Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
On my Debian Jessie machine, a security issue from 2009 is reported by debsecan, <URL: https://security-tracker.debian.org/tracker/CVE-2009-5147 >. The issue was fixed in Squeeze by the LTS team (DLA-299-1), but has not yet been fixed in Jessie. I would like to get it fixed, to get it out of my debsecan list.

The attached patch is based on the squeeze patch (had to refresh it), and should solve the problem.

I asked on #debian-security how to best get this solved, and Salvatore Bonaccorso (carnil) said the security team did not plan to upload a DSA, so I should use the procedure from <URL: https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable > to fix it.

Is it OK to upload the fix for stable?

-- System Information:
Debian Release: 8.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=no_NO (charmap=locale: Cannot set LC_MESSAGES to default locale: No such file or directory locale: Cannot set LC_ALL to default locale: No such file or directory ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru ruby2.1-2.1.5/debian/changelog ruby2.1-2.1.5/debian/changelog --- ruby2.1-2.1.5/debian/changelog 2015-07-30 14:02:04.000000000 +0200 +++ ruby2.1-2.1.5/debian/changelog 2016-06-04 19:00:48.000000000 +0200 @@ -1,3 +1,11 @@ +ruby2.1 (2.1.5-2+deb8u3) jessie; urgency=medium + + * Non-maintainer upload to fix security problem. + * Fix CVE-2009-5147: DL::dlopen could open a library with tainted + library name. Based on patch used in DLA-299-1. + + -- Petter Reinholdtsen <p...@debian.org> Sat, 04 Jun 2016 18:59:31 +0200 + ruby2.1 (2.1.5-2+deb8u2) jessie; urgency=high * Apply upstream patches to fix Request hijacking vulnerability in Rubygems diff -Nru ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch --- ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby2.1-2.1.5/debian/patches/CVE-2009-5147.patch 2016-06-04 19:38:20.000000000 +0200 
@@ -0,0 +1,31 @@ +Description: CVE-2009-5147: DL::dlopen could open a library with tainted library name +Origin: upstream, https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b +Reviewed-by: Santiago R.R. <santiag...@riseup.net> + +Index: ruby2.1-2.1.5/ext/dl/handle.c +=================================================================== +--- ruby2.1-2.1.5.orig/ext/dl/handle.c 2016-06-04 19:38:16.133297957 +0200 ++++ ruby2.1-2.1.5/ext/dl/handle.c 2016-06-04 19:38:16.129297922 +0200 +@@ -5,6 +5,8 @@ + #include <ruby.h> + #include "dl.h" + ++#define SafeStringValuePtr(v) (rb_string_value(&v), rb_check_safe_obj(v), RSTRING_PTR(v)) ++ + VALUE rb_cDLHandle; + + #ifdef _WIN32 +@@ -132,11 +134,11 @@ + cflag = RTLD_LAZY | RTLD_GLOBAL; + break; + case 1: +- clib = NIL_P(lib) ? NULL : StringValuePtr(lib); ++ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib); + cflag = RTLD_LAZY | RTLD_GLOBAL; + break; + case 2: +- clib = NIL_P(lib) ? NULL : StringValuePtr(lib); ++ clib = NIL_P(lib) ? NULL : SafeStringValuePtr(lib); + cflag = NUM2INT(flag); + break; + default: diff -Nru ruby2.1-2.1.5/debian/patches/series ruby2.1-2.1.5/debian/patches/series --- ruby2.1-2.1.5/debian/patches/series 2015-08-26 01:53:36.000000000 +0200 +++ ruby2.1-2.1.5/debian/patches/series 2016-06-04 18:52:43.000000000 +0200 @@ -1 +1,2 @@ debian-changes +CVE-2009-5147.patch
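Review bot: in the first hunk of CVE-2009-5147.patch, the new `SafeStringValuePtr(v)` macro evaluates its argument three times and takes its address (`rb_string_value(&v)`), so it is only correct with an lvalue; both call sites in the second hunk pass the local `lib`, which is fine, but a short comment above the `#define` saying so would keep a future caller from passing an expression. The macro is the whole of the fix: `rb_check_safe_obj(v)` rejects a tainted string only when `$SAFE` is raised above 0, which matches the DLA-299-1 behaviour described in the changelog entry, so the changelog wording "could open a library with tainted library name" is accurate as written. The series and changelog hunks look right for a jessie proposed update (`2.1.5-2+deb8u3`, patch appended after `debian-changes`).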