diff --git a/SOURCES/ruby-2.6.8-net-ftp-pasv-can-connect-to-arbitrary-host.patch b/SOURCES/ruby-2.6.8-net-ftp-pasv-can-connect-to-arbitrary-host.patch new file mode 100644 index 0000000..03f9685 --- /dev/null +++ b/SOURCES/ruby-2.6.8-net-ftp-pasv-can-connect-to-arbitrary-host.patch @@ -0,0 +1,247 @@ +commit be5a83e84a34091f2a4e3c6dfb911b20e78e690c +Author: usa +Date: Wed Jul 7 10:34:08 2021 +0000 + + Ignore IP addresses in PASV responses by default, and add new option use_pasv_ip + + This fixes CVE-2021-31810. + Reported by Alexandr Savca. + + Co-authored-by: Shugo Maeda + + + git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67949 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb +index e68d825dcf..c5d669d898 100644 +--- a/lib/net/ftp.rb ++++ b/lib/net/ftp.rb +@@ -97,6 +97,10 @@ class FTP < Protocol + # When +true+, the connection is in passive mode. Default: +true+. + attr_accessor :passive + ++ # When +true+, use the IP address in PASV responses. Otherwise, it uses ++ # the same IP address for the control connection. Default: +false+. ++ attr_accessor :use_pasv_ip ++ + # When +true+, all traffic to and from the server is written + # to +$stdout+. Default: +false+. + attr_accessor :debug_mode +@@ -205,6 +209,9 @@ def FTP.open(host, *args) + # handshake. + # See Net::FTP#ssl_handshake_timeout for + # details. Default: +nil+. ++ # use_pasv_ip:: When +true+, use the IP address in PASV responses. ++ # Otherwise, it uses the same IP address for the control ++ # connection. Default: +false+. + # debug_mode:: When +true+, all traffic to and from the server is + # written to +$stdout+. Default: +false+. + # +@@ -265,6 +272,7 @@ def initialize(host = nil, user_or_options = {}, passwd = nil, acct = nil) + @open_timeout = options[:open_timeout] + @ssl_handshake_timeout = options[:ssl_handshake_timeout] + @read_timeout = options[:read_timeout] || 60 ++ @use_pasv_ip = options[:use_pasv_ip] || false + if host + connect(host, options[:port] || FTP_PORT) + if options[:username] +@@ -1330,7 +1338,12 @@ def parse227(resp) # :nodoc: + raise FTPReplyError, resp + end + if m = /\((?\d+(,\d+){3}),(?\d+,\d+)\)/.match(resp) +- return parse_pasv_ipv4_host(m["host"]), parse_pasv_port(m["port"]) ++ if @use_pasv_ip ++ host = parse_pasv_ipv4_host(m["host"]) ++ else ++ host = @bare_sock.remote_address.ip_address ++ end ++ return host, parse_pasv_port(m["port"]) + else + raise FTPProtoError, resp + end +diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb +index a5219644bb..b3fe7774ed 100644 +--- a/test/net/ftp/test_ftp.rb ++++ b/test/net/ftp/test_ftp.rb +@@ -61,7 +61,7 @@ def test_connect_fail + end + + def test_parse227 +- ftp = Net::FTP.new ++ ftp = Net::FTP.new(nil, use_pasv_ip: true) + host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)") + assert_equal("192.168.0.1", host) + assert_equal(3106, port) +@@ -80,6 +80,14 @@ def test_parse227 + assert_raise(Net::FTPProtoError) do + ftp.send(:parse227, "227 ) foo bar (") + end ++ ++ ftp = Net::FTP.new ++ sock = OpenStruct.new ++ sock.remote_address = OpenStruct.new ++ sock.remote_address.ip_address = "10.0.0.1" ++ ftp.instance_variable_set(:@bare_sock, sock) ++ host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)") ++ assert_equal("10.0.0.1", host) + end + + def test_parse228 +@@ -2360,10 +2368,155 @@ def test_puttextfile_command_injection + end + end + ++ def test_ignore_pasv_ip ++ commands = [] ++ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 ++ server = create_ftp_server(nil, "127.0.0.1") { |sock| ++ sock.print("220 (test_ftp).\r\n") ++ commands.push(sock.gets) ++ sock.print("331 Please specify the password.\r\n") ++ commands.push(sock.gets) ++ sock.print("230 Login successful.\r\n") ++ commands.push(sock.gets) ++ sock.print("200 Switching to Binary mode.\r\n") ++ line = sock.gets ++ commands.push(line) ++ data_server = TCPServer.new("127.0.0.1", 0) ++ port = data_server.local_address.ip_port ++ sock.printf("227 Entering Passive Mode (999,0,0,1,%s).