diff --git a/ruby-1.8.6.x-untainted_strings_can_be_tainted.patch b/ruby-1.8.6.x-untainted_strings_can_be_tainted.patch
new file mode 100644
index 0000000..4aac432
--- /dev/null
+++ b/ruby-1.8.6.x-untainted_strings_can_be_tainted.patch
@@ -0,0 +1,23 @@
+--- ruby-1.8.6-p420/error.c.tainted 2008-08-04 12:16:55.000000000 +0900
++++ ruby-1.8.6-p420/error.c 2011-02-21 04:44:14.000000000 +0900
+@@ -404,7 +404,6 @@
+ VALUE mesg = rb_attr_get(exc, rb_intern("mesg"));
+
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+- if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
+ return mesg;
+ }
+
+@@ -668,10 +667,9 @@
+ if (NIL_P(mesg)) return rb_class_name(CLASS_OF(exc));
+ StringValue(str);
+ if (str != mesg) {
+- rb_iv_set(exc, "mesg", mesg = str);
++ OBJ_INFECT(str, mesg);
+ }
+- if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);
+- return mesg;
++ return str;
+ }
+
+ /*
diff --git a/ruby-1.8.7p334-symlink-race-in-FileUtils-remove_entry_secure.patch b/ruby-1.8.7p334-symlink-race-in-FileUtils-remove_entry_secure.patch
new file mode 100644
index 0000000..8e03e3d
--- /dev/null
+++ b/ruby-1.8.7p334-symlink-race-in-FileUtils-remove_entry_secure.patch
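Review bot: The error.c backport drops the taint propagation without a comment in the code or a header in the patch file saying why, and both touched functions start outside the inner hunks, so a later rebase could easily put `if (OBJ_TAINTED(exc)) OBJ_TAINT(mesg);` back. The removed lines marked the stored message object itself as tainted whenever the exception was, whereas the new `OBJ_INFECT(str, mesg);` only carries taint from the message onto the converted string that is returned. I would add a comment above it such as `/* never taint the stored mesg in place: it may be a string owned by trusted code (bug 678920) */`. Because the stored "mesg" is no longer replaced by `str`, the conversion now appears to run on every call, which looks intended but is worth confirming against the 1.8.6 callers.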
@@ -0,0 +1,29 @@ +--- ruby-1.8.7-p330/lib/fileutils.rb 2010-06-08 15:31:50.000000000 +0900 ++++ ruby-1.8.7-p334/lib/fileutils.rb 2011-02-18 21:18:10.000000000 +0900 +@@ -658,10 +658,10 @@ + # removing directories. This requires the current process is the + # owner of the removing whole directory tree, or is the super user (root). + # +- # WARNING: You must ensure that *ALL* parent directories are not +- # world writable. Otherwise this method does not work. +- # Only exception is temporary directory like /tmp and /var/tmp, +- # whose permission is 1777. ++ # WARNING: You must ensure that *ALL* parent directories cannot be ++ # moved by other untrusted users. For example, parent directories ++ # should not be owned by untrusted users, and should not be world ++ # writable except when the sticky bit set. + # + # WARNING: Only the owner of the removing directory tree, or Unix super + # user (root) should invoke this method. Otherwise this method does not +@@ -704,6 +704,11 @@ + end + f.chown euid, -1 + f.chmod 0700 ++ unless fu_stat_identical_entry?(st, File.lstat(fullpath)) ++ # TOC-to-TOU attack? ++ File.unlink fullpath ++ return ++ end + } + # ---- tree root is frozen ---- + root = Entry_.new(path) diff --git a/ruby.spec b/ruby.spec index 16d1b1a..4ec1319 100644 --- a/ruby.spec +++ b/ruby.spec @@ -18,7 +18,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 1%{?dist} +Release: 2%{?dist} License: Ruby or GPLv2 URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
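Review bot: When the added `fu_stat_identical_entry?(st, File.lstat(fullpath))` check fails, the code unlinks whatever now sits at `fullpath` and leaves through a bare `return`, so the caller cannot tell an aborted removal from a completed one, and the comment `# TOC-to-TOU attack?` does not say that. I would spell it out, e.g. `# entry was replaced after chown/chmod (time-of-check/time-of-use race): drop the replacement and give up silently`. The comparison uses a path-based `File.lstat`, so it still relies on the parent directories being immovable by untrusted users, which is what the rewritten WARNING in the first inner hunk states. The enclosing block and method begin outside the hunk, so whether an earlier check already covers part of this cannot be seen here.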
@@ -95,6 +95,12 @@ Patch37: ruby-1.8.x-ext_tk-flatten-level-revert.patch Patch38: ruby-1.8.x-null-class-must-be-Qnil.patch # Once revert this patch to apply Patch34 cleanly Patch39: ruby-1.8.6-openssl-digest-once-revert-for-simplify-patch.patch +# patch from ruby_1_8_7 branch (between 1.8.7p330 and 1.8.7p334) +# bug 678913, Symlink race condition in FileUtils.remove_entry_secure +Patch40: ruby-1.8.7p334-symlink-race-in-FileUtils-remove_entry_secure.patch +# Patch from ruby_1_8_7 branch, a bit modified for 1.8.6.x +# bug 678920, bypass of $SAFE mechanism in Exception#to_s +Patch41: ruby-1.8.6.x-untainted_strings_can_be_tainted.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -250,6 +256,8 @@ pushd %{name}-%{arcver} %patch36 -p1 %patch37 -p1 %patch38 -p1 +%patch40 -p1 +%patch41 -p1 popd %build @@ -640,6 +648,11 @@ rm -rf $RPM_BUILD_ROOT %{_emacs_sitestartdir}/ruby-mode-init.el %changelog +* Mon Feb 21 2011 Mamoru Tasaka - 1.8.6.420-2 +- Backport 2 fixes from 1.8.7p420 + - Symlink race condition in FileUtils.remove_entry_secure (bug 678913) + - bypass of $SAFE mechanism in Exception#to_s (bug 678920) + * Sun Dec 26 2010 Mamoru Tasaka - 1.8.6.420-1 - Update to 1.8.6 p420
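Review bot: The comment on Patch41 says the upstream change was "a bit modified for 1.8.6.x" but records neither the upstream revision nor what was altered, which makes this security backport hard to audit against the ruby_1_8_7 branch. I would extend it along the lines of `# upstream: ruby_1_8_7 r<REVISION>; adapted: <what differs from upstream>`, with both placeholders filled in by the packager. The changelog hunk further down says the fixes come "from 1.8.7p420", while the Patch40 comment places them between 1.8.7p330 and 1.8.7p334; one of the two is presumably a typo and should be reconciled.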