Ruby 1.9.1 Squeeze package for test

2015-06-24 Thread Santiago Ruano Rincón
Hi there,

I've prepared a ruby 1.9.1 package to fix the two open CVEs
CVE-2012-5371 and CVE-2013-0269. As usual, tests are more than welcome.
The package is available at the repository:

deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/

Debdiff against current package attached.

Cheers,

Santiago

diff -Nru ruby1.9.1-1.9.2.0/debian/changelog ruby1.9.1-1.9.2.0/debian/changelog
--- ruby1.9.1-1.9.2.0/debian/changelog	2015-05-30 19:47:29.0 +0200
+++ ruby1.9.1-1.9.2.0/debian/changelog	2015-06-23 23:04:10.0 +0200
@@ -1,3 +1,16 @@
+ruby1.9.1 (1.9.2.0-2+deb6u5~2) santiago-squeeze-lts; urgency=medium
+
+  * Non-maintainer upload by the Squeeze LTS Team.
+  * Fix CVE-2012-5371, Ruby computed hash values without properly restricting the
+ability to trigger hash collisions predictably, allowing context-dependent
+attackers to cause a denial of service (CPU consumption).
+  * Fix CVE-2013-0269, the JSON gem before allows remote attackers to cause a denial of
+service (resource consumption) or bypass the mass assignment protection
+mechanism via a crafted JSON document that triggers the creation of arbitrary
+Ruby symbols or certain internal objects.
+
+ -- Santiago Ruano Rincón   Tue, 23 Jun 2015 22:47:39 +0200
+
 ruby1.9.1 (1.9.2.0-2+deb6u4) squeeze-lts; urgency=high
 
   * Non-maintainer upload by the Squeeze LTS Team.
diff -Nru ruby1.9.1-1.9.2.0/debian/patches/CVE-2012-5371.patch ruby1.9.1-1.9.2.0/debian/patches/CVE-2012-5371.patch
--- ruby1.9.1-1.9.2.0/debian/patches/CVE-2012-5371.patch	1970-01-01 01:00:00.0 +0100
+++ ruby1.9.1-1.9.2.0/debian/patches/CVE-2012-5371.patch	2015-06-23 22:46:32.0 +0200
@@ -0,0 +1,625 @@
+Description: replace hash implementation to avoid DOS attacks
+ This patch fixes CVE-2012-5371
+Bug-Debian: http://bugs.debian.org/693024
+Origin: upstream, https://github.com/ruby/ruby/commit/5e45af463cca6f062a986d5e686350e17ea653bb
+Backported-By: James Healy 
+Reviewed-By: Antonio Terceiro 
+
+--- a/common.mk
 b/common.mk
+@@ -584,7 +584,8 @@
+ process.$(OBJEXT): {$(VPATH)}process.c $(RUBY_H_INCLUDES) \
+   {$(VPATH)}util.h {$(VPATH)}io.h $(ENCODING_H_INCLUDES) {$(VPATH)}dln.h \
+   $(VM_CORE_H_INCLUDES) {$(VPATH)}debug.h
+-random.$(OBJEXT): {$(VPATH)}random.c $(RUBY_H_INCLUDES)
++random.$(OBJEXT): {$(VPATH)}random.c $(RUBY_H_INCLUDES) \
++  {$(VPATH)}siphash.c {$(VPATH)}siphash.h
+ range.$(OBJEXT): {$(VPATH)}range.c $(RUBY_H_INCLUDES) \
+   $(ENCODING_H_INCLUDES)
+ rational.$(OBJEXT): {$(VPATH)}rational.c $(RUBY_H_INCLUDES)
+--- a/random.c
 b/random.c
+@@ -1146,7 +1146,15 @@
+ return r;
+ }
+ 
++#define SIP_HASH_STREAMING 0
++#define sip_hash24 ruby_sip_hash24
++#include "siphash.c"
++
+ static st_index_t hashseed;
++static union {
++uint8_t key[16];
++uint32_t u32[(16 * sizeof(uint8_t) - 1) / sizeof(uint32_t)];
++} sipseed;
+ 
+ static VALUE
+ init_randomseed(struct MT *mt, unsigned int initial[DEFAULT_SEED_CNT])
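Review bot: The `sipseed` union added in this hunk sizes `u32` as `(16 * sizeof(uint8_t) - 1) / sizeof(uint32_t)`, which evaluates to 3, so the seeding loop in the `@@ -1181,6 +1190,9 @@` hunk (`for (i = 0; i < numberof(sipseed.u32); ++i)`) fills only the first 12 of the 16 `key` bytes and `key[12..15]` keep their static zero value. The key handed to `sip_hash24()` in the `rb_memhash` hunk therefore carries 96 rather than 128 bits of per-process seed, which narrows the collision-resistance margin this backport is meant to restore, even though the remaining bits are still secret. Declaring it as `uint32_t u32[16 / sizeof(uint32_t)];` (or appending `+ 1` to the existing expression) makes the loop cover the whole key, and a short comment such as `/* sized so the seeding loop fills all 16 SipHash key bytes */` would document the intent. This looks carried over from the upstream commit named in the patch header rather than introduced by the backport, so it may be worth reporting there as well.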
+@@ -1166,6 +1174,7 @@
+ unsigned int initial[DEFAULT_SEED_CNT];
+ struct MT *mt = &r->mt;
+ VALUE seed = init_randomseed(mt, initial);
++int i;
+ 
+ hashseed = genrand_int32(mt);
+ #if SIZEOF_ST_INDEX_T*CHAR_BIT > 4*8
+@@ -1181,6 +1190,9 @@
+ hashseed |= genrand_int32(mt);
+ #endif
+ 
++for (i = 0; i < numberof(sipseed.u32); ++i)
++	sipseed.u32[i] = genrand_int32(mt);
++
+ rb_global_variable(&r->seed);
+ r->seed = seed;
+ }
+@@ -1191,6 +1203,17 @@
+ return st_hash_start(hashseed + h);
+ }
+ 
++st_index_t
++rb_memhash(const void *ptr, long len)
++{
++sip_uint64_t h = sip_hash24(sipseed.key, ptr, len);
++#ifdef HAVE_UINT64_T
++return (st_index_t)h;
++#else
++return (st_index_t)(h.u32[0] ^ h.u32[1]);
++#endif
++}
++
+ static void
+ Init_RandomSeed2(void)
+ {
+--- /dev/null
 b/siphash.c
+@@ -0,0 +1,483 @@
++#include 
++#include 
++#include "siphash.h"
++#ifndef SIP_HASH_STREAMING
++  #define SIP_HASH_STREAMING 1
++#endif
++
++#ifdef _WIN32
++  #define BYTE_ORDER __LITTLE_ENDIAN
++#elif !defined BYTE_ORDER
++  #include 
++#endif
++#ifndef LITTLE_ENDIAN
++#define LITTLE_ENDIAN __LITTLE_ENDIAN
++#endif
++#ifndef BIG_ENDIAN
++#define BIG_ENDIAN __BIG_ENDIAN
++#endif
++
++#if BYTE_ORDER == LITTLE_ENDIAN
++  #define lo u32[0]
++  #define hi u32[1]
++#elif BYTE_ORDER == BIG_ENDIAN
++  #define hi u32[0]
++  #define lo u32[1]
++#else
++  #error "Only strictly little or big endian supported"
++#endif
++
++#ifndef UNALIGNED_WORD_ACCESS
++# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
++ defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD86) || \
++ defined(__mc68020__)
++#   define UNALIGNED_WORD_ACCESS 1
++# endif
++#endif
++#ifndef UNALIGNED_WORD_ACCESS
++# define UNALIGNED_WORD_ACCESS 0
++#endif
++
++#define U8TO32_LE(p) 		\
++(((uint32_t)((p)[0])   ) | ((uint32_t)((p)[1]) <<  8) |  	\
++ ((uint32_t)((p)[2]) <<  16) | ((uint32_t)((p)[3]) << 24))		\
++
++#define U32TO8_LE(p, v)			\
++do {	\

Re: Ruby 1.9.1 Squeeze package for test

2015-06-26 Thread Guido Günther
Hi Santiago,
On Wed, Jun 24, 2015 at 10:16:08PM +0200, Santiago Ruano Rincón wrote:
> Hi there,
> 
> I've prepared a ruby 1.9.1 package to fix the two open CVEs
> CVE-2012-5371 and CVE-2013-0269. As usual, test are more than welcome.
> The package is available at the repository:
> 
> deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/
> 
> Debdiff against current package attached.
> 
> Cheers,
> 
> Santiago
> 

> diff -Nru ruby1.9.1-1.9.2.0/debian/changelog 
> ruby1.9.1-1.9.2.0/debian/changelog
> --- ruby1.9.1-1.9.2.0/debian/changelog2015-05-30 19:47:29.0 
> +0200
> +++ ruby1.9.1-1.9.2.0/debian/changelog2015-06-23 23:04:10.0 
> +0200
> @@ -1,3 +1,16 @@
> +ruby1.9.1 (1.9.2.0-2+deb6u5~2) santiago-squeeze-lts; urgency=medium
> +
> +  * Non-maintainer upload by the Squeeze LTS Team.
> +  * Fix CVE-2012-5371, Ruby computed hash values without properly 
> restricting the
> +ability to trigger hash collisions predictably, allowing 
> context-dependent
> +attackers to cause a denial of service (CPU consumption).
> +  * Fix CVE-2013-0269, the JSON gem before allows remote attackers to cause 
> a denial of
> +service (resource consumption) or bypass the mass assignment protection
> +mechanism via a crafted JSON document that triggers the creation of 
> arbitrary
> +Ruby symbols or certain internal objects.
> +
> + -- Santiago Ruano Rincón   Tue, 23 Jun 2015 22:47:39 
> +0200
> +
>  ruby1.9.1 (1.9.2.0-2+deb6u4) squeeze-lts; urgency=high
>  
>* Non-maintainer upload by the Squeeze LTS Team.
> diff -Nru ruby1.9.1-1.9.2.0/debian/patches/CVE-2012-5371.patch 
> ruby1.9.1-1.9.2.0/debian/patches/CVE-2012-5371.patch
> --- ruby1.9.1-1.9.2.0/debian/patches/CVE-2012-5371.patch  1970-01-01 
> 01:00:00.0 +0100
> +++ ruby1.9.1-1.9.2.0/debian/patches/CVE-2012-5371.patch  2015-06-23 
> 22:46:32.0 +0200
> @@ -0,0 +1,625 @@
> +Description: replace hash implementation to avoid DOS attacks
> + This patch fixes CVE-2012-5371
> +Bug-Debian: http://bugs.debian.org/693024
> +Origin: upstream, 
> https://github.com/ruby/ruby/commit/5e45af463cca6f062a986d5e686350e17ea653bb
> +Backported-By: James Healy 
> +Reviewed-By: Antonio Terceiro 
> +
> +--- a/common.mk
>  b/common.mk
> +@@ -584,7 +584,8 @@
> + process.$(OBJEXT): {$(VPATH)}process.c $(RUBY_H_INCLUDES) \
> +   {$(VPATH)}util.h {$(VPATH)}io.h $(ENCODING_H_INCLUDES) {$(VPATH)}dln.h \
> +   $(VM_CORE_H_INCLUDES) {$(VPATH)}debug.h
> +-random.$(OBJEXT): {$(VPATH)}random.c $(RUBY_H_INCLUDES)
> ++random.$(OBJEXT): {$(VPATH)}random.c $(RUBY_H_INCLUDES) \
> ++  {$(VPATH)}siphash.c {$(VPATH)}siphash.h
> + range.$(OBJEXT): {$(VPATH)}range.c $(RUBY_H_INCLUDES) \
> +   $(ENCODING_H_INCLUDES)
> + rational.$(OBJEXT): {$(VPATH)}rational.c $(RUBY_H_INCLUDES)
> +--- a/random.c
>  b/random.c
> +@@ -1146,7 +1146,15 @@
> + return r;
> + }
> + 
> ++#define SIP_HASH_STREAMING 0
> ++#define sip_hash24 ruby_sip_hash24
> ++#include "siphash.c"
> ++
> + static st_index_t hashseed;
> ++static union {
> ++uint8_t key[16];
> ++uint32_t u32[(16 * sizeof(uint8_t) - 1) / sizeof(uint32_t)];
> ++} sipseed;
> + 
> + static VALUE
> + init_randomseed(struct MT *mt, unsigned int initial[DEFAULT_SEED_CNT])
> +@@ -1166,6 +1174,7 @@
> + unsigned int initial[DEFAULT_SEED_CNT];
> + struct MT *mt = &r->mt;
> + VALUE seed = init_randomseed(mt, initial);
> ++int i;
> + 
> + hashseed = genrand_int32(mt);
> + #if SIZEOF_ST_INDEX_T*CHAR_BIT > 4*8
> +@@ -1181,6 +1190,9 @@
> + hashseed |= genrand_int32(mt);
> + #endif
> + 
> ++for (i = 0; i < numberof(sipseed.u32); ++i)
> ++sipseed.u32[i] = genrand_int32(mt);
> ++
> + rb_global_variable(&r->seed);
> + r->seed = seed;
> + }
> +@@ -1191,6 +1203,17 @@
> + return st_hash_start(hashseed + h);
> + }
> + 
> ++st_index_t
> ++rb_memhash(const void *ptr, long len)
> ++{
> ++sip_uint64_t h = sip_hash24(sipseed.key, ptr, len);
> ++#ifdef HAVE_UINT64_T
> ++return (st_index_t)h;
> ++#else
> ++return (st_index_t)(h.u32[0] ^ h.u32[1]);
> ++#endif
> ++}
> ++
> + static void
> + Init_RandomSeed2(void)
> + {
> +--- /dev/null
>  b/siphash.c
> +@@ -0,0 +1,483 @@
> ++#include 
> ++#include 
> ++#include "siphash.h"
> ++#ifndef SIP_HASH_STREAMING
> ++  #define SIP_HASH_STREAMING 1
> ++#endif
> ++
> ++#ifdef _WIN32
> ++  #define BYTE_ORDER __LITTLE_ENDIAN
> ++#elif !defined BYTE_ORDER
> ++  #include 
> ++#endif
> ++#ifndef LITTLE_ENDIAN
> ++#define LITTLE_ENDIAN __LITTLE_ENDIAN
> ++#endif
> ++#ifndef BIG_ENDIAN
> ++#define BIG_ENDIAN __BIG_ENDIAN
> ++#endif
> ++
> ++#if BYTE_ORDER == LITTLE_ENDIAN
> ++  #define lo u32[0]
> ++  #define hi u32[1]
> ++#elif BYTE_ORDER == BIG_ENDIAN
> ++  #define hi u32[0]
> ++  #define lo u32[1]
> ++#else
> ++  #error "Only strictly little or big endian supported"
> ++#endif
> ++
> ++#ifndef UNALIGNED_WORD_ACCESS
> ++# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \
> ++ defined(__x8

Re: Ruby 1.9.1 Squeeze package for test

2015-06-28 Thread Santiago Ruano Rincón
El 26/06/15 a las 12:03, Guido Günther escribió:
> Hi Santiago,

Hi Guido,

Thanks for reviewing!

> On Wed, Jun 24, 2015 at 10:16:08PM +0200, Santiago Ruano Rincón wrote:
> > Hi there,
> > 
> > I've prepared a ruby 1.9.1 package to fix the two open CVEs
> > CVE-2012-5371 and CVE-2013-0269. As usual, test are more than welcome.
> > The package is available at the repository:
> > 
> > deb https://people.debian.org/~santiago/debian santiago-squeeze-lts/
> > 
> > Debdiff against current package attached.
> > 
> > Cheers,
> > 
> > Santiago
> > 
...
> > diff -Nru ruby1.9.1-1.9.2.0/debian/patches/series 
> > ruby1.9.1-1.9.2.0/debian/patches/series
> > --- ruby1.9.1-1.9.2.0/debian/patches/series 2015-05-30 19:47:58.0 
> > +0200
> > +++ ruby1.9.1-1.9.2.0/debian/patches/series 2015-06-23 22:44:07.0 
> > +0200
> > @@ -68,3 +68,5 @@
> >  
> >  #XXX todo: CVE-2012-5371
> >  #XXX todo: CVE-2013-0269
> 
> Minor nitpick: I think these can be dropped now that the CVEs are
> fixed.
> 

Ok

> Apart from that I noticed this behaviour change due to the fix for
> CVE-2013-0269 (based on [1]):
> 
> Squeeze version:
>  # cat <
>  require 'json'
>  p JSON.parse('{"json_class":"foo"}')['json_class']
>  EOF
>  Outputs: /usr/lib/ruby/1.9.1/json/common.rb:39:in `const_defined?': 
> wrong constant name foo (NameError)
>   from /usr/lib/ruby/1.9.1/json/common.rb:39:in `block in deep_const_get'
>   from /usr/lib/ruby/1.9.1/json/common.rb:36:in `each'
>   from /usr/lib/ruby/1.9.1/json/common.rb:36:in `inject'
>   from /usr/lib/ruby/1.9.1/json/common.rb:36:in `deep_const_get'
>   from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
>   from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
>   from -:2:in `'
> 
> Your fixed version:
> 
> # cat < require 'json'
> p JSON.parse('{"json_class":"foo"}')['json_class']
> EOF
> Outputs: "foo"
> 

This is the same behavior I get from the wheezy's version.

% cat < I just wonder if there could be any code out there that relies on the
> first version throwing NameError and if we'd need to mention this in the
> DLA?

For the moment, I have been unable to find any such code, or to trigger the
NameError.
Moreover, I've realised that test_json_rails results in 4 failures out
of 7 tests. But json/add/rails.rb was removed before the wheezy
version. What do you think? Maybe we could find a more suitable
solution?

Cheers,

Santiago




Re: Ruby 1.9.1 Squeeze package for test

2015-06-29 Thread Guido Günther
On Sun, Jun 28, 2015 at 02:12:48PM +0200, Santiago Ruano Rincón wrote:
[..snip..]
> > Apart from that I noticed this behaviour change due to the fix for
> > CVE-2013-0269 (based on [1]):
> > 
> > Squeeze version:
> >  # cat < >  
> >  require 'json'
> >  p JSON.parse('{"json_class":"foo"}')['json_class']
> >  EOF
> >  Outputs: /usr/lib/ruby/1.9.1/json/common.rb:39:in `const_defined?': 
> > wrong constant name foo (NameError)
> > from /usr/lib/ruby/1.9.1/json/common.rb:39:in `block in deep_const_get'
> > from /usr/lib/ruby/1.9.1/json/common.rb:36:in `each'
> > from /usr/lib/ruby/1.9.1/json/common.rb:36:in `inject'
> > from /usr/lib/ruby/1.9.1/json/common.rb:36:in `deep_const_get'
> > from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
> > from /usr/lib/ruby/1.9.1/json/common.rb:146:in `parse'
> > from -:2:in `'
> > 
> > Your fixed version:
> > 
> > # cat < > require 'json'
> > p JSON.parse('{"json_class":"foo"}')['json_class']
> > EOF
> > Outputs: "foo"
> > 
> 
> This is the same behavior I get from the wheezy's version.
> 
> % cat < require 'json'
> p JSON.parse('{"json_class":"foo"}')['json_class']
> EOF
> "foo"
> 
> Actually, I had to backport more code from wheezy.
> 
> > I just wonder if there could be any code out there that relies on the
> > first version throwing NameError and if we'd need to mention this in the
> > DLA?
> 
> For the moment, I have been unable to find any code or to throw the
> NameError.
> Moreover, I've realised that the test_json_rails results on 4 failures
> from 7 tests. But json/add/rails.rb was removed before the wheezy
> version. What do you think? Maybe we could find a more suitable
> solution?

Since this is in line with Wheezy (and upstream), I think the solution is
fine, but maybe we should mention the behaviour change in NEWS.Debian?
Cheers,
 -- Guido

