diff --git a/SOURCES/ruby-2.0.0-p594-CVE-2014-8080-REXML-billion-laughs-attack.patch b/SOURCES/ruby-2.0.0-p594-CVE-2014-8080-REXML-billion-laughs-attack.patch
new file mode 100644
index 0000000..de00efa
--- /dev/null
+++ b/SOURCES/ruby-2.0.0-p594-CVE-2014-8080-REXML-billion-laughs-attack.patch
@@ -0,0 +1,114 @@ +Index: ChangeLog +=================================================================== +--- ChangeLog (revision 48161) ++++ ChangeLog (revision 48162) +@@ -1,3 +1,9 @@ ++Mon Oct 27 20:21:05 2014 NAKAMURA Usaku ++ ++ * lib/rexml/entity.rb: keep the entity size within the limitation. ++ reported by Willis Vandevanter and ++ patched by nahi. ++ + Mon Sep 22 12:10:29 2014 Tanaka Akira + + * test/ruby/test_time_tz.rb: Fix test error with tzdata-2014g. +Index: lib/rexml/entity.rb +=================================================================== +--- lib/rexml/entity.rb (revision 48161) ++++ lib/rexml/entity.rb (revision 48162) +@@ -138,8 +138,14 @@ + matches = @value.scan(PEREFERENCE_RE) + rv = @value.clone + if @parent ++ sum = 0 + matches.each do |entity_reference| + entity_value = @parent.entity( entity_reference[0] ) ++ if sum + entity_value.bytesize > Document.entity_expansion_text_limit ++ raise "entity expansion has grown too large" ++ else ++ sum += entity_value.bytesize ++ end + rv.gsub!( /%#{entity_reference.join};/um, entity_value ) + end + end +Index: test/rexml/test_document.rb +=================================================================== +--- test/rexml/test_document.rb (revision 48161) ++++ test/rexml/test_document.rb (revision 48162) +@@ -47,6 +47,20 @@ + + EOF + ++ XML_WITH_NESTED_PARAMETER_ENTITY = < ++ ++ ++ ++ ++ ++ ++ ++]> ++ ++EOF ++ + XML_WITH_4_ENTITY_EXPANSION = < + ..." + message = "こんにちは、世界!" # Hello world! 
in Japanese
+Index: test/rexml/test_entity.rb
+===================================================================
+--- test/rexml/test_entity.rb (revision 48161)
++++ test/rexml/test_entity.rb (revision 48162)
+@@ -122,6 +122,22 @@
+ end
+ end
+
++ def test_entity_string_limit_for_parameter_entity
++ template = ' ]>'
++ len = 5120 # 5k per entity
++ template.sub!(/\^/, "B" * len)
++
++ # 10k is OK
++ entities = '%a;' * 2 # 5k entity * 2 = 10k
++ REXML::Document.new(template.sub(/\$/, entities))
++
++ # above 10k explodes
++ entities = '%a;' * 3 # 5k entity * 2 = 15k
++ assert_raises(REXML::ParseException) do
++ REXML::Document.new(template.sub(/\$/, entities))
++ end
++ end
++
+ def test_raw
+ source = '
+Index: .
+===================================================================
+--- . (revision 48161)
++++ . (revision 48162)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+ Merged /trunk:r48161
diff --git a/SOURCES/ruby-2.0.0-p598-CVE-2014-8090-REXML-incomplete-fix-for-CVE-2014-8080.patch b/SOURCES/ruby-2.0.0-p598-CVE-2014-8090-REXML-incomplete-fix-for-CVE-2014-8080.patch
new file mode 100644
index 0000000..9687888
--- /dev/null
+++ b/SOURCES/ruby-2.0.0-p598-CVE-2014-8090-REXML-incomplete-fix-for-CVE-2014-8080.patch
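Review bot: In the lib/rexml/entity.rb hunk of the CVE-2014-8080 patch, the new guard calls `entity_value.bytesize` without first checking that `@parent.entity( entity_reference[0] )` returned a string, and it signals the limit with a bare `raise "entity expansion has grown too large"`, which is a plain RuntimeError. The hunk does not show what `@parent.entity` returns for an undeclared parameter entity; if that can be nil, the caller sees a NoMethodError from the guard rather than the limit error, so the guard should handle that case explicitly. The new test asserts `REXML::ParseException`, so it depends on the parser wrapping the RuntimeError; a comment on the raise saying so would help anyone who calls this method outside parsing. In test_entity.rb the comment `# 5k entity * 2 = 15k` should read `# 5k entity * 3 = 15k`. The enclosing method in entity.rb starts and ends outside the hunk.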
@@ -0,0 +1,131 @@
+Index: ChangeLog
+===================================================================
+--- ChangeLog (revision 48402)
++++ ChangeLog (revision 48403)
+@@ -1,3 +1,8 @@
++Thu Nov 13 22:31:50 2014 CHIKANAGA Tomoyuki
++
++ * lib/rexml/document.rb: add REXML::Document#document.
++ reported by Tomas Hoger and patched by nahi.
++
+ Mon Oct 27 20:21:05 2014 NAKAMURA Usaku
+
+ * lib/rexml/entity.rb: keep the entity size within the limitation.
+Index: lib/rexml/document.rb
+===================================================================
+--- lib/rexml/document.rb (revision 48402)
++++ lib/rexml/document.rb (revision 48403)
+@@ -278,6 +278,10 @@
+ end
+ end
+
++ def document
++ self
++ end
++
+ private
+ def build( source )
+ Parsers::TreeParser.new( source, self ).parse
+Index: lib/rexml/entity.rb
+===================================================================
+--- lib/rexml/entity.rb (revision 48402)
++++ lib/rexml/entity.rb (revision 48403)
+@@ -157,6 +157,7 @@
+
+ # This is a set of entity constants -- the ones defined in the XML
+ # specification. These are +gt+, +lt+, +amp+, +quot+ and +apos+.
++ # CAUTION: these entities does not have parent and document
+ module EntityConst
+ # +>+
+ GT = Entity.new( 'gt', '>' )
+Index: test/rexml/test_document.rb
+===================================================================
+--- test/rexml/test_document.rb (revision 48402)
++++ test/rexml/test_document.rb (revision 48403)
+@@ -47,6 +47,22 @@
+
+ EOF
+
++ XML_WITH_NESTED_EMPTY_ENTITY = <
++
++
++
++
++
++
++
++]>
++
++&a;
++
++EOF
++
+ XML_WITH_NESTED_PARAMETER_ENTITY = <
+@@ -60,6 +76,19 @@
+ ]>
+
+ EOF
++ XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY = <
++
++
++
++
++
++
++
++]>
++
++EOF
+
+ XML_WITH_4_ENTITY_EXPANSION = <
+@@ -87,6 +116,18 @@
+ end
+ assert_equal(101, doc.entity_expansion_count)
+
++ doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY)
++ assert_raise(RuntimeError) do
++ doc.root.children.first.value
++ end
++ REXML::Document.entity_expansion_limit = 100
++ assert_equal(100, REXML::Document.entity_expansion_limit)
++ doc = REXML::Document.new(XML_WITH_NESTED_EMPTY_ENTITY)
++ assert_raise(RuntimeError) do
++ doc.root.children.first.value
++ end
++ assert_equal(101, doc.entity_expansion_count)
++
+ REXML::Document.entity_expansion_limit = 4
+ doc = REXML::Document.new(XML_WITH_4_ENTITY_EXPANSION)
+ assert_equal("\na\na a\n<\n", doc.root.children.first.value)
+@@ -95,6 +136,15 @@
+ assert_raise(RuntimeError) do
+ doc.root.children.first.value
+ end
++
++ assert_raise(REXML::ParseException) do
++ REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY)
++ end
++ REXML::Document.entity_expansion_limit = 100
++ assert_equal(100, REXML::Document.entity_expansion_limit)
++ assert_raise(REXML::ParseException) do
++ REXML::Document.new(XML_WITH_NESTED_EMPTY_PARAMETER_ENTITY)
++ end
+ ensure
+ REXML::Document.entity_expansion_limit = 10000
+ end
+Index: .
+===================================================================
+--- . (revision 48402)
++++ . (revision 48403)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+ Merged /trunk:r48402
diff --git a/SOURCES/ruby-2.1.0-CVE-2014-4975-fix-buffer-overru-by-tail_lf.patch b/SOURCES/ruby-2.1.0-CVE-2014-4975-fix-buffer-overru-by-tail_lf.patch
new file mode 100644
index 0000000..2a38eeb
--- /dev/null
+++ b/SOURCES/ruby-2.1.0-CVE-2014-4975-fix-buffer-overru-by-tail_lf.patch
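Review bot: The new `Document#document` in the lib/rexml/document.rb hunk of the CVE-2014-8090 patch is the whole functional change, yet nothing in the code says why a method that only returns `self` matters. The hunk does not show its callers; presumably nodes resolve their owning document through the parent chain and the expansion accounting is reached that way, so a comment such as `# Returns self so that a lookup of the owning document through the parent chain ends at this Document instead of nil (CVE-2014-8090).` would keep it from being removed as dead code. The added comment in lib/rexml/entity.rb should read `# CAUTION: these entities do not have a parent or a document`. The Document class body continues outside the hunk.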
@@ -0,0 +1,84 @@
+Index: ChangeLog
+===================================================================
+--- ChangeLog (revision 46805)
++++ ChangeLog (revision 46806)
+@@ -3,6 +3,11 @@
+ * test/ruby/test_time_tz.rb: Fix test error with tzdata-2014g.
+ [ruby-core:65058] [Bug #10245] Reported by Vit Ondruch.
+
++Sun Jul 13 22:52:43 2014 Nobuyoshi Nakada
++
++ * pack.c (encodes): fix buffer overrun by tail_lf. Thanks to
++ Mamoru Tasaka and Tomas Hoger. [ruby-core:63604] [Bug #10019]
++
+ Fri Jan 3 10:43:57 2014 Aman Gupta
+
+ * test/net/imap/cacert.pem: generate new CA cert, since the last one
+Index: pack.c
+===================================================================
+--- pack.c (revision 46805)
++++ pack.c (revision 46806)
+@@ -1063,7 +1063,8 @@
+ static void
+ encodes(VALUE str, const char *s, long len, int type, int tail_lf)
+ {
+- char buff[4096];
++ enum {buff_size = 4096, encoded_unit = 4};
++ char buff[buff_size + 1]; /* +1 for tail_lf */
+ long i = 0;
+ const char *trans = type == 'u' ? uu_table : b64_table;
+ char padding;
+@@ -1076,7 +1077,7 @@
+ padding = '=';
+ }
+ while (len >= 3) {
+- while (len >= 3 && sizeof(buff)-i >= 4) {
++ while (len >= 3 && buff_size-i >= encoded_unit) {
+ buff[i++] = trans[077 & (*s >> 2)];
+ buff[i++] = trans[077 & (((*s << 4) & 060) | ((s[1] >> 4) & 017))];
+ buff[i++] = trans[077 & (((s[1] << 2) & 074) | ((s[2] >> 6) & 03))];
+@@ -1084,7 +1085,7 @@
+ s += 3;
+ len -= 3;
+ }
+- if (sizeof(buff)-i < 4) {
++ if (buff_size-i < encoded_unit) {
+ rb_str_buf_cat(str, buff, i);
+ i = 0;
+ }
+@@ -1104,6 +1105,7 @@
+ }
+ if (tail_lf) buff[i++] = '\n';
+ rb_str_buf_cat(str, buff, i);
++ if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun");
+ }
+
+ static const char hex_table[] = "0123456789ABCDEF";
+Index: test/ruby/test_pack.rb
+===================================================================
+--- test/ruby/test_pack.rb (revision 46805)
++++ test/ruby/test_pack.rb (revision 46806)
+@@ -536,6 +536,14 @@
+ assert_equal(["\377"], "/w==\n".unpack("m"))
+ assert_equal(["\377\377"], "//8=\n".unpack("m"))
+ assert_equal(["\377\377\377"], "////\n".unpack("m"))
++
++ bug10019 = '[ruby-core:63604] [Bug #10019]'
++ size = ((4096-4)/4*3+1)
++ assert_separately(%W[- #{size} #{bug10019}], <<-'end;')
++ size = ARGV.shift.to_i
++ bug = ARGV.shift
++ assert_equal(size, ["a"*size].pack("m#{size+2}").unpack("m")[0].size, bug)
++ end;
+ end
+
+ def test_pack_unpack_m0
+Index: .
+===================================================================
+--- . (revision 46805)
++++ . (revision 46806)
+
+Property changes on: .
+___________________________________________________________________
+Modified: svn:mergeinfo
+ Merged /trunk:r46778
diff --git a/SOURCES/ruby-2.2.0-fix-error-with-tzdata.patch b/SOURCES/ruby-2.2.0-fix-error-with-tzdata.patch
new file mode 100644
index 0000000..52c93c5
--- /dev/null
+++ b/SOURCES/ruby-2.2.0-fix-error-with-tzdata.patch
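Review bot: The added `rb_bug("encodes() buffer overrun")` check in the last pack.c hunk runs after `buff[i++] = '\n'` and after `rb_str_buf_cat(str, buff, i)`, so it can only report an overrun once the out-of-bounds write and the read have already happened. Placing it ahead of the newline write makes it a guard rather than a post-mortem: `if ((size_t)i + (tail_lf ? 1 : 0) > sizeof(buff)) rb_bug("encodes() buffer overrun");` before `if (tail_lf) buff[i++] = '\n';`. The padding branch of encodes() lies between the hunks and is not visible here, so whether its writes need the same guard cannot be judged from this page. In test_pack.rb, `size = ((4096-4)/4*3+1)` hard-codes the buffer size; a comment tying it to `buff_size` in pack.c would keep the test on the boundary if that constant changes.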
@@ -0,0 +1,159 @@
+From a92bb23525243ada0f8b63ccdfeafb385408524b Mon Sep 17 00:00:00 2001
+From: akr
+Date: Mon, 22 Sep 2014 03:12:23 +0000
+Subject: [PATCH] * test/ruby/test_time_tz.rb: Fix test error with
+ tzdata-2014g. [ruby-core:65058] [Bug #10245] Reported by Vit Ondruch.
+
+git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@47680 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
+
+Conflicts:
+ ChangeLog
+ test/ruby/test_time_tz.rb
+---
+ ChangeLog | 5 +++
+ test/ruby/test_time_tz.rb | 99 ++++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 78 insertions(+), 26 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 6734f63..e760152 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,8 @@
++Mon Sep 22 12:10:29 2014 Tanaka Akira
++
++ * test/ruby/test_time_tz.rb: Fix test error with tzdata-2014g.
++ [ruby-core:65058] [Bug #10245] Reported by Vit Ondruch.
++
+ Fri Jan 3 10:43:57 2014 Aman Gupta
+
+ * test/net/imap/cacert.pem: generate new CA cert, since the last one
+diff --git a/test/ruby/test_time_tz.rb b/test/ruby/test_time_tz.rb
+index bb69af8..626ecd1 100644
+--- a/test/ruby/test_time_tz.rb
++++ b/test/ruby/test_time_tz.rb
+@@ -200,35 +200,42 @@ class TestTimeTZ < Test::Unit::TestCase
+ s.sub(/gen_/) { "gen" + "_#{hint}_".gsub(/[^0-9A-Za-z]+/, '_') }
+ end
+
++ def self.parse_zdump_line(line)
++ return nil if /\A\#/ =~ line || /\A\s*\z/ =~ line
++ if /\A(\S+)\s+
++ \S+\s+(\S+)\s+(\d+)\s+(\d\d):(\d\d):(\d\d)\s+(\d+)\s+UTC?
++ \s+=\s+
++ \S+\s+(\S+)\s+(\d+)\s+(\d\d):(\d\d):(\d\d)\s+(\d+)\s+\S+
++ \s+isdst=\d+\s+gmtoff=(-?\d+)\n
++ \z/x !~ line
++ raise "unexpected zdump line: #{line.inspect}"
++ end
++ tz, u_mon, u_day, u_hour, u_min, u_sec, u_year,
++ l_mon, l_day, l_hour, l_min, l_sec, l_year, gmtoff = $~.captures
++ u_year = u_year.to_i
++ u_mon = MON2NUM[u_mon]
++ u_day = u_day.to_i
++ u_hour = u_hour.to_i
++ u_min = u_min.to_i
++ u_sec = u_sec.to_i
++ l_year = l_year.to_i
++ l_mon = MON2NUM[l_mon]
++ l_day = l_day.to_i
++ l_hour = l_hour.to_i
++ l_min = l_min.to_i
++ l_sec = l_sec.to_i
++ gmtoff = gmtoff.to_i
++ [tz,
++ [u_year, u_mon, u_day, u_hour, u_min, u_sec],
++ [l_year, l_mon, l_day, l_hour, l_min, l_sec],
++ gmtoff]
++ end
++
+ def self.gen_zdump_test(data)
+ sample = []
+ data.each_line {|line|
+- next if /\A\#/ =~ line || /\A\s*\z/ =~ line
+- /\A(\S+)\s+
+- \S+\s+(\S+)\s+(\d+)\s+(\d\d):(\d\d):(\d\d)\s+(\d+)\s+UTC
+- \s+=\s+
+- \S+\s+(\S+)\s+(\d+)\s+(\d\d):(\d\d):(\d\d)\s+(\d+)\s+\S+
+- \s+isdst=\d+\s+gmtoff=(-?\d+)\n
+- \z/x =~ line
+- tz, u_mon, u_day, u_hour, u_min, u_sec, u_year,
+- l_mon, l_day, l_hour, l_min, l_sec, l_year, gmtoff = $~.captures
+- u_year = u_year.to_i
+- u_mon = MON2NUM[u_mon]
+- u_day = u_day.to_i
+- u_hour = u_hour.to_i
+- u_min = u_min.to_i
+- u_sec = u_sec.to_i
+- l_year = l_year.to_i
+- l_mon = MON2NUM[l_mon]
+- l_day = l_day.to_i
+- l_hour = l_hour.to_i
+- l_min = l_min.to_i
+- l_sec = l_sec.to_i
+- gmtoff = gmtoff.to_i
+- sample << [tz,
+- [u_year, u_mon, u_day, u_hour, u_min, u_sec],
+- [l_year, l_mon, l_day, l_hour, l_min, l_sec],
+- gmtoff]
++ s = parse_zdump_line(line)
++ sample << s if s
+ }
+ sample.each {|tz, u, l, gmtoff|
+ expected_utc = "%04d-%02d-%02d %02d:%02d:%02d UTC" % u
+@@ -249,6 +256,7 @@ class TestTimeTZ < Test::Unit::TestCase
+ }
+ }
+ }
++
+ group_by(sample) {|tz, _, _, _| tz }.each {|tz, a|
+ a.each_with_index {|(_, u, l, gmtoff), i|
+ expected = "%04d-%02d-%02d %02d:%02d:%02d %s" % (l+[format_gmtoff(gmtoff)])
+@@ -348,6 +356,45 @@ right/America/Los_Angeles Wed Dec 31 23:59:60 2008 UTC = Wed Dec 31 15:59:60 20
+ #right/Asia/Tokyo Sat Dec 31 23:59:60 2005 UTC = Sun Jan 1 08:59:60 2006 JST isdst=0 gmtoff=32400
+ right/Europe/Paris Fri Jun 30 23:59:60 1972 UTC = Sat Jul 1 00:59:60 1972 CET isdst=0 gmtoff=3600
+ right/Europe/Paris Wed Dec 31 23:59:60 2008 UTC = Thu Jan 1 00:59:60 2009 CET isdst=0 gmtoff=3600
++End
++
++ def self.gen_variational_zdump_test(hint, data)
++ sample = []
++ data.each_line {|line|
++ s = parse_zdump_line(line)
++ sample << s if s
++ }
++
++ define_method(gen_test_name(hint)) {
++ results = []
++ sample.each {|tz, u, l, gmtoff|
++ expected_utc = "%04d-%02d-%02d %02d:%02d:%02d UTC" % u
++ expected = "%04d-%02d-%02d %02d:%02d:%02d %s" % (l+[format_gmtoff(gmtoff)])
++ mesg_utc = "TZ=#{tz} Time.utc(#{u.map {|arg| arg.inspect }.join(', ')})"
++ mesg = "#{mesg_utc}.localtime"
++ with_tz(tz) {
++ t = nil
++ assert_nothing_raised(mesg) { t = Time.utc(*u) }
++ assert_equal(expected_utc, time_to_s(t), mesg_utc)
++ assert_nothing_raised(mesg) { t.localtime }
++
++ results << [
++ expected == time_to_s(t),
++ gmtoff == t.gmtoff,
++ format_gmtoff(gmtoff) == t.strftime("%z"),
++ format_gmtoff(gmtoff, true) == t.strftime("%:z"),
++ format_gmtoff2(gmtoff) == t.strftime("%::z")
++ ]
++ }
++ }
++ assert_includes(results, [true, true, true, true, true])
++ }
++ end
++
++ # tzdata-2014g fixed the offset for lisbon from -0:36:32 to -0:36:45.
++ # [ruby-core:65058] [Bug #10245]
++ gen_variational_zdump_test "lisbon", <<'End' if force_tz_test
+ Europe/Lisbon Mon Jan 1 00:36:31 1912 UTC = Sun Dec 31 23:59:59 1911 LMT isdst=0 gmtoff=-2192
++Europe/Lisbon Mon Jan 1 00:36:44 1912 UT = Sun Dec 31 23:59:59 1911 LMT isdst=0 gmtoff=-2205
+ End
+ end
+--
+1.9.3
+
diff --git a/SPECS/ruby.spec b/SPECS/ruby.spec
index 7846857..7ef2377 100644
--- a/SPECS/ruby.spec
+++ b/SPECS/ruby.spec
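Review bot: `assert_includes(results, [true, true, true, true, true])` in `gen_variational_zdump_test` reports only an array of booleans when no variant matches, so a failure does not say which zone was tested or which of the five comparisons differed. Passing a message, for example `assert_includes(results, [true, true, true, true, true], "no zdump variant matched for #{hint}")`, would make a failure after a later tzdata update readable from the log alone. The method also has no comment stating that it passes when any one of the listed variants matches; one line above `define_method` would make that intent explicit.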
@@ -26,7 +26,7 @@
 %endif
-%global release 20
+%global release 22
 %{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}}
 %global rubygems_version 2.0.14
@@ -161,6 +161,18 @@ Patch20: ruby-2.1.1-fix-test-failures-due-to-expired-certs.patch
 # Fix test_aes_gcm_wrong_tag(OpenSSL::TestCipher) random test failures.
 # https://bugs.ruby-lang.org/issues/8439
 Patch21: ruby-2.1.0-test_aes_gcm_wrong_tag-Dont-use-String-succ.patch
+# Fix test suite for new tzdata
+# https://bugs.ruby-lang.org/issues/10245
+Patch22: ruby-2.2.0-fix-error-with-tzdata.patch
+# CVE-2014-4975: Fix off-by-one stack-based buffer overflow in the encodes() function
+# https://bugs.ruby-lang.org/issues/10019
+Patch23: ruby-2.1.0-CVE-2014-4975-fix-buffer-overru-by-tail_lf.patch
+# CVE-2014-8080: Fix REXML billion laughs attack via parameter entity expansion.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1157709
+Patch24: ruby-2.0.0-p594-CVE-2014-8080-REXML-billion-laughs-attack.patch
+# CVE-2014-8090: REXML incomplete fix for CVE-2014-8080.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1159927
+Patch25: ruby-2.0.0-p598-CVE-2014-8090-REXML-incomplete-fix-for-CVE-2014-8080.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires: ruby(rubygems) >= %{rubygems_version}
@@ -431,6 +443,10 @@ Tcl/Tk interface for the object-oriented scripting language Ruby.
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p1
+%patch23
+%patch24
+%patch25
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
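Review bot: In the %prep hunk, `%patch23`, `%patch24` and `%patch25` are applied with no strip option, while `%patch22 -p1` and the patches before it state `-p1`. That is consistent with the `Index:`-style paths inside the three CVE patches, which carry no `a/` or `b/` prefix, but it leaves the strip level to the macro's default. Writing it out as `%patch23 -p0`, `%patch24 -p0`, `%patch25 -p0`, with a comment such as `# svn-format diffs: paths are relative to the source root`, would make a security patch that fails to apply or applies to the wrong path easier to catch in review.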
@@ -894,6 +910,22 @@ OPENSSL_ENABLE_MD5_VERIFY=1 make check TESTS="-v $DISABLE_TESTS"
 %{ruby_libdir}/tkextlib
 %changelog
+* Sun Nov 16 2014 Vít Ondruch - 2.0.0.353-22
+- Fix REXML billion laughs attack via parameter entity expansion
+ (CVE-2014-8080).
+ Resolves: rhbz#1163998
+- REXML incomplete fix for CVE-2014-8080 (CVE-2014-8090).
+ Resolves: rhbz#1163998
+
+* Fri Nov 14 2014 Vít Ondruch - 2.0.0.353-21
+- Fix off-by-one stack-based buffer overflow in the encodes() function
+ (CVE-2014-4975)
+ Resolves: rhbz#1163998
+
+* Tue Sep 23 2014 Josef Stribny - 2.0.0.353-21
+- Fix FTBFS with new tzdata
+ Related: rhbz#1163998
+
 * Fri Jan 24 2014 Daniel Mach - 2.0.0.353-20
 - Mass rebuild 2014-01-24