On Fri, Nov 29, 2013 at 11:55:28AM -0300, Antonio Terceiro wrote: > I am working on having fixed for all suites, and I should be able to > finish it during the weekend. > > I had already send debdiff's to t...@security.debian.org early in the > week but forgot to push them to the git repository, and to mention that > in the bug logs. Raphael, thanks for your help anyway.
I have uploaded fixed packages to stable-security and oldstable-security, final diffs are atttached. Raphael, thanks for your help. I have also uploaded fixed packages for unstable. Their version numbers: ruby1.8 1.8.7.358-9 ruby1.9.1 1.9.3.484-1 ruby2.0 2.0.0.353-1 -- Antonio Terceiro <terce...@debian.org>
diff -u ruby1.8-1.8.7.302/debian/changelog ruby1.8-1.8.7.302/debian/changelog --- ruby1.8-1.8.7.302/debian/changelog +++ ruby1.8-1.8.7.302/debian/changelog @@ -1,3 +1,15 @@ +ruby1.8 (1.8.7.302-2squeeze2) oldstable-security; urgency=high + + [ Raphaël Hertzog ] + * Add multiple patches to fix security issues: + - CVE-2013-4164: Fix heap overflow in floating point parsing + (Closes: #730189) + - CVE-2013-1821: Fix entity expansion DoS vulnerability in REXML + (Closes: #702526) + - CVE-2013-4073: Fix incorrect ssl hostname verification (Closes: #714541) + + -- Antonio Terceiro <terce...@debian.org> Sun, 01 Dec 2013 19:24:20 -0300 + ruby1.8 (1.8.7.302-2squeeze1) stable; urgency=low * Add Conflicts and Replaces to libruby1.8 for irb1.8 and rdoc1.8. diff -u ruby1.8-1.8.7.302/debian/patches/series ruby1.8-1.8.7.302/debian/patches/series --- ruby1.8-1.8.7.302/debian/patches/series +++ ruby1.8-1.8.7.302/debian/patches/series @@ -12,0 +13,3 @@ +904-CVE-2013-4164.patch +905-CVE-2013-1821.patch +906-CVE-2013-4073.patch only in patch2: unchanged: --- ruby1.8-1.8.7.302.orig/debian/gbp.conf +++ ruby1.8-1.8.7.302/debian/gbp.conf @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch=squeeze +upstream-branch=upstream-squeeze only in patch2: unchanged: --- ruby1.8-1.8.7.302.orig/debian/patches/904-CVE-2013-4164.patch +++ ruby1.8-1.8.7.302/debian/patches/904-CVE-2013-4164.patch @@ -0,0 +1,74 @@ +Description: Fix Heap Overflow in Floating Point Parsing + This vulnerability is tracked with CVE-2013-4164. + . + https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/ +Origin: backport, https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43776/diff + https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43782/diff +Bug-Debian: http://bugs.debian.org/730189 +Forwarded: not-needed +Applied-Upstream: 1.9.3-p484, 2.0.0-p353 +Last-Update: 2013-11-29 + +--- a/util.c ++++ b/util.c +@@ -888,6 +888,11 @@ extern void *MALLOC(size_t); + #else + #define MALLOC malloc + #endif ++#ifdef FREE ++extern void FREE(void*); ++#else ++#define FREE free ++#endif + + #ifndef Omit_Private_Memory + #ifndef PRIVATE_MEM +@@ -1172,7 +1177,7 @@ Balloc(int k) + #endif + + ACQUIRE_DTOA_LOCK(0); +- if ((rv = freelist[k]) != 0) { ++ if (k <= Kmax && (rv = freelist[k]) != 0) { + freelist[k] = rv->next; + } + else { +@@ -1182,7 +1187,7 @@ Balloc(int k) + #else + len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1) + /sizeof(double); +- if (pmem_next - private_mem + len <= PRIVATE_mem) { ++ if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) { + rv = (Bigint*)pmem_next; + pmem_next += len; + } +@@ -1201,6 +1206,10 @@ static void + Bfree(Bigint *v) + { + if (v) { ++ if (v->k > Kmax) { ++ FREE(v); ++ return; ++ } + ACQUIRE_DTOA_LOCK(0); + v->next = freelist[v->k]; + freelist[v->k] = v; +@@ -2196,6 +2205,7 @@ break2: + for (; c >= '0' && c <= '9'; c = *++s) { + have_dig: + nz++; ++ if (nf > DBL_DIG * 4) continue; + if (c -= '0') { + nf += nz; + for (i = 1; i < nz; i++) +--- a/test/ruby/test_float.rb ++++ b/test/ruby/test_float.rb +@@ -144,4 +144,9 @@ class TestFloat < Test::Unit::TestCase + assert_operator((-4611686018427387905.0).to_i, :<, 0) + assert_operator((-4611686018427387906.0).to_i, :<, 0) + end ++ ++ def test_long_string ++ assert(10.0 - ("1."