rpms/ruby/devel ruby-1.8.6.x-CVE-2009-4492.patch, NONE, 1.1 ruby.spec, 1.145, 1.146
Mamoru Tasaka
mtasaka at fedoraproject.org
Tue Jan 12 19:02:42 UTC 2010
- Previous message: rpms/ruby/F-12 ruby-1.8.6-p383-mkmf-use-shared.patch, NONE, 1.1 ruby-1.8.6.x-CVE-2009-4492.patch, NONE, 1.1 ruby.spec, 1.144, 1.145
- Next message: rpms/gdb/F-12 gdb-6.6-buildid-locate-rpm.patch, 1.6, 1.7 gdb.spec, 1.417, 1.418
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: mtasaka
Update of /cvs/extras/rpms/ruby/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23009/devel
Modified Files:
ruby.spec
Added Files:
ruby-1.8.6.x-CVE-2009-4492.patch
Log Message:
* Wed Jan 13 2010 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 1.8.6.383-6
- CVE-2009-4492 ruby WEBrick log escape sequence (bug 554485)
ruby-1.8.6.x-CVE-2009-4492.patch:
accesslog.rb | 12 ++++++++++--
httprequest.rb | 6 +-----
httpresponse.rb | 2 +-
httpstatus.rb | 31 ++++++++++++++++++-------------
httputils.rb | 4 ++--
5 files changed, 32 insertions(+), 23 deletions(-)
--- NEW FILE ruby-1.8.6.x-CVE-2009-4492.patch ---
Index: lib/webrick/httpstatus.rb
===================================================================
--- lib/webrick/httpstatus.rb (revision 26273)
+++ lib/webrick/httpstatus.rb (revision 26274)
@@ -12,7 +12,17 @@
module HTTPStatus
- class Status < StandardError; end
+ class Status < StandardError
+ def initialize(message=self.class, *rest)
+ super(AccessLog.escape(message), *rest)
+ end
+ class << self
+ attr_reader :code, :reason_phrase
+ end
+ def code() self::class::code end
+ def reason_phrase() self::class::reason_phrase end
+ alias to_i code
+ end
class Info < Status; end
class Success < Status; end
class Redirect < Status; end
@@ -68,6 +78,7 @@
CodeToError = {}
StatusMessage.each{|code, message|
+ message.freeze
var_name = message.gsub(/[ \-]/,'_').upcase
err_name = message.gsub(/[ \-]/,'')
@@ -79,18 +90,12 @@
when 500...600; parent = ServerError
end
- eval %-
- RC_#{var_name} = #{code}
- class #{err_name} < #{parent}
- def self.code() RC_#{var_name} end
- def self.reason_phrase() StatusMessage[code] end
- def code() self::class::code end
- def reason_phrase() self::class::reason_phrase end
- alias to_i code
- end
- -
-
- CodeToError[code] = const_get(err_name)
+ const_set("RC_#{var_name}", code)
+ err_class = Class.new(parent)
+ err_class.instance_variable_set(:@code, code)
+ err_class.instance_variable_set(:@reason_phrase, message)
+ const_set(err_name, err_class)
+ CodeToError[code] = err_class
}
def reason_phrase(code)
Index: lib/webrick/httprequest.rb
===================================================================
--- lib/webrick/httprequest.rb (revision 26273)
+++ lib/webrick/httprequest.rb (revision 26274)
@@ -242,11 +242,7 @@
@raw_header << line
end
end
- begin
- @header = HTTPUtils::parse_header(@raw_header)
- rescue => ex
- raise HTTPStatus::BadRequest, ex.message
- end
+ @header = HTTPUtils::parse_header(@raw_header.join)
end
def parse_uri(str, scheme="http")
Index: lib/webrick/httpresponse.rb
===================================================================
--- lib/webrick/httpresponse.rb (revision 26273)
+++ lib/webrick/httpresponse.rb (revision 26274)
@@ -132,7 +132,7 @@
end
end
- # Determin the message length (RFC2616 -- 4.4 Message Length)
+ # Determine the message length (RFC2616 -- 4.4 Message Length)
if @status == 304 || @status == 204 || HTTPStatus::info?(@status)
@header.delete('content-length')
@body = ""
Index: lib/webrick/httputils.rb
===================================================================
--- lib/webrick/httputils.rb (revision 26273)
+++ lib/webrick/httputils.rb (revision 26274)
@@ -128,11 +128,11 @@
when /^\s+(.*?)\s*\z/om
value = $1
unless field
- raise "bad header '#{line.inspect}'."
