Package: rubygems
Version: 1.8.24-1
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu quantal ubuntu-patch
Dear Maintainer,
While I was preparing an Ubuntu rubygems update for CVE-2012-2126, I
noticed that rubygems-1.8.24-1 included its own trusted CA certificate
bundle, rather than using the bundle from ca-certificates, to do server
certificate verification in the gem fetcher.
In Ubuntu, the attached patch was applied to achieve the following:
* Make the RubyGems fetcher use distro-provided ca-certificates
  (LP: #1057926)
  - debian/control: Add ca-certificates to rubygems depends so that
    rubygems can perform certificate verification
  - debian/rules: Don't install SSL certificates from upstream sources
  - debian/patches/20120927-disable_upstream_certs.patch: Use
    /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers quantal-updates
APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.5.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru rubygems-1.8.24/debian/changelog rubygems-1.8.24/debian/changelog
diff -Nru rubygems-1.8.24/debian/control rubygems-1.8.24/debian/control
--- rubygems-1.8.24/debian/control 2012-06-09 06:44:27.000000000 -0700
+++ rubygems-1.8.24/debian/control 2012-09-28 14:18:32.000000000 -0700
@@ -14,7 +14,7 @@
Package: rubygems
Architecture: all
XB-Ruby-Versions: ${ruby:Versions}
-Depends: ${misc:Depends}, ruby1.8
+Depends: ca-certificates, ${misc:Depends}, ruby1.8
Recommends: ruby1.8-dev, build-essential
Replaces: rubygems1.8 (<< 1.7.2-1~), rubygems-doc (<< 1.7.2-1~)
Conflicts: rubygems1.8 (<< 1.7.2-1~), rubygems-doc (<< 1.7.2-1~)
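Review bot: Depends (not Recommends) is the right strength for ca-certificates in this hunk, because the remote_fetcher.rb change in this same series only calls `store.add_file BuiltinSSLCerts` when `File.file? BuiltinSSLCerts` holds; with the package absent the trust store would be empty and every HTTPS gem fetch would fail verification with no indication of the cause. A short comment in debian/control or the changelog pointing out that coupling would stop a later maintainer from relaxing the dependency without also revisiting the fetcher patch.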
diff -Nru rubygems-1.8.24/debian/patches/20120927-disable_upstream_certs.patch rubygems-1.8.24/debian/patches/20120927-disable_upstream_certs.patch
--- rubygems-1.8.24/debian/patches/20120927-disable_upstream_certs.patch 1969-12-31 16:00:00.000000000 -0800
+++ rubygems-1.8.24/debian/patches/20120927-disable_upstream_certs.patch 2012-09-27 12:12:57.000000000 -0700
@@ -0,0 +1,30 @@
+Description: Use the certificates maintained by the distro
+ Rather than using the certificates packaged in the upstream sources to verify
+ server SSL certificates, use the certificates provided by the ca-certificates
+ package.
+Author: Tyler Hicks <[email protected]>
+Forwarded: not-needed
+Index: rubygems-1.8.24/lib/rubygems/remote_fetcher.rb
+===================================================================
+--- rubygems-1.8.24.orig/lib/rubygems/remote_fetcher.rb 2012-04-27 16:15:17.000000000 -0700
++++ rubygems-1.8.24/lib/rubygems/remote_fetcher.rb 2012-09-27 12:12:53.970805064 -0700
+@@ -8,7 +8,7 @@
+
+ class Gem::RemoteFetcher
+
+- BuiltinSSLCerts = File.expand_path("./ssl_certs/*.pem", File.dirname(__FILE__))
++ BuiltinSSLCerts = "/etc/ssl/certs/ca-certificates.crt"
+
+ include Gem::UserInteraction
+
+@@ -365,8 +365,8 @@
+ end
+
+ def add_rubygems_trusted_certs(store)
+- Dir.glob(BuiltinSSLCerts).each do |ssl_cert_file|
+- store.add_file ssl_cert_file
++ if File.file? BuiltinSSLCerts
++ store.add_file BuiltinSSLCerts
+ end
+ end
+
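Review bot: `if File.file? BuiltinSSLCerts` / `store.add_file BuiltinSSLCerts` / `end` turns a missing /etc/ssl/certs/ca-certificates.crt into a silent no-op: the store ends up with no trust anchors and the user later sees only a generic certificate-verify failure. Since Gem::RemoteFetcher already includes Gem::UserInteraction, an `else` branch that calls `alert_warning` naming the missing bundle would make the cause visible without changing the fail-closed behaviour. As a style point, the constant is no longer "builtin" once it reads `BuiltinSSLCerts = "/etc/ssl/certs/ca-certificates.crt"`; a one-line comment (or a rename) would spare the next reader a search for a bundled ssl_certs directory that debian/rules now deletes.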
diff -Nru rubygems-1.8.24/debian/patches/series rubygems-1.8.24/debian/patches/series
--- rubygems-1.8.24/debian/patches/series 2012-06-09 06:44:27.000000000 -0700
+++ rubygems-1.8.24/debian/patches/series 2012-09-27 12:23:22.000000000 -0700
@@ -5,3 +5,4 @@
fix-shebang.diff
20120608-fix-test_gem_platform.rb.diff
20120608-fix-assert_match.diff
+20120927-disable_upstream_certs.patch
diff -Nru rubygems-1.8.24/debian/rules rubygems-1.8.24/debian/rules
--- rubygems-1.8.24/debian/rules 2012-06-09 06:44:27.000000000 -0700
+++ rubygems-1.8.24/debian/rules 2012-09-27 20:37:45.000000000 -0700
@@ -25,6 +25,8 @@
override_dh_auto_install:
dh_auto_install
+ # Do not install the SSL certs bundled in the upstream source
+ rm -rf debian/rubygems/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs
mv debian/rubygems/usr/bin/gem debian/rubygems/usr/bin/gem1.8
rm debian/rubygems/usr/bin/update_rubygems # not needed
# we don't want to share rubygems with 1.9.
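Review bot: `rm -rf debian/rubygems/usr/lib/ruby/vendor_ruby/rubygems/ssl_certs` succeeds silently if that install path ever changes, so a future layout change would quietly ship the upstream bundle again, contrary to the stated intent of the hunk (harmless for verification, since the patched fetcher no longer reads that directory, but confusing to audit). Dropping `-f` (or guarding with `test -d`) would make the build fail loudly instead of hiding the drift.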
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
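The behaviour the patch changes, as an added example that is not part of this bug report or of RubyGems itself: it builds an OpenSSL::X509::Store from a single PEM bundle file the way the patched add_rubygems_trusted_certs does with /etc/ssl/certs/ca-certificates.crt, and contrasts three outcomes for a server certificate: bundle present, store left empty (what the patch's silent fall-through produces when the bundle is missing), and bundle path missing. The two CAs, the leaf certificate, the temporary bundle file and every helper name (build_trust_store, verify_server_cert, make_cert, demo_pki, run_scenarios) are constructed here for the demonstration and do not come from the page.

```ruby
require "openssl"
require "tempfile"

# Path hard-coded by the Debian/Ubuntu patch for the distro-maintained bundle.
DISTRO_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Build an X509 trust store from one PEM bundle file (the ca-certificates layout).
# Unlike the patched add_rubygems_trusted_certs, a missing bundle raises here
# instead of silently leaving the store empty.
def build_trust_store(bundle_path = DISTRO_CA_BUNDLE)
  unless File.file?(bundle_path)
    raise ArgumentError, "CA bundle #{bundle_path} not found; is ca-certificates installed?"
  end
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path) # loads every PEM certificate in the file, not just the first
  store
end

# Verify a server certificate against a store; returns [ok, error_string_or_nil].
def verify_server_cert(store, cert)
  ok = store.verify(cert)
  [ok, ok ? nil : store.error_string]
end

# --- constructed test PKI (assumption: throwaway certificates, not real ones) ---

# Mint a certificate; with no issuer it is self-signed.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Write a two-CA bundle file plus a leaf issued by the second CA, mirroring a
# ca-certificates.crt in which the relevant issuer is not the first entry.
def demo_pki
  other_key = OpenSSL::PKey::RSA.new(2048)
  other_ca  = make_cert("/CN=Constructed Unrelated CA", other_key, ca: true, serial: 1)
  ca_key    = OpenSSL::PKey::RSA.new(2048)
  ca        = make_cert("/CN=Constructed Gem Mirror CA", ca_key, ca: true, serial: 2)
  leaf_key  = OpenSSL::PKey::RSA.new(2048)
  leaf      = make_cert("/CN=gems.example.test", leaf_key, issuer: ca, issuer_key: ca_key, serial: 3)
  bundle = Tempfile.new(["ca-certificates", ".crt"])
  bundle.write(other_ca.to_pem + ca.to_pem)
  bundle.flush
  { bundle: bundle, leaf: leaf }
end

# Three scenarios: bundle present, store empty (the patch's silent fall-through
# when the bundle is absent), and bundle path missing (raises here).
def run_scenarios
  pki = demo_pki
  with_bundle, _ = verify_server_cert(build_trust_store(pki[:bundle].path), pki[:leaf])
  empty_ok, empty_err = verify_server_cert(OpenSSL::X509::Store.new, pki[:leaf])
  missing = begin
    build_trust_store("/nonexistent/ca-certificates.crt")
    :no_error
  rescue ArgumentError => e
    e.message
  end
  { with_bundle: with_bundle, empty_store: empty_ok, empty_error: empty_err, missing: missing }
ensure
  pki[:bundle].close! if pki
end

if __FILE__ == $0
  run_scenarios.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The empty-store scenario is the one the patch leaves open: verification is still fail-closed, but the only diagnostic is OpenSSL's "unable to get local issuer certificate", which says nothing about the missing package. On a host that has ca-certificates installed, calling build_trust_store with no argument uses the real distro bundle.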