+"1"*300000).to_f*9 < 0.000001) ++ end ++ + end only in patch2: unchanged: --- ruby1.8-1.8.7.302.orig/debian/patches/905-CVE-2013-1821.patch +++ ruby1.8-1.8.7.302/debian/patches/905-CVE-2013-1821.patch @@ -0,0 +1,120 @@ +Description: Fix entity expansion DoS vulnerability in REXML + CVE-2013-1821 +Origin: upstream, http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=39384&view=patch +Bug-Debian: http://bugs.debian.org/702526 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2013-03-09 + +--- a/lib/rexml/document.rb ++++ b/lib/rexml/document.rb +@@ -214,6 +214,18 @@ + return @@entity_expansion_limit + end + ++ @@entity_expansion_text_limit = 10_240 ++ ++ # Set the entity expansion limit. By default the limit is set to 10240. ++ def Document::entity_expansion_text_limit=( val ) ++ @@entity_expansion_text_limit = val ++ end ++ ++ # Get the entity expansion limit. By default the limit is set to 10000. ++ def Document::entity_expansion_text_limit ++ return @@entity_expansion_text_limit ++ end ++ + attr_reader :entity_expansion_count + + def record_entity_expansion +--- a/test/rexml/test_document.rb ++++ b/test/rexml/test_document.rb +@@ -63,4 +63,23 @@ + ensure + REXML::Document.entity_expansion_limit = 10000 + end ++ ++ def test_entity_string_limit ++ template = '<!DOCTYPE bomb [ <!ENTITY a "^" > ]> <bomb>$</bomb>' ++ len = 5120 # 5k per entity ++ template.sub!(/\^/, "B" * len) ++ ++ # 10k is OK ++ entities = '&a;' * 2 # 5k entity * 2 = 10k ++ xmldoc = REXML::Document.new(template.sub(/\$/, entities)) ++ assert_equal(len * 2, xmldoc.root.text.bytesize) ++ ++ # above 10k explodes ++ entities = '&a;' * 3 # 5k entity * 2 = 15k ++ xmldoc = REXML::Document.new(template.sub(/\$/, entities)) ++ assert_raises(RuntimeError) do ++ xmldoc.root.text ++ end ++ end ++ + end +--- a/lib/rexml/text.rb ++++ b/lib/rexml/text.rb +@@ -308,37 +308,35 @@ + + # Unescapes all possible entities + def Text::unnormalize( string, doctype=nil, filter=nil, illegal=nil ) +- rv = string.clone +- rv.gsub!( /\r\n?/, "\n" ) +- matches = rv.scan( REFERENCE ) +- return rv if matches.size == 0 +- rv.gsub!( NUMERICENTITY ) {|m| +- m=$1 +- m = "0#{m}" if m[0] == ?x +- [Integer(m)].pack('U*') ++ sum = 0 ++ string.gsub( /\r\n?/, "\n" ).gsub( REFERENCE ) { ++ s = Text.expand($&, doctype, filter) ++ if sum + s.bytesize > Document.entity_expansion_text_limit ++ raise "entity expansion has grown too large" ++ else ++ sum += s.bytesize ++ end ++ s + } +- matches.collect!{|x|x[0]}.compact! +- if matches.size > 0 +- if doctype +- matches.each do |entity_reference| +- unless filter and filter.include?(entity_reference) +- entity_value = doctype.entity( entity_reference ) +- re = /&#{entity_reference};/ +- rv.gsub!( re, entity_value ) if entity_value +- end +- end ++ end ++ ++ def Text.expand(ref, doctype, filter) ++ if ref[1] == ?# ++ if ref[2] == ?x ++ [ref[3...-1].to_i(16)].pack('U*') + else +- matches.each do |entity_reference| +- unless filter and filter.include?(entity_reference) +- entity_value = DocType::DEFAULT_ENTITIES[ entity_reference ] +- re = /&#{entity_reference};/ +- rv.gsub!( re, entity_value.value ) if entity_value +- end +- end ++ [ref[2...