diff --git a/1000-ruby-2.8.0-Brace-the-fact-that-lchmod-can-EOPNOTSUPP.patch b/1000-ruby-2.8.0-Brace-the-fact-that-lchmod-can-EOPNOTSUPP.patch deleted file mode 100644 index 42f47a9e8f5298139b44c2b790e9ca589942ead9..0000000000000000000000000000000000000000 --- a/1000-ruby-2.8.0-Brace-the-fact-that-lchmod-can-EOPNOTSUPP.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 29d9f866f686e81818fb9cf402c4fb479decb282 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=E5=8D=9C=E9=83=A8=E6=98=8C=E5=B9=B3?= - -Date: Thu, 23 Jan 2020 15:33:42 +0900 -Subject: [PATCH 1/2] brace the fact that lchmod(2) can EOPNOTSUPP - -Musl libc has this function as a tiny wrapper of fchmodat(3posix). On -the other hand Linux kernel does not support changing modes of a symlink. -The operation always fails with EOPNOTSUPP. This fchmodat behaviour is -defined in POSIX. We have to take care of such exceptions. ---- - lib/fileutils.rb | 3 ++- - test/pathname/test_pathname.rb | 2 +- - test/ruby/test_notimp.rb | 19 ++++++++++++------- - 3 files changed, 15 insertions(+), 9 deletions(-) - -diff --git a/lib/fileutils.rb b/lib/fileutils.rb -index f56d7f9cb9..1a02d5435e 100644 ---- a/lib/fileutils.rb -+++ b/lib/fileutils.rb -@@ -1242,6 +1242,7 @@ def chmod(mode) - else - File.chmod mode, path() - end -+ rescue Errno::EOPNOTSUPP - end - - def chown(uid, gid) -@@ -1317,7 +1318,7 @@ def copy_metadata(path) - if st.symlink? 
- begin - File.lchmod mode, path -- rescue NotImplementedError -+ rescue NotImplementedError, Errno::EOPNOTSUPP - end - else - File.chmod mode, path -diff --git a/test/pathname/test_pathname.rb b/test/pathname/test_pathname.rb -index 8a72b8026d..e381d3fa58 100644 ---- a/test/pathname/test_pathname.rb -+++ b/test/pathname/test_pathname.rb -@@ -823,7 +823,7 @@ def test_lchmod - old = path.lstat.mode - begin - path.lchmod(0444) -- rescue NotImplementedError -+ rescue NotImplementedError, Errno::EOPNOTSUPP - next - end - assert_equal(0444, path.lstat.mode & 0777) -diff --git a/test/ruby/test_notimp.rb b/test/ruby/test_notimp.rb -index ddebb657bf..daa5a82d7b 100644 ---- a/test/ruby/test_notimp.rb -+++ b/test/ruby/test_notimp.rb -@@ -13,11 +13,11 @@ def test_respond_to_fork - - def test_respond_to_lchmod - assert_include(File.methods, :lchmod) -- if /linux/ =~ RUBY_PLATFORM -- assert_equal(false, File.respond_to?(:lchmod)) -- end -- if /freebsd/ =~ RUBY_PLATFORM -+ case RUBY_PLATFORM -+ when /freebsd/, /linux-musl/ - assert_equal(true, File.respond_to?(:lchmod)) -+ when /linux/ -+ assert_equal(false, File.respond_to?(:lchmod)) - end - end - -@@ -57,9 +57,14 @@ def test_call_lchmod - File.open(f, "w") {} - File.symlink f, g - newmode = 0444 -- File.lchmod newmode, "#{d}/g" -- snew = File.lstat(g) -- assert_equal(newmode, snew.mode & 0777) -+ begin -+ File.lchmod newmode, "#{d}/g" -+ rescue Errno::EOPNOTSUPP -+ skip $! -+ else -+ snew = File.lstat(g) -+ assert_equal(newmode, snew.mode & 0777) -+ end - } - end - end --- -2.26.2 - diff --git a/1001-ruby-2.8.0-Moved-not-implemented-method-tests.patch b/1001-ruby-2.8.0-Moved-not-implemented-method-tests.patch deleted file mode 100644 index 72d09bcd2ccc6555e2483c4846608ee3f45968b3..0000000000000000000000000000000000000000 --- a/1001-ruby-2.8.0-Moved-not-implemented-method-tests.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From 5400fc3c67446e2f7f35ea317c596e71f0cb1ca4 Mon Sep 17 00:00:00 2001 -From: Nobuyoshi Nakada -Date: Fri, 28 Feb 2020 21:15:37 +0900 -Subject: [PATCH 2/2] Moved not-implemented method tests [Bug #16662] - -Test not-implemented method with the dedicated methods, instead of -platform dependent features. ---- - test/-ext-/test_notimplement.rb | 7 +++ - test/ruby/test_notimp.rb | 90 --------------------------------- - 2 files changed, 7 insertions(+), 90 deletions(-) - delete mode 100644 test/ruby/test_notimp.rb - -diff --git a/test/-ext-/test_notimplement.rb b/test/-ext-/test_notimplement.rb -index 0eba7bdaf8..be8c3623cc 100644 ---- a/test/-ext-/test_notimplement.rb -+++ b/test/-ext-/test_notimplement.rb -@@ -10,6 +10,11 @@ def test_funcall_notimplement - end - - def test_respond_to -+ assert_include(Bug.methods(false), :notimplement) - assert_not_respond_to(Bug, :notimplement) - end -+ -+ def test_method_inspect_notimplement -+ assert_match(/not-implemented/, Bug.method(:notimplement).inspect) -+ end - end -diff --git a/test/ruby/test_notimp.rb b/test/ruby/test_notimp.rb -deleted file mode 100644 -index daa5a82d7b..0000000000 ---- a/test/ruby/test_notimp.rb -+++ /dev/null -@@ -1,90 +0,0 @@ --# frozen_string_literal: false --require 'test/unit' --require 'timeout' --require 'tmpdir' -- --class TestNotImplement < Test::Unit::TestCase -- def test_respond_to_fork -- assert_include(Process.methods, :fork) -- if /linux/ =~ RUBY_PLATFORM -- assert_equal(true, Process.respond_to?(:fork)) -- end -- end -- -- def test_respond_to_lchmod -- assert_include(File.methods, :lchmod) -- case RUBY_PLATFORM -- when /freebsd/, /linux-musl/ -- assert_equal(true, File.respond_to?(:lchmod)) -- when /linux/ -- assert_equal(false, File.respond_to?(:lchmod)) -- end -- end -- -- def test_call_fork -- GC.start -- pid = nil -- ps = -- case RUBY_PLATFORM -- when /linux/ # assume Linux Distribution uses procps -- proc {`ps -eLf #{pid}`} -- when /freebsd/ -- proc {`ps -lH 
#{pid}`} -- when /darwin/ -- proc {`ps -lM #{pid}`} -- else -- proc {`ps -l #{pid}`} -- end -- assert_nothing_raised(Timeout::Error, ps) do -- Timeout.timeout(EnvUtil.apply_timeout_scale(5)) { -- pid = fork {} -- Process.wait pid -- pid = nil -- } -- end -- ensure -- if pid -- Process.kill(:KILL, pid) -- Process.wait pid -- end -- end if Process.respond_to?(:fork) -- -- def test_call_lchmod -- if File.respond_to?(:lchmod) -- Dir.mktmpdir {|d| -- f = "#{d}/f" -- g = "#{d}/g" -- File.open(f, "w") {} -- File.symlink f, g -- newmode = 0444 -- begin -- File.lchmod newmode, "#{d}/g" -- rescue Errno::EOPNOTSUPP -- skip $! -- else -- snew = File.lstat(g) -- assert_equal(newmode, snew.mode & 0777) -- end -- } -- end -- end -- -- def test_method_inspect_fork -- m = Process.method(:fork) -- if Process.respond_to?(:fork) -- assert_not_match(/not-implemented/, m.inspect) -- else -- assert_match(/not-implemented/, m.inspect) -- end -- end -- -- def test_method_inspect_lchmod -- m = File.method(:lchmod) -- if File.respond_to?(:lchmod) -- assert_not_match(/not-implemented/, m.inspect) -- else -- assert_match(/not-implemented/, m.inspect) -- end -- end -- --end --- -2.26.2 - diff --git a/1002-ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch b/1002-ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch deleted file mode 100644 index b7ea0465eaa4ce1ece2852c611359added41aa52..0000000000000000000000000000000000000000 --- a/1002-ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 9b42fce32bff25e0569581f76f532b9d57865aef Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?V=C3=ADt=20Ondruch?= -Date: Mon, 27 Jul 2020 14:56:05 +0200 -Subject: [PATCH] Timeout the test_bug_reporter_add witout raising error. - -While timeouting the threads might be still good idea, it does not seems -the timeout impacts the TestBugReporter#test_bug_reporter_add result, -because the output of the child process has been already collected -earlier. - -It seems that when the system is under heavy load, the thread might not -be sheduled to finish its processing. Even finishing the child process -might take tens of seconds and therefore the test case finish might take -a while. ---- - test/-ext-/bug_reporter/test_bug_reporter.rb | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/test/-ext-/bug_reporter/test_bug_reporter.rb b/test/-ext-/bug_reporter/test_bug_reporter.rb -index 628fcd0340..2c677cc8a7 100644 ---- a/test/-ext-/bug_reporter/test_bug_reporter.rb -+++ b/test/-ext-/bug_reporter/test_bug_reporter.rb -@@ -17,7 +17,7 @@ def test_bug_reporter_add - args = ["--disable-gems", "-r-test-/bug_reporter", - "-C", tmpdir] - stdin = "register_sample_bug_reporter(12345); Process.kill :SEGV, $$" -- assert_in_out_err(args, stdin, [], expected_stderr, encoding: "ASCII-8BIT") -+ assert_in_out_err(args, stdin, [], expected_stderr, encoding: "ASCII-8BIT", timeout_error: nil) - ensure - FileUtils.rm_rf(tmpdir) if tmpdir - end --- -2.27.0 - diff --git a/ruby-2.6.8-net-ftp-pasv-can-connect-to-arbitrary-host.patch b/ruby-2.6.8-net-ftp-pasv-can-connect-to-arbitrary-host.patch new file mode 100644 index 0000000000000000000000000000000000000000..03f96859e0819cf144463e152d5fd508e965f8c2 --- /dev/null +++ b/ruby-2.6.8-net-ftp-pasv-can-connect-to-arbitrary-host.patch 
@@ -0,0 +1,247 @@ +commit be5a83e84a34091f2a4e3c6dfb911b20e78e690c +Author: usa +Date: Wed Jul 7 10:34:08 2021 +0000 + + Ignore IP addresses in PASV responses by default, and add new option use_pasv_ip + + This fixes CVE-2021-31810. + Reported by Alexandr Savca. + + Co-authored-by: Shugo Maeda + + + git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67949 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +diff --git a/lib/net/ftp.rb b/lib/net/ftp.rb +index e68d825dcf..c5d669d898 100644 +--- a/lib/net/ftp.rb ++++ b/lib/net/ftp.rb +@@ -97,6 +97,10 @@ class FTP < Protocol + # When +true+, the connection is in passive mode. Default: +true+. + attr_accessor :passive + ++ # When +true+, use the IP address in PASV responses. Otherwise, it uses ++ # the same IP address for the control connection. Default: +false+. ++ attr_accessor :use_pasv_ip ++ + # When +true+, all traffic to and from the server is written + # to +$stdout+. Default: +false+. + attr_accessor :debug_mode +@@ -205,6 +209,9 @@ def FTP.open(host, *args) + # handshake. + # See Net::FTP#ssl_handshake_timeout for + # details. Default: +nil+. ++ # use_pasv_ip:: When +true+, use the IP address in PASV responses. ++ # Otherwise, it uses the same IP address for the control ++ # connection. Default: +false+. + # debug_mode:: When +true+, all traffic to and from the server is + # written to +$stdout+. Default: +false+. 
+ # +@@ -265,6 +272,7 @@ def initialize(host = nil, user_or_options = {}, passwd = nil, acct = nil) + @open_timeout = options[:open_timeout] + @ssl_handshake_timeout = options[:ssl_handshake_timeout] + @read_timeout = options[:read_timeout] || 60 ++ @use_pasv_ip = options[:use_pasv_ip] || false + if host + connect(host, options[:port] || FTP_PORT) + if options[:username] +@@ -1330,7 +1338,12 @@ def parse227(resp) # :nodoc: + raise FTPReplyError, resp + end + if m = /\((?\d+(,\d+){3}),(?\d+,\d+)\)/.match(resp) +- return parse_pasv_ipv4_host(m["host"]), parse_pasv_port(m["port"]) ++ if @use_pasv_ip ++ host = parse_pasv_ipv4_host(m["host"]) ++ else ++ host = @bare_sock.remote_address.ip_address ++ end ++ return host, parse_pasv_port(m["port"]) + else + raise FTPProtoError, resp + end +diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb +index a5219644bb..b3fe7774ed 100644 +--- a/test/net/ftp/test_ftp.rb ++++ b/test/net/ftp/test_ftp.rb +@@ -61,7 +61,7 @@ def test_connect_fail + end + + def test_parse227 +- ftp = Net::FTP.new ++ ftp = Net::FTP.new(nil, use_pasv_ip: true) + host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)") + assert_equal("192.168.0.1", host) + assert_equal(3106, port) +@@ -80,6 +80,14 @@ def test_parse227 + assert_raise(Net::FTPProtoError) do + ftp.send(:parse227, "227 ) foo bar (") + end ++ ++ ftp = Net::FTP.new ++ sock = OpenStruct.new ++ sock.remote_address = OpenStruct.new ++ sock.remote_address.ip_address = "10.0.0.1" ++ ftp.instance_variable_set(:@bare_sock, sock) ++ host, port = ftp.send(:parse227, "227 Entering Passive Mode (192,168,0,1,12,34)") ++ assert_equal("10.0.0.1", host) + end + + def test_parse228 +@@ -2360,10 +2368,155 @@ def test_puttextfile_command_injection + end + end + ++ def test_ignore_pasv_ip ++ commands = [] ++ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 ++ server = create_ftp_server(nil, "127.0.0.1") { |sock| ++ sock.print("220 (test_ftp).\r\n") ++ commands.push(sock.gets) 
++ sock.print("331 Please specify the password.\r\n") ++ commands.push(sock.gets) ++ sock.print("230 Login successful.\r\n") ++ commands.push(sock.gets) ++ sock.print("200 Switching to Binary mode.\r\n") ++ line = sock.gets ++ commands.push(line) ++ data_server = TCPServer.new("127.0.0.1", 0) ++ port = data_server.local_address.ip_port ++ sock.printf("227 Entering Passive Mode (999,0,0,1,%s).\r\n", ++ port.divmod(256).join(",")) ++ commands.push(sock.gets) ++ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n") ++ conn = data_server.accept ++ binary_data.scan(/.{1,1024}/nm) do |s| ++ conn.print(s) ++ end ++ conn.shutdown(Socket::SHUT_WR) ++ conn.read ++ conn.close ++ data_server.close ++ sock.print("226 Transfer complete.\r\n") ++ } ++ begin ++ begin ++ ftp = Net::FTP.new ++ ftp.passive = true ++ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait ++ ftp.connect("127.0.0.1", server.port) ++ ftp.login ++ assert_match(/\AUSER /, commands.shift) ++ assert_match(/\APASS /, commands.shift) ++ assert_equal("TYPE I\r\n", commands.shift) ++ buf = ftp.getbinaryfile("foo", nil) ++ assert_equal(binary_data, buf) ++ assert_equal(Encoding::ASCII_8BIT, buf.encoding) ++ assert_equal("PASV\r\n", commands.shift) ++ assert_equal("RETR foo\r\n", commands.shift) ++ assert_equal(nil, commands.shift) ++ ensure ++ ftp.close if ftp ++ end ++ ensure ++ server.close ++ end ++ end ++ ++ def test_use_pasv_ip ++ commands = [] ++ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 ++ server = create_ftp_server(nil, "127.0.0.1") { |sock| ++ sock.print("220 (test_ftp).\r\n") ++ commands.push(sock.gets) ++ sock.print("331 Please specify the password.\r\n") ++ commands.push(sock.gets) ++ sock.print("230 Login successful.\r\n") ++ commands.push(sock.gets) ++ sock.print("200 Switching to Binary mode.\r\n") ++ line = sock.gets ++ commands.push(line) ++ data_server = TCPServer.new("127.0.0.1", 0) ++ port = 
data_server.local_address.ip_port ++ sock.printf("227 Entering Passive Mode (127,0,0,1,%s).\r\n", ++ port.divmod(256).join(",")) ++ commands.push(sock.gets) ++ sock.print("150 Opening BINARY mode data connection for foo (#{binary_data.size} bytes)\r\n") ++ conn = data_server.accept ++ binary_data.scan(/.{1,1024}/nm) do |s| ++ conn.print(s) ++ end ++ conn.shutdown(Socket::SHUT_WR) ++ conn.read ++ conn.close ++ data_server.close ++ sock.print("226 Transfer complete.\r\n") ++ } ++ begin ++ begin ++ ftp = Net::FTP.new ++ ftp.passive = true ++ ftp.use_pasv_ip = true ++ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? # for --jit-wait ++ ftp.connect("127.0.0.1", server.port) ++ ftp.login ++ assert_match(/\AUSER /, commands.shift) ++ assert_match(/\APASS /, commands.shift) ++ assert_equal("TYPE I\r\n", commands.shift) ++ buf = ftp.getbinaryfile("foo", nil) ++ assert_equal(binary_data, buf) ++ assert_equal(Encoding::ASCII_8BIT, buf.encoding) ++ assert_equal("PASV\r\n", commands.shift) ++ assert_equal("RETR foo\r\n", commands.shift) ++ assert_equal(nil, commands.shift) ++ ensure ++ ftp.close if ftp ++ end ++ ensure ++ server.close ++ end ++ end ++ ++ def test_use_pasv_invalid_ip ++ commands = [] ++ binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 ++ server = create_ftp_server(nil, "127.0.0.1") { |sock| ++ sock.print("220 (test_ftp).\r\n") ++ commands.push(sock.gets) ++ sock.print("331 Please specify the password.\r\n") ++ commands.push(sock.gets) ++ sock.print("230 Login successful.\r\n") ++ commands.push(sock.gets) ++ sock.print("200 Switching to Binary mode.\r\n") ++ line = sock.gets ++ commands.push(line) ++ sock.print("227 Entering Passive Mode (999,0,0,1,48,57).\r\n") ++ commands.push(sock.gets) ++ } ++ begin ++ begin ++ ftp = Net::FTP.new ++ ftp.passive = true ++ ftp.use_pasv_ip = true ++ ftp.read_timeout *= 5 if defined?(RubyVM::MJIT) && RubyVM::MJIT.enabled? 
# for --jit-wait ++ ftp.connect("127.0.0.1", server.port) ++ ftp.login ++ assert_match(/\AUSER /, commands.shift) ++ assert_match(/\APASS /, commands.shift) ++ assert_equal("TYPE I\r\n", commands.shift) ++ assert_raise(SocketError) do ++ ftp.getbinaryfile("foo", nil) ++ end ++ ensure ++ ftp.close if ftp ++ end ++ ensure ++ server.close ++ end ++ end ++ + private + +- def create_ftp_server(sleep_time = nil) +- server = TCPServer.new(SERVER_ADDR, 0) ++ def create_ftp_server(sleep_time = nil, addr = SERVER_ADDR) ++ server = TCPServer.new(addr, 0) + @thread = Thread.start do + if sleep_time + sleep(sleep_time) diff --git a/ruby-2.6.8-net-imap-startls-stripping-vulnerability.patch b/ruby-2.6.8-net-imap-startls-stripping-vulnerability.patch new file mode 100644 index 0000000000000000000000000000000000000000..83a655f467d00099e9e9178ccc4f9d05c63e0989 --- /dev/null +++ b/ruby-2.6.8-net-imap-startls-stripping-vulnerability.patch 
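Review bot: The context line `if m = /\((?\d+(,\d+){3}),(?\d+,\d+)\)/.match(resp)` in the parse227 hunk shows both capture groups without names while the new branch reads `m["host"]` and `m["port"]`; if the on-disk patch really lacks `(?<host>…)`/`(?<port>…)` rather than this being a rendering artifact, the context will not match lib/net/ftp.rb and `%patch32 -p1` fails at build time, so the stored file should be checked. The defaulting line `@use_pasv_ip = options[:use_pasv_ip] || false` is what makes the safe behaviour (data connection to the control peer taken from `@bare_sock.remote_address.ip_address`) the default, and a short comment there would stop a later backporter from flipping it, e.g. `# CVE-2021-31810: the PASV-supplied address is only trusted when the caller opts in`. The test_parse227 addition builds its socket stand-in with `OpenStruct`, which needs `ostruct` loaded somewhere in the test file; that require is not visible in the hunk.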
@@ -0,0 +1,101 @@ +commit 95ba9053e20ad8d113af37b3f1f4cbfff1f6a8f1 +Author: usa +Date: Wed Jul 7 10:38:10 2021 +0000 + + Fix StartTLS stripping vulnerability + + Reported by Alexandr Savca in https://hackerone.com/reports/1178562 + + Co-authored-by: Shugo Maeda + + + git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67950 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +diff --git a/lib/net/imap.rb b/lib/net/imap.rb +index 1c7e89ba14..91df89b79e 100644 +--- a/lib/net/imap.rb ++++ b/lib/net/imap.rb +@@ -1213,12 +1213,14 @@ def get_tagged_response(tag, cmd) + end + resp = @tagged_responses.delete(tag) + case resp.name ++ when /\A(?:OK)\z/ni ++ return resp + when /\A(?:NO)\z/ni + raise NoResponseError, resp + when /\A(?:BAD)\z/ni + raise BadResponseError, resp + else +- return resp ++ raise UnknownResponseError, resp + end + end + +@@ -3714,6 +3716,10 @@ class BadResponseError < ResponseError + class ByeResponseError < ResponseError + end + ++ # Error raised upon an unknown response from the server. ++ class UnknownResponseError < ResponseError ++ end ++ + RESPONSE_ERRORS = Hash.new(ResponseError) + RESPONSE_ERRORS["NO"] = NoResponseError + RESPONSE_ERRORS["BAD"] = BadResponseError +diff --git a/test/net/imap/test_imap.rb b/test/net/imap/test_imap.rb +index 936f4e0f42..81928cb8fe 100644 +--- a/test/net/imap/test_imap.rb ++++ b/test/net/imap/test_imap.rb +@@ -127,6 +127,24 @@ def test_starttls + imap.disconnect + end + end ++ ++ def test_starttls_stripping ++ starttls_stripping_test do |port| ++ imap = Net::IMAP.new("localhost", :port => port) ++ assert_raise(Net::IMAP::UnknownResponseError) do ++ imap.starttls(:ca_file => CA_FILE) ++ end ++ imap ++ end ++ end ++ end ++ ++ def start_server ++ th = Thread.new do ++ yield ++ end ++ @threads << th ++ sleep 0.1 until th.stop? 
+ end + + def test_unexpected_eof +@@ -760,6 +760,27 @@ def starttls_test + end + end + ++ def starttls_stripping_test ++ server = create_tcp_server ++ port = server.addr[1] ++ start_server do ++ sock = server.accept ++ begin ++ sock.print("* OK test server\r\n") ++ sock.gets ++ sock.print("RUBY0001 BUG unhandled command\r\n") ++ ensure ++ sock.close ++ server.close ++ end ++ end ++ begin ++ imap = yield(port) ++ ensure ++ imap.disconnect if imap && !imap.disconnected? ++ end ++ end ++ + def create_tcp_server + return TCPServer.new(server_addr, 0) + end diff --git a/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch b/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch new file mode 100644 index 0000000000000000000000000000000000000000..2cca400a8079b13c6e912080337185a1f0e5ec32 --- /dev/null +++ b/ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch 
@@ -0,0 +1,88 @@ +commit fe3c49c9baeeab58304ede915b7edd18ecf360fc +Author: usa +Date: Sat Jul 3 17:10:28 2021 +0000 + + merge revision(s) b1c73f23,c9ab8fe2: [Backport #17877] + + [ruby/rdoc] Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799 + + https://github.com/ruby/rdoc/commit/a7f5d6ab88 + + The test for command injection on Unix platforms should be omitted on Windows + + + git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67947 b2dd03c8-39d4-4d8f-98ff-823fe69b080e + +diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb +index ca2c1abefd..46aace7839 100644 +--- a/lib/rdoc/rdoc.rb ++++ b/lib/rdoc/rdoc.rb +@@ -436,7 +436,7 @@ def remove_unparseable files + files.reject do |file| + file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or + (file =~ /tags$/i and +- open(file, 'rb') { |io| ++ File.open(file, 'rb') { |io| + io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/ + }) + end +--- a/lib/rdoc/encoding.rb 2022-02-16 16:51:28.080178281 +0100 ++++ b/lib/rdoc/encoding.rb 2022-02-16 16:51:37.108160840 +0100 +@@ -18,7 +18,7 @@ + # unknown character in the target encoding will be replaced with '?' + + def self.read_file filename, encoding, force_transcode = false +- content = open filename, "rb" do |f| f.read end ++ content = File.open filename, "rb" do |f| f.read end + content.gsub!("\r\n", "\n") if RUBY_PLATFORM =~ /mswin|mingw/ + + utf8 = content.sub!(/\A\xef\xbb\xbf/, '') +--- a/lib/rdoc/parser.rb 2021-04-05 13:46:35.000000000 +0200 ++++ b/lib/rdoc/parser.rb 2022-02-16 15:37:17.904822389 +0100 +@@ -74,7 +74,12 @@ + def self.binary?(file) + return false if file =~ /\.(rdoc|txt)$/ + +- s = File.read(file, 1024) or return false ++ begin ++ open_file = File.open(file) ++ s = open_file.read(1024) or return false ++ ensure ++ open_file.close if open_file ++ end + + return true if s[0, 2] == Marshal.dump('')[0, 2] or s.index("\x00") + +@@ -92,7 +97,8 @@ + # http://www.garykessler.net/library/file_sigs.html + + def self.zip? 
file +- zip_signature = File.read file, 4 ++ zip_signature = '' ++ File.open(file) { |f| zip_signature = f.read(4) } + + zip_signature == "PK\x03\x04" or + zip_signature == "PK\x05\x06" or +diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb +index 3bce54b243..123b1a4f87 100644 +--- a/test/rdoc/test_rdoc_rdoc.rb ++++ b/test/rdoc/test_rdoc_rdoc.rb +@@ -366,6 +366,18 @@ def test_remove_unparseable_tags_vim + end + end + ++ def test_remove_unparseable_CVE_2021_31799 ++ skip 'for Un*x platforms' if Gem.win_platform? ++ temp_dir do ++ file_list = ['| touch evil.txt && echo tags'] ++ file_list.each do |f| ++ FileUtils.touch f ++ end ++ assert_equal file_list, @rdoc.remove_unparseable(file_list) ++ assert_equal file_list, Dir.children('.') ++ end ++ end ++ + def test_setup_output_dir + Dir.mktmpdir {|d| + path = File.join d, 'testdir' diff --git a/ruby.spec b/ruby.spec index e76fdd4d641ca7da1f688418415ed2caef5e5d3a..d2cdffa64ca6428018368310d7fb1ac0a369d486 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %global major_version 2 %global minor_version 5 %global teeny_version 9 @@ -22,9 +21,9 @@ %endif -%global release 107 +%global release 109 -%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{anolis_release}%{?dist}} +%{!?release_string:%global release_string %{?development_release:0.}%{release}%{?development_release:.%{development_release}}%{?dist}} # The RubyGems library has to stay out of Ruby directory tree, since the # RubyGems should be share by all Ruby implementations. 
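Review bot: The parser.rb hunk replaces `File.read(file, 1024)` with an explicit `File.open`/`read`/`ensure close` sequence but gives no hint why, and the longer form invites a later "simplification" back to `File.read`; a comment on the `begin` line such as `# File.read is IO.read, which treats a leading "|" as a command; open the path explicitly (CVE-2021-31799)` would preserve the intent. The same applies to the `zip?` hunk, where `zip_signature = ''` plus the block assignment replaces `File.read file, 4`. The encoding.rb and parser.rb sections carry timestamped `--- a/lib/rdoc/... 2022-02-16` headers instead of git `index` lines, so they were added by hand on top of the quoted upstream revisions; they still strip with `-p1`, but the Patch30 comment in ruby.spec could say the file is the upstream commit plus those two hand-added hunks, which is presumably what the 2.5.9-109 "Properly fix" changelog entry refers to.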
@@ -179,19 +178,16 @@ Patch28: ruby-2.5.9-revert-stop-the-error-due-to-openssl-1-1-1h.patch # contains leading zero # https://bugzilla.redhat.com/show_bug.cgi?id=1950308 Patch29: ruby-3.0.0-Convert-ip-addresses-to-canonical-form.patch - -# Begin: Anolis OS customized -# Fix lchmod test failures. -# refer url: https://src.fedoraproject.org/rpms/ruby/c/79683d7d629de74dbcefe8cce68d51ec1eb1da01?branch=rawhide -# https://github.com/ruby/ruby/commit/a19228f878d955eaf2cce086bcf53f46fdf894b9 -Patch1000: 1000-ruby-2.8.0-Brace-the-fact-that-lchmod-can-EOPNOTSUPP.patch -# https://github.com/ruby/ruby/commit/72c02aa4b79731c7f25c9267f74b347f1946c704 -Patch1001: 1001-ruby-2.8.0-Moved-not-implemented-method-tests.patch -# Avoid possible timeout errors in TestBugReporter#test_bug_reporter_add. -# https://bugs.ruby-lang.org/issues/16492 -# refer url: https://src.fedoraproject.org/rpms/ruby/c/4979be53acdcfd0d6021c4f209403c2e88fae58e?branch=rawhide -Patch1002: 1002-ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch -# End: Anolis OS customized +# Fix CVE-2021-31799 rdoc: Command injection vulnerability in RDoc. +# https://bugzilla.redhat.com/show_bug.cgi?id=1980839 +Patch30: ruby-2.6.8-rdoc-6.1.2.1-command-injection-vulnerability.patch +# Fix CVE-2021-32066 StartTLS stripping vulnerability in Net::IMAP. +# https://bugzilla.redhat.com/show_bug.cgi?id=1980830 +Patch31: ruby-2.6.8-net-imap-startls-stripping-vulnerability.patch +# Fix CVE-2021-31810 FTP PASV command response can cause Net::FTP to connect +# to arbitrary host. +# https://bugzilla.redhat.com/show_bug.cgi?id=1980825 +Patch32: ruby-2.6.8-net-ftp-pasv-can-connect-to-arbitrary-host.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Suggests: rubypick 
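Review bot: Patch1000–Patch1002 are dropped here with no replacement, although the removed 2.5.9-107.0.1 changelog entry (last hunk of this file) says Patch1000/Patch1001 were needed to fix FTBFS once glibc implemented lchmod(2) and Patch1002 avoided timeouts in TestBugReporter#test_bug_reporter_add; unless the build root's glibc no longer triggers those test failures, `%check` can start failing again. If the rebased spec genuinely needs none of them, the changelog hunk should record that instead of deleting the 107.0.1 entry, e.g. `- Drop Anolis lchmod/bug_reporter patches (Patch1000-1002), no longer needed`. The new Patch30–Patch32 comments correctly pair each patch with its CVE and Bugzilla reference, which is the format to keep.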
@@ -591,9 +587,9 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \ %patch27 -p1 %patch28 -p1 -R %patch29 -p1 -%patch1000 -p1 -%patch1001 -p1 -%patch1002 -p1 +%patch30 -p1 +%patch31 -p1 +%patch32 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1146,12 +1142,17 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \ %{gem_dir}/specifications/xmlrpc-%{xmlrpc_version}.gemspec %changelog -* Thu Jan 13 2022 Weitao Zhou - 2.5.9-107.0.1 -- Fix FTBFS due to glibc 2.31.9000 implementing lchmod(2), compatible with glibc2.28 also - * Patch: ruby-2.8.0-Brace-the-fact-that-lchmod-can-EOPNOTSUPP.patch - * Patch: ruby-2.8.0-Moved-not-implemented-method-tests.patch -- Avoid possible timeout errors in TestBugReporter#test_bug_reporter_add. - * Patch: ruby-2.7.1-Timeout-the-test_bug_reporter_add-witout-raising-err.patch +* Wed Feb 16 2022 Jarek Prokop - 2.5.9-109 +- Properly fix command injection vulnerability in Rdoc. + Related: CVE-2021-31799 + +* Wed Feb 09 2022 Jarek Prokop - 2.5.9-108 +- Fix command injection vulnerability in RDoc. + Resolves: CVE-2021-31799 +- Fix StartTLS stripping vulnerability in Net::IMAP + Resolves: CVE-2021-32066 +- Fix FTP PASV command response can cause Net::FTP to connect to arbitrary host. + Resolves: CVE-2021-31810 * Mon Apr 19 2021 Pavel Valena - 2.5.9-107 - Update to Ruby 2.5.9.