\r\n", ++ port.divmod(256).join(",")) ++ commands.push(sock.gets) ++ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n") ++ conn = data_server.accept ++ binary_data.scan(/.{1,1024}/nm) do |s| ++ conn.print(s) ++ end ++ conn.shutdown(Socket::SHUT_WR) ++ conn.read ++ conn.close ++ data_server.close ++ sock.print("226 Transfer complete.\r\n") ++ } ++ begin ++ begin ++ ftp = Net::FTP.new ++ ftp.passive = true ++ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait ++ ftp.connect("127.0.0.1", server.port) ++ ftp.login ++ assert_match(/\AUSER /, commands.shift) ++ assert_match(/\APASS /, commands.shift) ++ assert_equal("TYPE I\r\n", commands.shift) ++ buf = ftp.getbinaryfile("foo", nil) ++ assert_equal(binary_data, buf) ++ assert_equal(Encoding::ASCII_8BIT, buf.encoding) ++ assert_equal("PASV\r\n", commands.shift) ++ assert_equal("RETR foo\r\n", commands.shift) ++ assert_equal(nil, commands.shift) ++ ensure ++ ftp.close if ftp ++ end ++ ensure ++ server.close ++ end ++ end ++ ++ def test_use_pasv_ip ++ commands = [] ++ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 ++ server = create_ftp_server(nil, "127.0.0.1") { |sock| ++ sock.print("220 (test_ftp).\r\n") ++ commands.push(sock.gets) ++ sock.print("331 Please specify the password.\r\n") ++ commands.push(sock.gets) ++ sock.print("230 Login successful.\r\n") ++ commands.push(sock.gets) ++ sock.print("200 Switching to Binary mode.\r\n") ++ line = sock.gets ++ commands.push(line) ++ data_server = TCPServer.new("127.0.0.1", 0) ++ port = data_server.local_address.ip_port ++ sock.printf("227 Entering Passive Mode (127,0,0,1,%s).\r\n", ++ port.divmod(256).join(",")) ++ commands.push(sock.gets) ++ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n") ++ conn = data_server.accept ++ binary_data.scan(/.{1,1024}/nm) do |s| ++ conn.print(s) ++ end ++ conn.shutdown(Socket::SHUT_WR) ++ conn.read ++ conn.close ++ data_server.close ++ sock.print("226 Transfer complete.\r\n") ++ } ++ begin ++ begin ++ ftp = Net::FTP.new ++ ftp.passive = true ++ ftp.use_pasv_ip = true ++ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait ++ ftp.connect("127.0.0.1", server.port) ++ ftp.login ++ assert_match(/\AUSER /, commands.shift) ++ assert_match(/\APASS /, commands.shift) ++ assert_equal("TYPE I\r\n", commands.shift) ++ buf = ftp.getbinaryfile("foo", nil) ++ assert_equal(binary_data, buf) ++ assert_equal(Encoding::ASCII_8BIT, buf.encoding) ++ assert_equal("PASV\r\n", commands.shift) ++ assert_equal("RETR foo\r\n", commands.shift) ++ assert_equal(nil, commands.shift) ++ ensure ++ ftp.close if ftp ++ end ++ ensure ++ server.close ++ end ++ end ++ ++ def test_use_pasv_invalid_ip ++ commands = [] ++ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 ++ server = create_ftp_server(nil, "127.0.0.1") { |sock| ++ sock.print("220 (test_ftp).\r\n") ++ commands.push(sock.gets) ++ sock.print("331 Please specify the password.\r\n") ++ commands.push(sock.gets) ++ sock.print("230 Login successful.\r\n") ++ commands.push(sock.gets) ++ sock.print("200 Switching to Binary mode.\r\n") ++ line = sock.gets ++ commands.push(line) ++ sock.print("227 Entering Passive Mode (999,0,0,1,48,57).\r\n") ++ commands.push(sock.gets) ++ } ++ begin ++ begin ++ ftp = Net::FTP.new ++ ftp.passive = true ++ ftp.use_pasv_ip = true ++ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait ++ ftp.connect("127.0.0.1", server.port) ++ ftp.login ++ assert_match(/\AUSER /, commands.shift) ++ assert_match(/\APASS /, commands.shift) ++ assert_equal("TYPE I\r\n", commands.shift) ++ assert_raise(SocketError) do ++ ftp.getbinaryfile("foo", nil) ++ end ++ ensure ++ ftp.close if ftp ++ end ++ ensure ++ server.close ++ end ++ end ++ + private + +- def create_ftp_server(sleep_time = nil) +- server = TCPServer.new(SERVER_ADDR, 0) ++ def create_ftp_server(sleep_time = nil, addr = SERVER_ADDR) ++ server = TCPServer.new(addr, 0) + @thread = Thread.start do + if sleep_time + sleep(sleep_time) diff --git a/SOURCES/ruby-2.6.8-net-imap-startls-stripping-vulnerability.patch b/SOURCES/ruby-2.6.8-net-imap-startls-stripping-vulnerability.patch new