-1].to_i].pack('U*') + end +- rv.gsub!( /&/, '&' ) ++ elsif ref == '&' ++ '&' ++ elsif filter and filter.include?( ref[1...-1] ) ++ ref ++ elsif doctype ++ doctype.entity( ref[1...-1] ) or ref ++ else ++ entity_value = DocType::DEFAULT_ENTITIES[ ref[1...-1] ] ++ entity_value ? entity_value.value : ref + end +- rv + end + end + end only in patch2: unchanged: --- ruby1.8-1.8.7.302.orig/debian/patches/906-CVE-2013-4073.patch +++ ruby1.8-1.8.7.302/debian/patches/906-CVE-2013-4073.patch @@ -0,0 +1,79 @@ +Description: fix incorrect ssl hostname verification +Origin: upstream, https://github.com/ruby/ruby/commit/961bf7496ded3acfe847cf56fa90bbdcfd6e614f +Origin: backport, https://github.com/ruby/ruby/commit/a3a62f87e144be31b9ca8ad6415b207f43f4e126 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=714541 +Bug: https://bugs.ruby-lang.org/issues/8575 + +Index: ruby1.8-1.8.7.352/ext/openssl/lib/openssl/ssl-internal.rb +=================================================================== +--- ruby1.8-1.8.7.352.orig/ext/openssl/lib/openssl/ssl-internal.rb 2013-07-08 10:16:49.926709322 -0400 ++++ ruby1.8-1.8.7.352/ext/openssl/lib/openssl/ssl-internal.rb 2013-07-08 10:16:49.918709322 -0400 +@@ -90,14 +90,22 @@ + should_verify_common_name = true + cert.extensions.each{|ext| + next if ext.oid != "subjectAltName" +- ext.value.split(/,\s+/).each{|general_name| +- if /\ADNS:(.*)/ =~ general_name ++ ostr = OpenSSL::ASN1.decode(ext.to_der).value.last ++ sequence = OpenSSL::ASN1.decode(ostr.value) ++ sequence.value.each{|san| ++ case san.tag ++ when 2 # dNSName in GeneralName (RFC5280) + should_verify_common_name = false +- reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+") ++ reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+") + return true if /\A#{reg}\z/i =~ hostname +- elsif /\AIP Address:(.*)/ =~ general_name ++ when 7 # iPAddress in GeneralName (RFC5280) + should_verify_common_name = false +- return true if $1 == hostname ++ # follows GENERAL_NAME_print() in x509v3/v3_alt.c ++ if san.value.size == 4 ++ return true if san.value.unpack('C*').join('.') == hostname ++ elsif san.value.size == 16 ++ return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname ++ end + end + } + } +Index: ruby1.8-1.8.7.352/test/openssl/test_ssl.rb +=================================================================== +--- ruby1.8-1.8.7.352.orig/test/openssl/test_ssl.rb 2013-07-08 10:16:49.926709322 -0400 ++++ ruby1.8-1.8.7.352/test/openssl/test_ssl.rb 2013-07-08 10:16:49.922709322 -0400 +@@ -532,6 +532,36 @@ + end + end + end ++ ++ def test_verify_certificate_identity ++ [true, false].each do |criticality| ++ cert = create_null_byte_SAN_certificate(criticality) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17')) ++ end ++ end ++ ++ # Create NULL byte SAN certificate ++ def create_null_byte_SAN_certificate(critical = false) ++ ef = OpenSSL::X509::ExtensionFactory.new ++ cert = OpenSSL::X509::Certificate.new ++ cert.subject = OpenSSL::X509::Name.parse "/DC=some/DC=site/CN=Some Site" ++ ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17', critical) ++ ext_asn1 = OpenSSL::ASN1.decode(ext.to_der) ++ san_list_der = ext_asn1.value.reduce(nil) { |memo,val| val.tag == 4 ? val.value : memo } ++ san_list_asn1 = OpenSSL::ASN1.decode(san_list_der) ++ san_list_asn1.value[0].value = 'www.example.com\0.evil.com' ++ pos = critical ? 2 : 1 ++ ext_asn1.value[pos].value = san_list_asn1.to_der ++ real_ext = OpenSSL::X509::Extension.new ext_asn1 ++ cert.add_extension(real_ext) ++ cert ++ end ++ + end + + end