+ raise HTTPStatus::BadRequest, "bad header '#{line}'."
end
header[field][-1] << " " << value
else
- raise "bad header '#{line.inspect}'."
+ raise HTTPStatus::BadRequest, "bad header '#{line}'."
end
}
header.each{|key, values|
Index: lib/webrick/accesslog.rb
===================================================================
--- lib/webrick/accesslog.rb (revision 26273)
+++ lib/webrick/accesslog.rb (revision 26274)
@@ -53,15 +53,23 @@
when ?e, ?i, ?n, ?o
raise AccessLogError,
"parameter is required for \"#{spec}\"" unless param
- params[spec][param] || "-"
+ param = params[spec][param] ? escape(param) : "-"
when ?t
params[spec].strftime(param || CLF_TIME_FORMAT)
when ?%
"%"
else
- params[spec]
+ escape(params[spec].to_s)
end
}
end
+
+ def escape(data)
+ if data.tainted?
+ data.gsub(/[[:cntrl:]\\]+/) {$&.dump[1...-1]}.untaint
+ else
+ data
+ end
+ end
end
end
Index: ruby.spec
===================================================================
RCS file: /cvs/extras/rpms/ruby/devel/ruby.spec,v
retrieving revision 1.145
retrieving revision 1.146
diff -u -p -r1.145 -r1.146
--- ruby.spec 9 Dec 2009 09:57:10 -0000 1.145
+++ ruby.spec 12 Jan 2010 19:02:42 -0000 1.146
@@ -16,7 +16,7 @@
Name: ruby
Version: %{rubyver}%{?dotpatchlevel}
-Release: 5%{?dist}
+Release: 6%{?dist}
License: Ruby or GPLv2
URL: http://www.ruby-lang.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -56,6 +56,8 @@ Patch31: ruby-1.8.6-p369-ri-gem_multipat
# Patch32 from ruby_1_8 branch
Patch32: ruby-1.8head-irb-save-history.patch
Patch33: ruby-1.8.6-p383-mkmf-use-shared.patch
+# Patch34 already applied in 1.8.6p388
+Patch34: ruby-1.8.6.x-CVE-2009-4492.patch
Summary: An interpreter of object-oriented scripting language
Group: Development/Languages
@@ -197,6 +199,7 @@ pushd %{name}-%{arcver}
%patch31 -p1
%patch32 -p0
%patch33 -p1
+%patch34 -p0
popd
%build
@@ -572,6 +575,9 @@ rm -rf $RPM_BUILD_ROOT
%{_emacs_sitestartdir}/ruby-mode-init.el
%changelog
+* Wed Jan 13 2010 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 1.8.6.383-6
+- CVE-2009-4492 ruby WEBrick log escape sequence (bug 554485)
+
* Wed Dec 9 2009 Mamoru Tasaka <mtasaka at ioa.s.u-tokyo.ac.jp> - 1.8.6.383-5
- Change mkmf.rb to use LIBRUBYARG_SHARED so that have_library() works
without libruby-static.a (bug 428384)
- Previous message: rpms/ruby/F-12 ruby-1.8.6-p383-mkmf-use-shared.patch, NONE, 1.1 ruby-1.8.6.x-CVE-2009-4492.patch, NONE, 1.1 ruby.spec, 1.144, 1.145
- Next message: rpms/gdb/F-12 gdb-6.6-buildid-locate-rpm.patch, 1.6, 1.7 gdb.spec, 1.417, 1.418
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list