file mode 100644 index 0000000..83a655f --- /dev/null +++ b/SOURCES/ruby-2.6.8-net-imap-startls-stripping-vulnerability.patch @@ -0,0 +1,101 @@ +commit 95ba9053e20ad8d113af37b3f1f4cbfff1f6a8f1 +Author: usa +Date: Wed Jul 7 10:38:10 2021 +0000 + + Fix StartTLS stripping vulnerability + + Reported by Alexandr Savca in https://hackerone.com/reports/1178562 + + Co-authored-by: Shugo Maeda + + + git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67950 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +diff --git a/lib/net/imap.rb b/lib/net/imap.rb +index 1c7e89ba14..91df89b79e 100644 +--- a/lib/net/imap.rb ++++ b/lib/net/imap.rb +@@ -1213,12 +1213,14 @@ def get_tagged_response(tag, cmd) + end + resp = @tagged_responses.delete(tag) + case resp.name ++ when /\A(?:OK)\z/ni ++ return resp + when /\A(?:NO)\z/ni + raise NoResponseError, resp + when /\A(?:BAD)\z/ni + raise BadResponseError, resp + else +- return resp ++ raise UnknownResponseError, resp + end + end + +@@ -3714,6 +3716,10 @@ class BadResponseError < ResponseError + class ByeResponseError < ResponseError + end + ++ # Error raised upon an unknown response from the server. ++ class UnknownResponseError < ResponseError ++ end ++ + RESPONSE_ERRORS = Hash.new(ResponseError) + RESPONSE_ERRORS["NO"] = NoResponseError + RESPONSE_ERRORS["BAD"] = BadResponseError +diff --git a/test/net/imap/test_imap.rb b/test/net/imap/test_imap.rb +index 936f4e0f42..81928cb8fe 100644 +--- a/test/net/imap/test_imap.rb ++++ b/test/net/imap/test_imap.rb +@@ -127,6 +127,24 @@ def test_starttls + imap.disconnect + end + end ++ ++ def test_starttls_stripping ++ starttls_stripping_test do |port| ++ imap = Net::IMAP.new("localhost", :port => port) ++ assert_raise(Net::IMAP::UnknownResponseError) do ++ imap.starttls(:ca_file => CA_FILE) ++ end ++ imap ++ end ++ end ++ end ++ ++ def start_server ++ th = Thread.new do ++ yield ++ end ++ @threads << th ++ sleep 0.1 until th.stop? + end + + def test_unexpected_eof +@@ -760,6 +760,27 @@ def starttls_test + end + end + ++ def starttls_stripping_test ++ server = create_tcp_server ++ port = server.addr[1] ++ start_server do ++ sock = server.accept ++ begin ++ sock.print("* OK test server\r\n") ++ sock.gets ++ sock.print("RUBY0001 BUG unhandled command\r\n") ++ ensure ++ sock.close ++ server.close ++ end ++ end ++ begin ++ imap = yield(port) ++ ensure ++ imap.disconnect if imap && !imap.disconnected? ++ end ++ end ++ + def create_tcp_server + return TCPServer.new(server_addr, 0) + end diff --git a/SOURCES/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch b/SOURCES/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch new file mode 100644 index 0000000..2cca400 --- /dev/null +++ b/SOURCES/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch @@ -0,0 +1,88 @@ +commit fe3c49c9baeeab58304ede915b7edd18ecf360fc +Author: usa +Date: Sat Jul 3 17:10:28 2021 +0000 + + merge revision(s) b1c73f23,c9ab8fe2: [Backport #17877] + + [ruby/rdoc] Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799 + + https://github.com/ruby/rdoc/commit/a7f5d6ab88 + + The test for command injection on Unix platforms should be omitted on Windows + + + git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67947 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb +index ca2c1abefd..46aace7839 100644 +--- a/lib/rdoc/rdoc.rb ++++ b/lib/rdoc/rdoc.rb +@@ -436,7 +436,7 @@ def remove_unparseable files + files.reject do |file| + file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or + (file =~ /tags$/i and +- open(file, 'rb') { |io| ++ File.open(file, 'rb') { |io| + io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/ + }) + end +--- a/lib/rdoc/encoding.rb 2022-02-16 16:51:28.080178281 +0100 ++++ b/lib/rdoc/encoding.rb 2022-02-16 16:51:37.108160840 +0100 +@@ -18,7 +18,7 @@ + # unknown character in the target encoding will be replaced with '?' + + def self.read_file filename, encoding, force_transcode = false +- content = open filename, "rb" do |f| f.read end ++ content = File.open filename, "rb" do |f| f.read end + content.gsub!