diff -Nru ruby1.8-1.8.7.358/debian/changelog ruby1.8-1.8.7.358/debian/changelog --- ruby1.8-1.8.7.358/debian/changelog 2013-07-08 11:37:30.000000000 -0300 +++ ruby1.8-1.8.7.358/debian/changelog 2013-12-02 00:23:45.000000000 -0300 @@ -1,3 +1,17 @@ +ruby1.8 (1.8.7.358-7.1+deb7u1) stable-security; urgency=high + + [ Raphaël Hertzog ] + * debian/patches/CVE-2013-4164.patch: New patch to fix + heap overflow in floating point parsing (Closes: #730189) + Thanks to Moritz Muehlenhoff for the patch. + + [ Antonio Terceiro ] + * debian/patches/CVE-2013-4073: fix regression that introduced syntax errors + in test/openssl/test_ssl.rb, breaking the execution of the test suite + during the package build. + + -- Antonio Terceiro <terce...@debian.org> Sun, 01 Dec 2013 23:22:26 -0300 + ruby1.8 (1.8.7.358-7.1) unstable; urgency=high * Non-maintainer upload. diff -Nru ruby1.8-1.8.7.358/debian/gbp.conf ruby1.8-1.8.7.358/debian/gbp.conf --- ruby1.8-1.8.7.358/debian/gbp.conf 2013-07-08 11:37:30.000000000 -0300 +++ ruby1.8-1.8.7.358/debian/gbp.conf 2013-12-01 23:19:56.000000000 -0300 @@ -1,2 +1,3 @@ [DEFAULT] -pristine-tar = True +debian-branch=wheezy +upstream-branch=wheezy-squeeze diff -Nru ruby1.8-1.8.7.358/debian/patches/CVE-2013-4073.patch ruby1.8-1.8.7.358/debian/patches/CVE-2013-4073.patch --- ruby1.8-1.8.7.358/debian/patches/CVE-2013-4073.patch 2013-07-08 11:37:30.000000000 -0300 +++ ruby1.8-1.8.7.358/debian/patches/CVE-2013-4073.patch 2013-12-02 00:16:45.000000000 -0300 @@ -12,7 +12,7 @@ --- a/ext/openssl/lib/openssl/ssl-internal.rb +++ b/ext/openssl/lib/openssl/ssl-internal.rb -@@ -90,14 +90,22 @@ +@@ -90,14 +90,22 @@ module OpenSSL should_verify_common_name = true cert.extensions.each{|ext| next if ext.oid != "subjectAltName" @@ -42,40 +42,40 @@ } --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb -@@ -547,6 +547,36 @@ +@@ -547,6 +547,36 @@ class OpenSSL::TestSSL < Test::Unit::Tes ssl.close } end + -+ def test_verify_certificate_identity$ -+ [true, false].each do |criticality|$ -+ cert = create_null_byte_SAN_certificate(criticality)$ -+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com'))$ -+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com'))$ -+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))$ -+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))$ -+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))$ -+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))$ -+ end$ -+ end$ -+$ -+ # Create NULL byte SAN certificate$ -+ def create_null_byte_SAN_certificate(critical = false)$ -+ ef = OpenSSL::X509::ExtensionFactory.new$ -+ cert = OpenSSL::X509::Certificate.new$ -+ cert.subject = OpenSSL::X509::Name.parse "/DC=some/DC=site/CN=Some Site"$ -+ ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17', critical)$ -+ ext_asn1 = OpenSSL::ASN1.decode(ext.to_der)$ -+ san_list_der = ext_asn1.value.reduce(nil) { |memo,val| val.tag == 4 ? val.value : memo }$ -+ san_list_asn1 = OpenSSL::ASN1.decode(san_list_der)$ -+ san_list_asn1.value[0].value = 'www.example.com\0.evil.com'$ -+ pos = critical ? 