem debian/rubygems/usr/bin/gem1.8
 	rm debian/rubygems/usr/bin/update_rubygems # not needed
 	# we don't want to share rubygems with 1.9.
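Review bot: the `rm -rf debian/rubygems/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs` line succeeds silently even if that directory does not exist, so if the install path ever changes the upstream certificate bundle would be shipped again without the build noticing. Consider dropping -f (or guarding with `test -d`) so a missing directory fails the build, or add a check after dh_auto_install that no ssl_certs directory remains in the binary package tree.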

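The change described above swaps the RubyGems bundled-certificate glob for a single distro bundle file, and adds nothing to the trust store if that file is missing. The following Ruby example is added here and is not part of the reporter's patch or of RubyGems itself; it builds an OpenSSL::X509::Store the way the patched add_rubygems_trusted_certs does (the build_trust_store helper is constructed for this example), generates a throwaway CA and server certificate in memory, and shows that the server certificate verifies when the bundle file holds the CA and is rejected when the bundle path does not exist. That second case is exactly the state of a system without ca-certificates installed, which is why the hard Depends matters.

```ruby
require 'openssl'
require 'tempfile'

# Mirrors the patched fetcher logic: load one PEM bundle file if present,
# otherwise add nothing to the store. (Helper constructed for this example.)
def build_trust_store(bundle_path)
  store = OpenSSL::X509::Store.new
  loaded = false
  if File.file?(bundle_path)
    # add_file reads every certificate in a concatenated PEM bundle
    store.add_file(bundle_path)
    loaded = true
  end
  [store, loaded]
end

# Constructed fixture: a throwaway CA and a server certificate it signs.
def make_ca_and_leaf
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2                                  # X.509 v3
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse('/CN=Example Test CA')
  ca.issuer = ca.subject                          # self-signed root
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  ca.sign(ca_key, OpenSSL::Digest.new('SHA256'))

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse('/CN=rubygems.example')
  leaf.issuer = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = Time.now - 60
  leaf.not_after = Time.now + 3600
  lef = OpenSSL::X509::ExtensionFactory.new(ca, leaf)
  leaf.add_extension(lef.create_extension('basicConstraints', 'CA:FALSE', true))
  leaf.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  [ca, leaf]
end

# Returns [bundle_loaded?, leaf_verified?] for a given bundle path.
def verify_with_bundle(bundle_path, leaf)
  store, loaded = build_trust_store(bundle_path)
  [loaded, store.verify(leaf)]
end

# Runs both scenarios: bundle present with the CA in it, and bundle missing.
def demo
  ca, leaf = make_ca_and_leaf
  results = {}
  Tempfile.create(['ca-certificates', '.crt']) do |f|
    f.write(ca.to_pem)   # stand-in for /etc/ssl/certs/ca-certificates.crt
    f.flush
    results[:with_bundle] = verify_with_bundle(f.path, leaf)
  end
  # Constructed path that does not exist, like a host without ca-certificates
  results[:missing_bundle] = verify_with_bundle('/nonexistent/ca-certificates.crt', leaf)
  results
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: bundle loaded=#{v[0]}, verified=#{v[1]}" }
end
```

With the bundle present the result is `[true, true]`; with the path missing it is `[false, false]`, and the only signal a user of the patched fetcher would get in that state is the verification failure itself, which is the case the reviewer note on the remote_fetcher hunk suggests warning about.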