From bb3359ab8e3c20eb91d61509b5ab364d03c9ec3b Mon Sep 17 00:00:00 2001 From: Ben Woodcroft Date: Sun, 18 Feb 2018 00:09:17 +1000 Subject: gnu: ruby-2.4.3: Update rubygems to 2.7.6. This fixes the security issues described at https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in- rubygems/ * gnu/packages/patches/ruby-rubygems-276-for-ruby24.patch: New file. * gnu/packages/ruby.scm (ruby-2.4.3)[source]: Use it. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../patches/ruby-rubygems-276-for-ruby24.patch | 605 +++++++++++++++++++++ gnu/packages/ruby.scm | 1 + 3 files changed, 607 insertions(+) create mode 100644 gnu/packages/patches/ruby-rubygems-276-for-ruby24.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index 7fe374208b..735635158f 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1079,6 +1079,7 @@ dist_patch_DATA = \ %D%/packages/patches/rpcbind-CVE-2017-8779.patch \ %D%/packages/patches/rsem-makefile.patch \ %D%/packages/patches/rtags-separate-rct.patch \ + %D%/packages/patches/ruby-rubygems-276-for-ruby24.patch \ %D%/packages/patches/ruby-concurrent-ignore-broken-test.patch \ %D%/packages/patches/ruby-concurrent-test-arm.patch \ %D%/packages/patches/ruby-rack-ignore-failing-test.patch \ diff --git a/gnu/packages/patches/ruby-rubygems-276-for-ruby24.patch b/gnu/packages/patches/ruby-rubygems-276-for-ruby24.patch new file mode 100644 index 0000000000..0d0ed6b204 --- /dev/null +++ b/gnu/packages/patches/ruby-rubygems-276-for-ruby24.patch @@ -0,0 +1,605 @@ +diff --git lib/rubygems.rb lib/rubygems.rb +index 0685bcb3c6..a5a9202e56 100644 +--- ruby-2.4.3/lib/rubygems.rb ++++ ruby-2.4.3/lib/rubygems.rb +@@ -10,7 +10,7 @@ + require 'thread' + + module Gem +- VERSION = "2.6.14" ++ VERSION = "2.6.14.1" + end + + # Must be first since it unloads the prelude from 1.9.2 +diff --git lib/rubygems/commands/owner_command.rb lib/rubygems/commands/owner_command.rb +index 4b99434e87..2ee7f84462 100644 +--- ruby-2.4.3/lib/rubygems/commands/owner_command.rb ++++ ruby-2.4.3/lib/rubygems/commands/owner_command.rb +@@ -62,7 +62,7 @@ def show_owners name + end + + with_response response do |resp| +- owners = YAML.load resp.body ++ owners = Gem::SafeYAML.load resp.body + + say "Owners for gem: #{name}" + owners.each do |owner| +diff --git lib/rubygems/package.rb lib/rubygems/package.rb +index 77811ed5ec..b5a5fe2a26 100644 +--- ruby-2.4.3/lib/rubygems/package.rb ++++ ruby-2.4.3/lib/rubygems/package.rb +@@ -378,7 +378,7 @@ def extract_tar_gz io, destination_dir, pattern = "*" # :nodoc: + File.dirname destination + end + +- FileUtils.mkdir_p mkdir, mkdir_options ++ mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name + + open destination, 'wb' do |out| + out.write entry.read +@@ -416,20 +416,35 @@ def install_location filename, destination_dir # :nodoc: + raise Gem::Package::PathError.new(filename, destination_dir) if + filename.start_with? '/' + +- destination_dir = File.realpath destination_dir if +- File.respond_to? :realpath ++ destination_dir = realpath destination_dir + destination_dir = File.expand_path destination_dir + + destination = File.join destination_dir, filename + destination = File.expand_path destination + + raise Gem::Package::PathError.new(destination, destination_dir) unless +- destination.start_with? destination_dir ++ destination.start_with? destination_dir + '/' + + destination.untaint + destination + end + ++ def