2 : 1$ -+ ext_asn1.value[pos].value = san_list_asn1.to_der$ -+ real_ext = OpenSSL::X509::Extension.new ext_asn1$ -+ cert.add_extension(real_ext)$ -+ cert$ -+ end$ -+$ ++ def test_verify_certificate_identity ++ [true, false].each do |criticality| ++ cert = create_null_byte_SAN_certificate(criticality) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1')) ++ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17')) ++ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17')) ++ end ++ end ++ ++ # Create NULL byte SAN certificate ++ def create_null_byte_SAN_certificate(critical = false) ++ ef = OpenSSL::X509::ExtensionFactory.new ++ cert = OpenSSL::X509::Certificate.new ++ cert.subject = OpenSSL::X509::Name.parse "/DC=some/DC=site/CN=Some Site" ++ ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17', critical) ++ ext_asn1 = OpenSSL::ASN1.decode(ext.to_der) ++ san_list_der = ext_asn1.value.reduce(nil) { |memo,val| val.tag == 4 ? val.value : memo } ++ san_list_asn1 = OpenSSL::ASN1.decode(san_list_der) ++ san_list_asn1.value[0].value = 'www.example.com\0.evil.com' ++ pos = critical ? 2 : 1 ++ ext_asn1.value[pos].value = san_list_asn1.to_der ++ real_ext = OpenSSL::X509::Extension.new ext_asn1 ++ cert.add_extension(real_ext) ++ cert ++ end ++ end end diff -Nru ruby1.8-1.8.7.358/debian/patches/CVE-2013-4164.patch ruby1.8-1.8.7.358/debian/patches/CVE-2013-4164.patch --- ruby1.8-1.8.7.358/debian/patches/CVE-2013-4164.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby1.8-1.8.7.358/debian/patches/CVE-2013-4164.patch 2013-12-01 23:21:31.000000000 -0300 @@ -0,0 +1,74 @@ +Description: Fix Heap Overflow in Floating Point Parsing + This vulnerability is tracked with CVE-2013-4164. + . + https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/ +Origin: backport, https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43776/diff + https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43782/diff +Bug-Debian: http://bugs.debian.org/730189 +Forwarded: not-needed +Applied-Upstream: 1.9.3-p484, 2.0.0-p353 +Last-Update: 2013-11-29 + +--- a/util.c ++++ b/util.c +@@ -892,6 +892,11 @@ extern void *MALLOC(size_t); + #else + #define MALLOC malloc + #endif ++#ifdef FREE ++extern void FREE(void*); ++#else ++#define FREE free ++#endif + + #ifndef Omit_Private_Memory + #ifndef PRIVATE_MEM +@@ -1176,7 +1181,7 @@ Balloc(int k) + #endif + + ACQUIRE_DTOA_LOCK(0); +- if ((rv = freelist[k]) != 0) { ++ if (k <= Kmax && (rv = freelist[k]) != 0) { + freelist[k] = rv->next; + } + else { +@@ -1186,7 +1191,7 @@ Balloc(int k) + #else + len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1) + /sizeof(double); +- if (pmem_next - private_mem + len <= PRIVATE_mem) { ++ if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) { + rv = (Bigint*)pmem_next; + pmem_next += len; + } +@@ -1205,6 +1210,10 @@ static void + Bfree(Bigint *v) + { + if (v) { ++ if (v->k > Kmax) { ++ FREE(v); ++ return; ++ } + ACQUIRE_DTOA_LOCK(0); + v->next = freelist[v->k]; + freelist[v->k] = v; +@@ -2200,6 +2209,7 @@ break2: + for (; c >= '0' && c <= '9'; c = *++s) { + have_dig: + nz++; ++ if (nf > DBL_DIG * 4) continue; + if (c -= '0') { + nf += nz; + for (i = 1; i < nz; i++) +--- a/test/ruby/test_float.rb ++++ b/test/ruby/test_float.rb +@@ -171,4 +171,9 @@ class TestFloat < Test::Unit::TestCase + assert_raise(ArgumentError) { 1.0 < nil } + assert_raise(ArgumentError) { 1.0 <= nil } + end ++ ++ def test_long_string ++ assert(10.0 - ("1."+"1"*300000).to_f*9 < 0.000001) ++ end ++ + end diff -Nru ruby1.8-1.8.7.358/debian/patches/series ruby1.8-1.8.7.358/debian/patches/series --- ruby1.8-1.8.7.358/debian/patches/series 2013-07-08 11:37:30.000000000 -0300 +++ ruby1.8-1.8.7.358/debian/patches/series 2013-12-01 23:19:56.000000000 -0300 @@ -16,3 +16,4 @@ CVE-2012-4481.patch CVE-2013-1821.patch CVE-2013-4073.patch +CVE-2013-4164.patch