("\r\n", "\n") if RUBY_PLATFORM =~ /mswin|mingw/ + + utf8 = content.sub!(/\A\xef\xbb\xbf/, '') +--- a/lib/rdoc/parser.rb 2021-04-05 13:46:35.000000000 +0200 ++++ b/lib/rdoc/parser.rb 2022-02-16 15:37:17.904822389 +0100 +@@ -74,7 +74,12 @@ + def self.binary?(file) + return false if file =~ /\.(rdoc|txt)$/ + +- s = File.read(file, 1024) or return false ++ begin ++ open_file = File.open(file) ++ s = open_file.read(1024) or return false ++ ensure ++ open_file.close if open_file ++ end + + return true if s[0, 2] == Marshal.dump('')[0, 2] or s.index("\x00") + +@@ -92,7 +97,8 @@ + # http://www.garykessler.net/library/file_sigs.html + + def self.zip? file +- zip_signature = File.read file, 4 ++ zip_signature = '' ++ File.open(file) { |f| zip_signature = f.read(4) } + + zip_signature == "PK\x03\x04" or + zip_signature == "PK\x05\x06" or +diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb +index 3bce54b243..123b1a4f87 100644 +--- a/test/rdoc/test_rdoc_rdoc.rb ++++ b/test/rdoc/test_rdoc_rdoc.rb +@@ -366,6 +366,18 @@ def test_remove_unparseable_tags_vim + end + end + ++ def test_remove_unparseable_CVE_2021_31799 ++ skip 'for Un*x platforms' if Gem.win_platform? ++ temp_dir do ++ file_list = ['| touch evil.txt && echo tags'] ++ file_list.each do |f| ++ FileUtils.touch f ++ end ++ assert_equal file_list, @rdoc.remove_unparseable(file_list) ++ assert_equal file_list, Dir.children('.') ++ end ++ end ++ + def test_setup_output_dir + Dir.mktmpdir {|d| + path = File.join d, 'testdir' diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec index fc59c29..d2cdffa 100644 --- a/SPECS/ruby.spec +++ b/SPECS/ruby.spec @@ -21,7 +21,7 @@ %endif -%global release 107 +%global release 109 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} @@ -176,8 +176,18 @@ Patch27: ruby-2.6.0-rdoc-6.0.2-fix-different-js-gz-pages-across-multilib.patch Patch28: ruby-2.5.9-revert-stop-the-error-due-to-openssl-1-1-1h.patch # Resolv::DNS: timeouts if multiple IPv6 name servers are given and address # contains leading zero -# https://bugzilla.redhat.com/show_bug.cgi?id=1955010 +# https://bugzilla.redhat.com/show_bug.cgi?id=1950308 Patch29: ruby-3.0.0-Convert-ip-addresses-to-canonical-form.patch +# Fix CVE-2021-31799 rdoc: Command injection vulnerability in RDoc. +# https://bugzilla.redhat.com/show_bug.cgi?id=1980839 +Patch30: ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch +# Fix CVE-2021-32066 StartTLS stripping vulnerability in Net::IMAP. +# https://bugzilla.redhat.com/show_bug.cgi?id=1980830 +Patch31: ruby-2.6.8-net-imap-startls-stripping-vulnerability.patch +# Fix CVE-2021-31810 FTP PASV command response can cause Net::FTP to connect +# to arbitrary host. +# https://bugzilla.redhat.com/show_bug.cgi?id=1980825 +Patch32: ruby-2.6.8-net-ftp-pasv-can-connect-to-arbitrary-host.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick @@ -577,6 +587,9 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \ %patch27 -p1 %patch28 -p1 -R %patch29 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1129,13 +1142,25 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \ %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %changelog +* Wed Feb 16 2022 Jarek Prokop - 2.5.9-109 +- Properly fix command injection vulnerability in Rdoc. + Related: CVE-2021-31799 + +* Wed Feb 09 2022 Jarek Prokop - 2.5.9-108 +- Fix command injection vulnerability in RDoc. + Resolves: CVE-2021-31799 +- Fix StartTLS stripping vulnerability in Net::IMAP + Resolves: CVE-2021-32066 +- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host. + Resolves: CVE-2021-31810 + * Mon Apr 19 2021 Pavel Valena - 2.5.9-107 - Update to Ruby 2.5.9. * Remove Patch20: ruby-2.6.0-rdoc-6.0.1-fix-template-typo.patch; subsumed - Resolves: rhbz#1952626 + Resolves: rhbz#1757844 - Resolv::DNS: timeouts if multiple IPv6 name servers are given and address contains leading zero - Resolves: rhbz#1955010 + Resolves: rhbz#1950308 * Mon Jun 22 2020 Pavel Valena - 2.5.5-106 - Remove file with non-commercial license from did_you_mean gem.