mkdir_p_safe mkdir, mkdir_options, destination_dir, file_name ++ destination_dir = realpath File.expand_path(destination_dir) ++ parts = mkdir.split(File::SEPARATOR) ++ parts.reduce do |path, basename| ++ path = realpath path unless path == "" ++ path = File.expand_path(path + File::SEPARATOR + basename) ++ lstat = File.lstat path rescue nil ++ if !lstat || !lstat.directory? ++ unless path.start_with? destination_dir and (FileUtils.mkdir path, mkdir_options rescue false) ++ raise Gem::Package::PathError.new(file_name, destination_dir) ++ end ++ end ++ path ++ end ++ end ++ + ## + # Loads a Gem::Specification from the TarEntry +entry+ + +@@ -603,6 +618,10 @@ def verify_files gem + raise Gem::Package::FormatError.new \ + 'package content (data.tar.gz) is missing', @gem + end ++ ++ if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any? ++ raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})" ++ end + end + + ## +@@ -616,6 +635,16 @@ def verify_gz entry # :nodoc: + raise Gem::Package::FormatError.new(e.message, entry.full_name) + end + ++ if File.respond_to? :realpath ++ def realpath file ++ File.realpath file ++ end ++ else ++ def realpath file ++ file ++ end ++ end ++ + end + + require 'rubygems/package/digest_io' +diff --git lib/rubygems/package/tar_header.rb lib/rubygems/package/tar_header.rb +index c54bd14d57..d557357114 100644 +--- ruby-2.4.3/lib/rubygems/package/tar_header.rb ++++ ruby-2.4.3/lib/rubygems/package/tar_header.rb +@@ -104,25 +104,30 @@ def self.from(stream) + fields = header.unpack UNPACK_FORMAT + + new :name => fields.shift, +- :mode => fields.shift.oct, +- :uid => fields.shift.oct, +- :gid => fields.shift.oct, +- :size => fields.shift.oct, +- :mtime => fields.shift.oct, +- :checksum => fields.shift.oct, ++ :mode => strict_oct(fields.shift), ++ :uid => strict_oct(fields.shift), ++ :gid => strict_oct(fields.shift), ++ :size => strict_oct(fields.shift), ++ :mtime => strict_oct(fields.shift), ++ :checksum => strict_oct(fields.shift), + :typeflag => fields.shift, + :linkname => fields.shift, + :magic => fields.shift, +- :version => fields.shift.oct, ++ :version => strict_oct(fields.shift), + :uname => fields.shift, + :gname => fields.shift, +- :devmajor => fields.shift.oct, +- :devminor => fields.shift.oct, ++ :devmajor => strict_oct(fields.shift), ++ :devminor => strict_oct(fields.shift), + :prefix => fields.shift, + + :empty => empty + end + ++ def self.strict_oct(str) ++ return str.oct if str =~ /\A[0-7]*\z/ ++ raise ArgumentError, "#{str.inspect} is not an octal string" ++ end ++ + ## + # Creates a new TarHeader using +vals+ + +diff --git lib/rubygems/package/tar_writer.rb lib/rubygems/package/tar_writer.rb +index f68b8d4c5e..390f7851a3 100644 +--- ruby-2.4.3/lib/rubygems/package/tar_writer.rb ++++ ruby-2.4.3/lib/rubygems/package/tar_writer.rb +@@ -196,6 +196,8 @@ def add_file_signed name, mode, signer + digest_name == signer.digest_name + end + ++ raise "no #{signer.digest_name} in #{digests.values.compact}" unless signature_digest ++ + if signer.key then + signature = signer.sign signature_digest.digest + +diff --git lib/rubygems/server.rb lib/rubygems/server.rb +index df4eb566d3..a7b5243ba0 100644 +--- ruby-2.4.3/lib/rubygems/server.rb ++++ ruby-2.4.3/lib/rubygems/server.rb +@@ -631,6 +631,18 @@ def root(req, res) + executables = nil if executables.empty? + executables.last["is_last"] = true if executables + ++ # Pre-process spec homepage for safety reasons ++ begin ++ homepage_uri = URI.parse(spec.homepage) ++ if [URI::HTTP, URI::HTTPS].member? homepage_uri.class ++ homepage_uri = spec.homepage ++ else ++ homepage_uri = "." ++ end ++ rescue URI::InvalidURIError ++ homepage_uri = "." ++ end ++ + specs << { + "authors" => spec.authors.sort.join(", "), + "date" => spec.date.to_s, +@@ -640,7 +652,7 @@ def root(req, res) + "only_one_executable" => (executables && executables.size == 1), + "full_name" => spec.full_name, + "has_deps" => !deps.empty?, +- "homepage" => spec.homepage, ++ "homepage" => homepage_uri, + "name" => spec.name, + "rdoc_installed" => Gem::RDoc.new(spec).rdoc_installed?, + "ri_installed" => Gem::RDoc.new(spec).ri_installed?, +diff --git lib/rubygems/specification.rb lib/rubygems/specification.rb +index 40e3a70d47..0a154b9001 100644 +--- ruby-2.4.3/lib/rubygems/specification.rb ++++ ruby-2.4.3/lib/rubygems/specification.rb +@@ -15,6 +15,7 @@ + require 'rubygems/stub_specification' + require 'rubygems/util/list' + require 'stringio' ++require 'uri' + + ## + # The Specification class contains the information for a Gem. Typically +@@ -2813,10 +2814,16 @@ def validate packaging = true + raise Gem::InvalidSpecificationException, "#{lazy} is not a summary" + end + +- if homepage and not homepage.empty? and +- homepage !~ /\A[a-z][a-z\d+.-]*:/i then +- raise Gem::InvalidSpecificationException, +- "\"#{homepage}\" is not a URI" ++ # Make sure a homepage is valid HTTP/HTTPS URI ++ if homepage and not homepage.empty? ++ begin ++ homepage_uri = URI.parse(homepage) ++ unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class ++ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI" ++ end ++ rescue URI::InvalidURIError ++ raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI" ++ end + end + + # Warnings +diff --git test/rubygems/test_gem_commands_owner_command.rb test/rubygems/test_gem_commands_owner_command.rb +index 44652c1093..53cac4ce87 100644 +--- ruby-2.4.3/test/rubygems/test_gem_commands_owner_command.rb ++++ ruby-2.4.3/test/rubygems/test_gem_commands_owner_command.rb +@@ -43,6 +43,31 @@ def test_show_owners + assert_match %r{- 4}, @ui.output + end + ++ def test_show_owners_dont_load_objects ++ skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass) ++ ++ response = <xsshomepagegem 1 ++ # ++ # ++ # [rdoc] ++ # ++ # ++ # ++ # [www] ++ # ++ # Variant #2 - rdoc installed ++ # ++ # xsshomepagegem 1 ++ # ++ # ++ # \[rdoc\]<\/a> ++ # ++ # ++ # ++ # [www] ++ regex_match = /xsshomepagegem 1<\/b>[\n\s]+(\[rdoc\]<\/span>|\[rdoc\]<\/a>)[\n\s]+\[www\]<\/a>/ ++ assert_match regex_match, @res.body ++ end ++ ++ def test_invalid_homepage ++ data = StringIO.new "GET / HTTP/1.0\r\n\r\n" ++ dir = "#{@gemhome}2" ++ ++ spec = util_spec 'invalidhomepagegem', 1 ++ spec.homepage = "notavalidhomepageurl" ++ ++ specs_dir = File.join dir, 'specifications' ++ FileUtils.mkdir_p specs_dir ++ ++ open File.join(specs_dir, spec.spec_name), 'w' do |io| ++ io.write spec.to_ruby ++ end ++ ++ server = Gem::Server.new dir, process_based_port, false ++ ++ @req.parse data ++ ++ server.root @req, @res ++ ++ assert_equal 200, @res.status ++ assert_match 'invalidhomepagegem 1', @res.body ++ ++ # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a ++ # valid HTTP/HTTPS URL and could be unsafe in an HTML context. We would prefer to throw an exception here, ++ # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be ++ # validated in future versions of Gem::Specification. ++ # ++ # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex: ++ # ++ # Variant #1 - rdoc not installed ++ # ++ # invalidhomepagegem 1 ++ # ++ # ++ # [rdoc] ++ # ++ # ++ # ++ # [www] ++ # ++ # Variant #2 - rdoc installed ++ # ++ # invalidhomepagegem 1 ++ # ++ # ++ # \[rdoc\]<\/a> ++ # ++ # ++ # ++ # [www] ++ regex_match = /invalidhomepagegem 1<\/b>[\n\s]+(\[rdoc\]<\/span>|\[rdoc\]<\/a>)[\n\s]+\[www\]<\/a>/ ++ assert_match regex_match, @res.body ++ end ++ ++ def test_valid_homepage_http ++ data = StringIO.new "GET / HTTP/1.0\r\n\r\n" ++ dir = "#{@gemhome}2" ++ ++ spec = util_spec 'validhomepagegemhttp', 1 ++ spec.homepage = "http://rubygems.org" ++ ++ specs_dir = File.join dir, 'specifications' ++ FileUtils.mkdir_p specs_dir ++ ++ open File.join(specs_dir, spec.spec_name), 'w' do |io| ++ io.write spec.to_ruby ++ end ++ ++ server = Gem::Server.new dir, process_based_port, false ++ ++ @req.parse data ++ ++ server.root @req, @res ++ ++ assert_equal 200, @res.status ++ assert_match 'validhomepagegemhttp 1', @res.body ++ ++ regex_match = /validhomepagegemhttp 1<\/b>[\n\s]+(\[rdoc\]<\/span>|\[rdoc\]<\/a>)[\n\s]+\[www\]<\/a>/ ++ assert_match regex_match, @res.body ++ end ++ ++ def test_valid_homepage_https ++ data = StringIO.new "GET / HTTP/1.0\r\n\r\n" ++ dir = "#{@gemhome}2" ++ ++ spec = util_spec 'validhomepagegemhttps', 1 ++ spec.homepage = "https://rubygems.org" ++ ++ specs_dir = File.join dir, 'specifications' ++ FileUtils.mkdir_p specs_dir ++ ++ open File.join(specs_dir, spec.spec_name), 'w' do |io| ++ io.write spec.to_ruby ++ end ++ ++ server = Gem::Server.new dir, process_based_port, false ++ ++ @req.parse data ++ ++ server.root @req, @res ++ ++ assert_equal 200, @res.status ++ assert_match 'validhomepagegemhttps 1', @res.body ++ ++ regex_match = /validhomepagegemhttps 1<\/b>[\n\s]+(\[rdoc\]<\/span>|\[rdoc\]<\/a>)[\n\s]+\[www\]<\/a>/ ++ assert_match regex_match, @res.body ++ end ++ + def test_specs + data = StringIO.new "GET /specs.#{Gem.marshal_version} HTTP/1.0\r\n\r\n" + @req.parse data +diff --git test/rubygems/test_gem_specification.rb test/rubygems/test_gem_specification.rb +index 0fcc11e78f..1c68826fb3 100644 +--- ruby-2.4.3/test/rubygems/test_gem_specification.rb ++++ ruby-2.4.3/test/rubygems/test_gem_specification.rb +@@ -2890,7 +2890,22 @@ def test_validate_homepage + @a1.validate + end + +- assert_equal '"over at my cool site" is not a URI', e.message ++ assert_equal '"over at my cool site" is not a valid HTTP URI', e.message ++ ++ @a1.homepage = 'ftp://rubygems.org' ++ ++ e = assert_raises Gem::InvalidSpecificationException do ++ @a1.validate ++ end ++ ++ assert_equal '"ftp://rubygems.org" is not a valid HTTP URI', e.message ++ ++ @a1.homepage = 'http://rubygems.org' ++ assert_equal true, @a1.validate ++ ++ @a1.homepage = 'https://rubygems.org' ++ assert_equal true, @a1.validate ++ + end + end + diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm index 00b24b26f4..90e3e4fcf7 100644 --- a/gnu/packages/ruby.scm +++ b/gnu/packages/ruby.scm @@ -117,6 +117,7 @@ a focus on simplicity and productivity.") (sha256 (base32 "0l9bv67dgsphk42lmiskhrnh47hbyj6rfg2rcjx22xivpx07srr3")) + (patches (search-patches "ruby-rubygems-276-for-ruby24.patch")) (modules '((guix build utils))) (snippet `(begin ;; Remove bundled libffi -- cgit 1.4.1