diff -Nru ruby1.9.1-1.9.2.0/debian/changelog ruby1.9.1-1.9.2.0/debian/changelog --- ruby1.9.1-1.9.2.0/debian/changelog 2013-08-07 16:56:56.000000000 -0300 +++ ruby1.9.1-1.9.2.0/debian/changelog 2013-12-01 19:47:32.000000000 -0300 @@ -1,3 +1,11 @@ +ruby1.9.1 (1.9.2.0-2+deb6u2) oldstable-security; urgency=high + + [ Raphaël Hertzog ] + * debian/patches/CVE-2013-4164.patch: add upstream patch to fix heap + overflow in floating point parsing. Closes: #730178 + + -- Antonio Terceiro <terce...@debian.org> Sun, 01 Dec 2013 19:47:31 -0300 + ruby1.9.1 (1.9.2.0-2+deb6u1) oldstable-security; urgency=high * Team upload diff -Nru ruby1.9.1-1.9.2.0/debian/gbp.conf ruby1.9.1-1.9.2.0/debian/gbp.conf --- ruby1.9.1-1.9.2.0/debian/gbp.conf 1969-12-31 21:00:00.000000000 -0300 +++ ruby1.9.1-1.9.2.0/debian/gbp.conf 2013-12-01 19:49:49.000000000 -0300 @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch=squeeze +upstream-branch=upstream-squeeze diff -Nru ruby1.9.1-1.9.2.0/debian/patches/CVE-2013-4164.patch ruby1.9.1-1.9.2.0/debian/patches/CVE-2013-4164.patch --- ruby1.9.1-1.9.2.0/debian/patches/CVE-2013-4164.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby1.9.1-1.9.2.0/debian/patches/CVE-2013-4164.patch 2013-12-01 19:40:51.000000000 -0300 @@ -0,0 +1,80 @@ +Description: Fix Heap Overflow in Floating Point Parsing + This vulnerability is tracked with CVE-2013-4164. + . + https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/ +Origin: upstream, https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43776/diff +Bug-Debian: http://bugs.debian.org/730178 +Forwarded: not-needed +Applied-Upstream: 1.9.3-p484, 2.0.0-p353 +Last-Update: 2013-11-29 + +--- a/util.c ++++ b/util.c +@@ -852,6 +852,11 @@ extern void *MALLOC(size_t); + #else + #define MALLOC malloc + #endif ++#ifdef FREE ++extern void FREE(void*); ++#else ++#define FREE free ++#endif + + #ifndef Omit_Private_Memory + #ifndef PRIVATE_MEM +@@ -1142,7 +1147,7 @@ Balloc(int k) + #endif + + ACQUIRE_DTOA_LOCK(0); +- if ((rv = freelist[k]) != 0) { ++ if (k <= Kmax && (rv = freelist[k]) != 0) { + freelist[k] = rv->next; + } + else { +@@ -1152,7 +1157,7 @@ Balloc(int k) + #else + len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1) + /sizeof(double); +- if (pmem_next - private_mem + len <= PRIVATE_mem) { ++ if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) { + rv = (Bigint*)pmem_next; + pmem_next += len; + } +@@ -1171,6 +1176,10 @@ static void + Bfree(Bigint *v) + { + if (v) { ++ if (v->k > Kmax) { ++ FREE(v); ++ return; ++ } + ACQUIRE_DTOA_LOCK(0); + v->next = freelist[v->k]; + freelist[v->k] = v; +@@ -2201,6 +2210,7 @@ break2: + for (; c >= '0' && c <= '9'; c = *++s) { + have_dig: + nz++; ++ if (nf > DBL_DIG * 4) continue; + if (c -= '0') { + nf += nz; + for (i = 1; i < nz; i++) +--- a/test/ruby/test_float.rb ++++ b/test/ruby/test_float.rb +@@ -450,4 +450,16 @@ class TestFloat < Test::Unit::TestCase + sleep(0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1) + end + end ++ ++ def test_long_string ++ assert_normal_exit(<<-'end;') ++ assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9) ++ end; ++ end ++ ++ def test_long_string ++ assert_normal_exit(<<-'end;') ++ assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9) ++ end; ++ end + end diff -Nru ruby1.9.1-1.9.2.0/debian/patches/series ruby1.9.1-1.9.2.0/debian/patches/series --- ruby1.9.1-1.9.2.0/debian/patches/series 2013-08-07 15:27:59.000000000 -0300 +++ ruby1.9.1-1.9.2.0/debian/patches/series 2013-12-01 19:40:51.000000000 -0300 @@ -27,3 +27,4 @@ 20100829-rubygems_default_dir.diff CVE-2013-1821.patch CVE-2013-4073.patch +CVE-2013-4164.patch
