Package: ruby1.9.1
Version: 1.9.3.194-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch
Dear Maintainer,

While I was preparing an Ubuntu ruby1.9.1 update for CVE-2012-2126, I noticed that ruby1.9.1-1.9.3.194-1 included its own trusted CA certificate bundle, rather than using the bundle from ca-certificates, to do server certificate verification in the gem fetcher.

In Ubuntu, the attached patch was applied to achieve the following:

  * Make the RubyGems fetcher use distro-provided ca-certificates (LP: #1057926)
    - debian/control: Add ca-certificates to libruby1.9.1 depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.

Thanks for considering the patch.

-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog diff -Nru ruby1.9.1-1.9.3.194/debian/control ruby1.9.1-1.9.3.194/debian/control --- ruby1.9.1-1.9.3.194/debian/control 2012-05-27 15:47:25.000000000 -0700 +++ ruby1.9.1-1.9.3.194/debian/control 2012-09-28 14:29:00.000000000 -0700 @@ -29,7 +29,7 @@ Package: libruby1.9.1 Section: libs Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends} +Depends: ca-certificates, ${shlibs:Depends}, ${misc:Depends} Conflicts: libdbm-ruby1.9.1, libgdbm-ruby1.9.1, libreadline-ruby1.9.1, libopenssl-ruby1.9.1, irb1.8 (<< 1.9.1.378-2~), rdoc1.8 (<< 1.9.1.378-2~) Replaces: libdbm-ruby1.9.1, libgdbm-ruby1.9.1, libreadline-ruby1.9.1, libopenssl-ruby1.9.1, irb1.8, rdoc1.8 Provides: libdbm-ruby1.9.1, libgdbm-ruby1.9.1, libreadline-ruby1.9.1, libopenssl-ruby1.9.1 diff -Nru ruby1.9.1-1.9.3.194/debian/patches/20120927-rubygems_disable_upstream_certs.patch ruby1.9.1-1.9.3.194/debian/patches/20120927-rubygems_disable_upstream_certs.patch --- ruby1.9.1-1.9.3.194/debian/patches/20120927-rubygems_disable_upstream_certs.patch 1969-12-31 16:00:00.000000000 -0800 +++ ruby1.9.1-1.9.3.194/debian/patches/20120927-rubygems_disable_upstream_certs.patch 2012-09-28 00:09:07.000000000 -0700 
@@ -0,0 +1,30 @@ +Description: Use the certificates maintained by the distro + Rather than using the certificates packaged in the upstream sources to verify + server SSL certificates, use the certificates provided by the ca-certificates + package. +Author: Tyler Hicks <tyhi...@canonical.com> +Forwarded: not-needed +Index: ruby1.9.1-1.9.3.194/lib/rubygems/remote_fetcher.rb +=================================================================== +--- ruby1.9.1-1.9.3.194.orig/lib/rubygems/remote_fetcher.rb 2012-09-27 10:48:23.046684546 -0700 ++++ ruby1.9.1-1.9.3.194/lib/rubygems/remote_fetcher.rb 2012-09-27 10:48:42.590685014 -0700 +@@ -8,7 +8,7 @@ + + class Gem::RemoteFetcher + +- BuiltinSSLCerts = File.expand_path("./ssl_certs/*.pem", File.dirname(__FILE__)) ++ BuiltinSSLCerts = "/etc/ssl/certs/ca-certificates.crt" + + include Gem::UserInteraction + +@@ -354,8 +354,8 @@ + end + + def add_rubygems_trusted_certs(store) +- Dir.glob(BuiltinSSLCerts).each do |ssl_cert_file| +- store.add_file ssl_cert_file ++ if File.file? BuiltinSSLCerts ++ store.add_file BuiltinSSLCerts + end + end + diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series --- ruby1.9.1-1.9.3.194/debian/patches/series 2012-05-27 15:46:34.000000000 -0700 +++ ruby1.9.1-1.9.3.194/debian/patches/series 2012-09-28 00:32:14.000000000 -0700 @@ -16,3 +16,5 @@ 110829-hurd_dirent_usage.patch hurd-path-max.diff 20120517-r35434.patch +20120927-rubygems_disable_upstream_certs.patch diff -Nru ruby1.9.1-1.9.3.194/debian/rules ruby1.9.1-1.9.3.194/debian/rules --- ruby1.9.1-1.9.3.194/debian/rules 2012-06-02 03:35:36.000000000 -0700 +++ ruby1.9.1-1.9.3.194/debian/rules 2012-09-28 00:09:07.000000000 -0700 
@@ -170,7 +170,8 @@ for f in libruby-$(ruby_ver).so.$(ruby_ver) libruby-$(ruby_ver).so.$(ruby_ver_major); do \ echo usr/lib/$$f; \ done) | xargs dh_movefiles -p$(cdbs_curpkg) - dh_movefiles -p$(cdbs_curpkg) $(ruby_libdir) + # Do not install the SSL certs bundled in the upstream source + dh_movefiles -p$(cdbs_curpkg) -Xssl_certs $(ruby_libdir) cd $(DEB_SRCDIR)/ext && \ for dir in \
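Review bot: in the debian/control hunk, a hard Depends on ca-certificates for libruby1.9.1 is the right strength, since the patched fetcher reads only /etc/ssl/certs/ca-certificates.crt and otherwise verifies against an empty store; a Recommends would leave installs done with --no-install-recommends unable to fetch from any HTTPS gem source. Note also that the `diff -Nru ... debian/changelog` header at the top of the attachment has no hunk following it, so the changelog entry describing this dependency change and the LP bug reference is either missing from the patch or was stripped on the way in; please check the full diff carries it.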
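Review bot: in the remote_fetcher.rb hunk, the `if File.file? BuiltinSSLCerts` guard in `add_rubygems_trusted_certs` turns a missing CA bundle into a silently empty store, so a user without /etc/ssl/certs/ca-certificates.crt gets only a generic certificate verification failure from the fetcher with nothing pointing at the bundle. Failing closed is the correct outcome, but an `else` branch that warns, for example `warn "No CA bundle at #{BuiltinSSLCerts}; HTTPS gem sources cannot be verified"`, would make the cause obvious. The loading itself is fine: `OpenSSL::X509::Store#add_file` reads every certificate in a concatenated PEM bundle, so the glob is not needed. A style point: the constant is still named `BuiltinSSLCerts` although it now holds the distro bundle path, so either rename it or add a comment saying why it points outside the gem tree.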
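Review bot: in the debian/rules hunk, `-Xssl_certs` on the dh_movefiles call is a substring match against the whole path (dh_movefiles excludes any file whose name contains the item), so it drops the rubygems ssl_certs directory as intended but would also exclude any other path in $(ruby_libdir) that happens to contain that string; fine for this tree, but worth stating in the comment. The comment could also say that the distro bundle from ca-certificates is used instead, so that a future packager does not reinstate the upstream PEM files when syncing with a new upstream release.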