[rubygems/f18] Patch for CVE-2013-4363
Mamoru Tasaka
mtasaka at fedoraproject.org
Tue Sep 24 21:12:58 UTC 2013
commit a4b3b95eccdb1ab9419e73f11b01223b54a241a6
Author: Mamoru TASAKA <mtasaka at fedoraproject.org>
Date: Mon Sep 23 11:28:39 2013 +0900
Patch for CVE-2013-4363
check_CVE-2013-4287.rb | 29 ++++++++++++++++++++++++++
check_CVE-2013-4363.rb | 29 ++++++++++++++++++++++++++
rubygems-1.8.26-CVE-2013-4363.patch | 39 +++++++++++++++++++++++++++++++++++
rubygems.spec | 21 ++++++++++++++++++-
4 files changed, 117 insertions(+), 1 deletions(-)
---
diff --git a/check_CVE-2013-4287.rb b/check_CVE-2013-4287.rb
new file mode 100644
index 0000000..a643b57
--- /dev/null
+++ b/check_CVE-2013-4287.rb
@@ -0,0 +1,29 @@
+require 'benchmark'
+require 'rubygems'
+
+valid = Benchmark.measure do
+ Gem::Version.new '1.22.333.4444.55555.666666.7777777'
+end
+
+puts 'Valid version time:'
+puts valid
+
+invalid = Benchmark.measure do
+ begin
+ Gem::Version.new '1.22.333.4444.55555.666666.7777777.'
+ rescue
+ end
+end
+
+puts 'Invalid version time:'
+puts invalid
+
+n = (valid.real - invalid.real).abs
+
+if 0.1 < n then
+ puts 'You are vulnerable to CVE-2013-4287.'
+ exit(1)
+else
+ puts 'You are NOT vulnerable to CVE-2013-4287.'
+end
+
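Review bot: The bare `rescue` around the invalid-version measurement swallows every StandardError, so a failure unrelated to version parsing (a NoMethodError, for instance) would still be timed as a fast "invalid" run and the script would print NOT vulnerable and exit 0; narrowing it to `rescue ArgumentError` keeps the check honest, since that is the exception the test hunk in rubygems-1.8.26-CVE-2013-4363.patch asserts for a malformed string. The same bare rescue appears in check_CVE-2013-4363.rb. The absolute 0.1 s threshold on a single measurement is also noise-sensitive when this runs under %check on a loaded builder; if that turns out flaky, comparing the ratio of the two timings or the best of a few runs would be more robust. The script is flat top-level code with no enclosing function.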
diff --git a/check_CVE-2013-4363.rb b/check_CVE-2013-4363.rb
new file mode 100644
index 0000000..7843fcd
--- /dev/null
+++ b/check_CVE-2013-4363.rb
@@ -0,0 +1,29 @@
+require 'benchmark'
+require 'rubygems'
+
+valid = Benchmark.measure do
+ Gem::Version.new '111111111111111111111111'
+end
+
+puts 'Valid version time:'
+puts valid
+
+invalid = Benchmark.measure do
+ begin
+ Gem::Version.new '111111111111111111111111.'
+ rescue
+ end
+end
+
+puts 'Invalid version time:'
+puts invalid
+
+n = (valid.real - invalid.real).abs
+
+if 0.1 < n then
+ puts 'You are vulnerable to CVE-2013-XXXX.'
+ exit(1)
+else
+ puts 'You are NOT vulnerable to CVE-2013-XXXX.'
+end
+
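Review bot: The two `puts` messages still say `CVE-2013-XXXX` although the file is named check_CVE-2013-4363.rb and the spec comment states the script was adjusted to match the final advisory; presumably the placeholder was inherited from the upstream check script. Change them to `puts 'You are vulnerable to CVE-2013-4363.'` and `puts 'You are NOT vulnerable to CVE-2013-4363.'` so build logs name the right CVE.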
diff --git a/rubygems-1.8.26-CVE-2013-4363.patch b/rubygems-1.8.26-CVE-2013-4363.patch
new file mode 100644
index 0000000..1a211ce
--- /dev/null
+++ b/rubygems-1.8.26-CVE-2013-4363.patch
@@ -0,0 +1,39 @@
+diff --git a/lib/rubygems/version.rb b/lib/rubygems/version.rb
+index 3c7da6b..de915d0 100644
+--- a/lib/rubygems/version.rb
++++ b/lib/rubygems/version.rb
+@@ -146,7 +146,7 @@ class Gem::Version
+ include Comparable
+
+ VERSION_PATTERN = '[0-9]+(?>\.[0-9a-zA-Z]+)*' # :nodoc:
+- ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})*\s*\z/ # :nodoc:
++ ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/ # :nodoc:
+
+ ##
+ # A string representation of this Version.
+diff --git a/test/rubygems/test_gem_version.rb b/test/rubygems/test_gem_version.rb
+index 3c26cf8..5d5bf6c 100644
+--- a/test/rubygems/test_gem_version.rb
++++ b/test/rubygems/test_gem_version.rb
+@@ -67,12 +67,18 @@ class TestGemVersion < Gem::TestCase
+ end
+
+ def test_initialize_bad
+- ["junk", "1.0\n2.0"].each do |bad|
+- e = assert_raises ArgumentError do
++ %W[
++ junk
++ 1.0\n2.0
++ 1..2
++ 1.2\ 3.4
++ 1-2-3
++ ].each do |bad|
++ e = assert_raises ArgumentError, bad do
+ Gem::Version.new bad
+ end
+
+- assert_equal "Malformed version number string #{bad}", e.message
++ assert_equal "Malformed version number string #{bad}", e.message, bad
+ end
+ end
+
diff --git a/rubygems.spec b/rubygems.spec
index 8122069..1b94d59 100644
--- a/rubygems.spec
+++ b/rubygems.spec
@@ -26,12 +26,20 @@
Summary: The Ruby standard for packaging ruby libraries
Name: rubygems
Version: 1.8.25
-Release: 7%{?dist}
+Release: 8%{?dist}
Group: Development/Libraries
License: Ruby or MIT
URL: https://rubygems.org/
Source0: http://production.cf.rubygems.org/rubygems/%{name}-%{version}.tgz
+# http://seclists.org/oss-sec/2013/q3/att-576/check_CVE-2013-4287_rb.bin
+# Slightly modified for exit status
+Source10: check_CVE-2013-4287.rb
+# http://seclists.org/oss-sec/2013/q3/att-621/check_CVE-2013-XXXX_rb.bin
+# Slightly modified for exit status,
+# Also modified to match:
+# http://seclists.org/oss-sec/2013/q3/605
+Source11: check_CVE-2013-4363.rb
# Sources from the works by Vít Ondruch <vondruch at redhat.com>
# Please keep Source100 and Patch{105,109} in sync with ruby.spec
@@ -55,6 +63,9 @@ Patch3: rubygems-1.8.5-show-rdoc-process-verbosely.patch
# Note that 1.8.26 uses minitest ~> 4.0 for test suite, which is
# not available on F-18, so we cannot easily update to 1.8.26
Patch4: rubygems-1.8.25-CVE-2013-4287.patch
+# http://seclists.org/oss-sec/2013/q3/att-634/CVE-2013-XXXX_1_8.patch
+# Kill for broken test part
+Patch5: rubygems-1.8.26-CVE-2013-4363.patch
# Patches from the works by Vít Ondruch <vondruch at redhat.com>
# Fix the uninstaller, so that it doesn't say that gem doesn't exist
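Review bot: The comment `# Kill for broken test part` on Patch5 does not say what was removed, and the patch file added in this commit still carries a test_gem_version.rb hunk, so a reader cannot tell which test part was dropped or why. If the intent is that the upstream 1.8 patch was trimmed of test changes that do not apply to the 1.8.25 test suite, say so, e.g. `# Upstream 1.8 patch; test-suite changes that do not apply to 1.8.25 dropped`.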
@@ -105,6 +116,7 @@ Macros and development tools for packagin RubyGems.
%patch1 -p1 -b .insync
%patch3 -p1 -b .rdoc_v
%patch4 -p1 -b .cve-2013-4287
+%patch5 -p1 -b .cve-2013-4363
#%%patch6 -p1 -b .load_path
%endif
%patch105 -p1 -b .uninst
@@ -203,6 +215,10 @@ done
export RUBYOPT
testrb test
+
+# CVE vulnerability check
+ruby -Ilib %{SOURCE10}
+ruby -Ilib %{SOURCE11}
%endif
%files
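Review bot: The two `ruby -Ilib %{SOURCE10}` / `%{SOURCE11}` lines fail the build via the scripts' exit(1), but nothing in the spec says these are timing-based checks, so a spurious failure on a slow or loaded builder would be hard to recognise for what it is. Replace the bare `# CVE vulnerability check` with a comment that names the mechanism, e.g. `# Timing-based regression checks for CVE-2013-4287 and CVE-2013-4363: each script exits 1 when parsing a malformed version string takes noticeably longer than a valid one`.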
@@ -232,6 +248,9 @@ testrb test
%config(noreplace) %{_sysconfdir}/rpm/macros.rubygems
%changelog
+* Mon Sep 23 2013 Mamoru TASAKA <mtasaka at fedoraproject.org> - 1.8.25-8
+- Patch for CVE-2013-4363
+
* Tue Sep 10 2013 Mamoru TASAKA <mtasaka at fedoraproject.org> - 1.8.25-7
- Backport from 1.8.26 to fix CVE-2013-4287