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog --- ruby1.9.1-1.9.3.194/debian/changelog 2013-08-06 12:43:31.000000000 -0300 +++ ruby1.9.1-1.9.3.194/debian/changelog 2013-12-01 23:28:35.000000000 -0300 @@ -1,3 +1,11 @@ +ruby1.9.1 (1.9.3.194-8.1+deb7u2) stable-security; urgency=low + + [ Raphaël Hertzog ] + * debian/patches/CVE-2013-4164.patch: add upstream patch to fix heap + overflow in floating point parsing. Closes: #730178 + + -- Antonio Terceiro <terce...@debian.org> Sun, 01 Dec 2013 23:28:34 -0300 + ruby1.9.1 (1.9.3.194-8.1+deb7u1) stable-security; urgency=low * debian/patches/CVE-2013-2065.patch: add upstream patch to fix object taint diff -Nru ruby1.9.1-1.9.3.194/debian/gbp.conf ruby1.9.1-1.9.3.194/debian/gbp.conf --- ruby1.9.1-1.9.3.194/debian/gbp.conf 1969-12-31 21:00:00.000000000 -0300 +++ ruby1.9.1-1.9.3.194/debian/gbp.conf 2013-12-01 23:28:06.000000000 -0300 @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch=wheezy +upstream-branch=upstream-wheezy diff -Nru ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-4164.patch ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-4164.patch --- ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-4164.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-4164.patch 2013-12-01 23:28:06.000000000 -0300 @@ -0,0 +1,80 @@ +Description: Fix Heap Overflow in Floating Point Parsing + This vulnerability is tracked with CVE-2013-4164. + . + https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/ +Origin: upstream, https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43776/diff +Bug-Debian: http://bugs.debian.org/730178 +Forwarded: not-needed +Applied-Upstream: 1.9.3-p484, 2.0.0-p353 +Last-Update: 2013-11-29 + +--- a/util.c ++++ b/util.c +@@ -852,6 +852,11 @@ extern void *MALLOC(size_t); + #else + #define MALLOC malloc + #endif ++#ifdef FREE ++extern void FREE(void*); ++#else ++#define FREE free ++#endif + + #ifndef Omit_Private_Memory + #ifndef PRIVATE_MEM +@@ -1142,7 +1147,7 @@ Balloc(int k) + #endif + + ACQUIRE_DTOA_LOCK(0); +- if ((rv = freelist[k]) != 0) { ++ if (k <= Kmax && (rv = freelist[k]) != 0) { + freelist[k] = rv->next; + } + else { +@@ -1152,7 +1157,7 @@ Balloc(int k) + #else + len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1) + /sizeof(double); +- if (pmem_next - private_mem + len <= PRIVATE_mem) { ++ if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) { + rv = (Bigint*)pmem_next; + pmem_next += len; + } +@@ -1171,6 +1176,10 @@ static void + Bfree(Bigint *v) + { + if (v) { ++ if (v->k > Kmax) { ++ FREE(v); ++ return; ++ } + ACQUIRE_DTOA_LOCK(0); + v->next = freelist[v->k]; + freelist[v->k] = v; +@@ -2231,6 +2240,7 @@ break2: + for (; c >= '0' && c <= '9'; c = *++s) { + have_dig: + nz++; ++ if (nf > DBL_DIG * 4) continue; + if (c -= '0') { + nf += nz; + for (i = 1; i < nz; i++) +--- a/test/ruby/test_float.rb ++++ b/test/ruby/test_float.rb +@@ -519,4 +519,16 @@ class TestFloat < Test::Unit::TestCase + sleep(0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1) + end + end ++ ++ def test_long_string ++ assert_normal_exit(<<-'end;') ++ assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9) ++ end; ++ end ++ ++ def test_long_string ++ assert_normal_exit(<<-'end;') ++ assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9) ++ end; ++ end + end diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series --- ruby1.9.1-1.9.3.194/debian/patches/series 2013-08-06 12:43:31.000000000 -0300 +++ ruby1.9.1-1.9.3.194/debian/patches/series 2013-12-01 21:58:20.000000000 -0300 @@ -24,3 +24,4 @@ CVE-2013-1821.patch CVE-2013-2065.patch CVE-2013-4073.patch +CVE-2013-4164.patch
signature.asc
Description: Digital signature