[rubygem-rbovirt/el6] Fix unsafe use of rest-client (CVE-2014-0036).

Vít Ondruch vondruch at fedoraproject.org
Thu Mar 6 11:33:31 UTC 2014


commit 17fa6361107694df5912797bb4f0d20fbd98be7a
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Thu Mar 6 12:31:34 2014 +0100

    Fix unsafe use of rest-client (CVE-2014-0036).

 ...ded-support-for-https-peer-authentication.patch |  230 ++++++++++++++++++++
 rubygem-rbovirt.spec                               |   63 +++---
 2 files changed, 265 insertions(+), 28 deletions(-)
---
diff --git a/rubygem-rbovirt-0.0.24-CVE-2014-0036-added-support-for-https-peer-authentication.patch b/rubygem-rbovirt-0.0.24-CVE-2014-0036-added-support-for-https-peer-authentication.patch
new file mode 100644
index 0000000..a9956b7
--- /dev/null
+++ b/rubygem-rbovirt-0.0.24-CVE-2014-0036-added-support-for-https-peer-authentication.patch
@@ -0,0 +1,230 @@
+From 65abc49a64443d16c88114c01f6ba210963cffae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch at redhat.com>
+Date: Thu, 6 Mar 2014 12:19:34 +0100
+Subject: [PATCH] bla
+
+---
+ lib/rbovirt.rb                | 46 ++++++++++++++++++++++++++-------
+ lib/restclient_ext/request.rb | 60 +++++++++++++++++++++++++++++++++++++++++++
+ spec/spec_helper.rb           | 16 +++++++++++-
+ spec/unit/client_spec.rb      | 24 +++++++++++++++++
+ 4 files changed, 136 insertions(+), 10 deletions(-)
+ create mode 100644 lib/restclient_ext/request.rb
+ create mode 100644 spec/unit/client_spec.rb
+
+diff --git a/lib/rbovirt.rb b/lib/rbovirt.rb
+index 72202b3..ce52c4c 100644
+--- a/lib/rbovirt.rb
++++ b/lib/rbovirt.rb
+@@ -11,6 +11,7 @@ require "ovirt/network"
+ 
+ require "nokogiri"
+ require "rest_client"
++require "restclient_ext/request"
+ 
+ module OVIRT
+ 
+@@ -28,13 +29,31 @@ module OVIRT
+ 
+   class Client
+ 
+-    attr_reader :credentials, :api_entrypoint, :datacenter_id, :cluster_id
+-
+-    def initialize(username, password, api_entrypoint, datacenter_id=nil, cluster_id=nil)
+-      @credentials = { :username => username, :password => password }
+-      @datacenter_id = datacenter_id
+-      @cluster_id = cluster_id
++    attr_reader :credentials, :api_entrypoint, :datacenter_id, :cluster_id, :ca_cert_file, :ca_cert_store
++
++    # Construct a new ovirt client class.
++    # mandatory parameters
++    #   username, password, api_entrypoint  - for example 'me at internal', 'secret', 'https://example.com/api'
++    # optional parameters
++    #   datacenter_id and cluster_id can be sent in this order for backward
++    #   compatibility, or as a hash in the 4th parameter.
++    #   datacenter_id - setting the datacenter at initialization will add a default scope to any subsequent call
++    #                   to the client to the specified datacenter.
++    #   cluster_id    - setting the cluster at initialization will add a default scope to any subsequent call
++    #                   to the client to the specified cluster.
++    #
++    def initialize(username, password, api_entrypoint, options={}, backward_compatibility_cluster=nil)
++      if !options.is_a?(Hash)
++        # backward compatibility optional parameters
++        options = {:datacenter_id => options,
++                   :cluster_id => backward_compatibility_cluster}
++      end
+       @api_entrypoint = api_entrypoint
++      @credentials = { :username => username, :password => password }
++      @datacenter_id  = options[:datacenter_id]
++      @cluster_id     = options[:cluster_id]
++      @ca_cert_file   = options[:ca_cert_file]
++      @ca_cert_store  = options[:ca_cert_store]
+     end
+ 
+     def vm(vm_id, opts={})
+@@ -200,7 +219,7 @@ module OVIRT
+ 
+     def http_get(suburl, headers={})
+       begin
+-        Nokogiri::XML(RestClient::Resource.new(@api_entrypoint)[suburl].get(http_headers(headers)))
++        Nokogiri::XML(rest_client(suburl).get(http_headers(headers)))
+       rescue
+         handle_fault $!
+       end
+@@ -208,7 +227,7 @@ module OVIRT
+ 
+     def http_post(suburl, body, headers={})
+       begin
+-        Nokogiri::XML(RestClient::Resource.new(@api_entrypoint)[suburl].post(body, http_headers(headers)))
++        Nokogiri::XML(rest_client(suburl).post(body, http_headers(headers)))
+       rescue
+         handle_fault $!
+       end
+@@ -217,7 +236,7 @@ module OVIRT
+     def http_delete(suburl)
+       begin
+         headers = {:accept => 'application/xml'}.merge(auth_header)
+-        Nokogiri::XML(RestClient::Resource.new(@api_entrypoint)[suburl].delete(headers))
++        Nokogiri::XML(rest_client(suburl).delete(headers))
+       rescue
+         handle_fault $!
+       end
+@@ -229,6 +248,15 @@ module OVIRT
+       { :authorization => "Basic " + encoded_credentials }
+     end
+ 
++    def rest_client(suburl)
++      if (URI.parse(@api_entrypoint)).scheme == 'https'
++        verify_options = {:verify_ssl  => OpenSSL::SSL::VERIFY_PEER}
++        verify_options[:ssl_cert_store] = ca_cert_store if ca_cert_store
++        verify_options[:ssl_ca_file]    = ca_cert_file if ca_cert_file
++      end
++      RestClient::Resource.new(@api_entrypoint, verify_options)[suburl]
++    end
++
+     def base_url
+       url = URI.parse(@api_entrypoint)
+       "#{url.scheme}://#{url.host}:#{url.port}"
+diff --git a/lib/restclient_ext/request.rb b/lib/restclient_ext/request.rb
+new file mode 100644
+index 0000000..0070b6b
+--- /dev/null
++++ b/lib/restclient_ext/request.rb
+@@ -0,0 +1,60 @@
++# rest-client extension
++module RestClient
++  # This class enhance the rest-client request by accepting a parameter for ca certificate store,
++  # this file can be removed once https://github.com/rest-client/rest-client/pull/254
++  # get merged upstream.
++  #
++  # :ssl_cert_store - an x509 certificate store.
++  class Request
++
++    def transmit uri, req, payload, & block
++      setup_credentials req
++
++      net = net_http_class.new(uri.host, uri.port)
++      net.use_ssl = uri.is_a?(URI::HTTPS)
++      if (@verify_ssl == false) || (@verify_ssl == OpenSSL::SSL::VERIFY_NONE)
++        net.verify_mode = OpenSSL::SSL::VERIFY_NONE
++      elsif @verify_ssl.is_a? Integer
++        net.verify_mode = @verify_ssl
++        net.verify_callback = lambda do |preverify_ok, ssl_context|
++          if (!preverify_ok) || ssl_context.error != 0
++            err_msg = "SSL Verification failed -- Preverify: #{preverify_ok}, Error: #{ssl_context.error_string} (#{ssl_context.error})"
++            raise SSLCertificateNotVerified.new(err_msg)
++          end
++          true
++        end
++      end
++      net.cert = @ssl_client_cert if @ssl_client_cert
++      net.key = @ssl_client_key if @ssl_client_key
++      net.ca_file = @ssl_ca_file if @ssl_ca_file
++      net.cert_store = args[:ssl_cert_store] if args[:ssl_cert_store]
++      net.read_timeout = @timeout if @timeout
++      net.open_timeout = @open_timeout if @open_timeout
++
++      # disable the timeout if the timeout value is -1
++      net.read_timeout = nil if @timeout == -1
++      net.out_timeout = nil if @open_timeout == -1
++
++      RestClient.before_execution_procs.each do |before_proc|
++        before_proc.call(req, args)
++      end
++
++      log_request
++
++      net.start do |http|
++        if @block_response
++          http.request(req, payload ? payload.to_s : nil, & @block_response)
++        else
++          res = http.request(req, payload ? payload.to_s : nil) { |http_response| fetch_body(http_response) }
++          log_response res
++          process_result res, & block
++        end
++      end
++    rescue EOFError
++      raise RestClient::ServerBrokeConnection
++    rescue Timeout::Error
++      raise RestClient::RequestTimeout
++    end
++
++  end
++end
+diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
+index 1cff319..78c2586 100644
+--- a/spec/spec_helper.rb
++++ b/spec/spec_helper.rb
+@@ -4,4 +4,18 @@
+ require 'rspec'
+ require 'rbovirt'
+ 
+-module OVIRT::RSpec end
++module OVIRT::RSpec
++
++  # get ovirt ca certificate public key
++  # * url - ovirt server url
++  def self.ca_cert(url)
++    ca_url = URI.parse(url)
++    ca_url.path = "/ca.crt"
++    http = Net::HTTP.new(ca_url.host, ca_url.port)
++    http.use_ssl = (ca_url.scheme == 'https')
++    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
++    request = Net::HTTP::Get.new(ca_url.path)
++    http.request(request).body
++  end
++
++end
+diff --git a/spec/unit/client_spec.rb b/spec/unit/client_spec.rb
+new file mode 100644
+index 0000000..ad85df1
+--- /dev/null
++++ b/spec/unit/client_spec.rb
+@@ -0,0 +1,24 @@
++require "#{File.dirname(__FILE__)}/../spec_helper"
++
++describe OVIRT::Client do
++  context 'client initialization' do
++    it 'should accept no option' do
++      OVIRT::Client::new('mockuser','mockpass','http://example.com/api')
++    end
++
++    it 'should accept no datacenter_id in options' do
++      OVIRT::Client::new('mockuser','mockpass','http://example.com/api', :datacenter_id => '123123')
++    end
++
++    it 'should support backward compatibility' do
++      OVIRT::Client::new('mockuser','mockpass','http://example.com/api', '123123', '123123')
++    end
++
++    it 'should support options hash in 4th parameter' do
++      OVIRT::Client::new('mockuser','mockpass','http://example.com/api',
++                         {:datacenter_id => '123123',
++                          :cluster_id    => '123123',
++                          :ca_cert_file  => 'ca_cert.pem'})
++    end
++  end
++end
+-- 
+1.8.5.3
+
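Review bot: In `rest_client` (the `lib/rbovirt.rb` hunk at `@@ -229,6 +248,15 @@`), `verify_options` is assigned only inside the `https` branch, so for a plain-http entrypoint it is `nil` when it reaches `RestClient::Resource.new(@api_entrypoint, verify_options)`; in the 1.6-era rest-client this extension targets, `Resource#initialize` treats a non-Hash second argument as the legacy user/password form, so the http path presumably works only by accident. Initialise it first: `verify_options = {}` before `if URI.parse(@api_entrypoint).scheme == 'https'`. When the entrypoint is https and neither `ca_cert_file` nor `ca_cert_store` is supplied, `VERIFY_PEER` relies on whatever default trust store `Net::HTTP` installs — worth confirming that the Ruby 1.8 this package targets actually loads one (otherwise every https call fails closed), and the new `initialize` comment block should document that `:ca_cert_file`/`:ca_cert_store` control peer verification, since it currently omits both options. The new `spec/unit/client_spec.rb` only constructs clients; an example asserting that `rest_client` passes `:verify_ssl => OpenSSL::SSL::VERIFY_PEER` for an `https://` entrypoint (and nothing for `http://`) would pin the fix this CVE patch is meant to deliver. The copied `transmit` also carries `net.out_timeout = nil if @open_timeout == -1`, which is not a `Net::HTTP` method — likely a pre-existing upstream typo for `open_timeout`, but it raises `NoMethodError` whenever a caller sets `open_timeout` to -1.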
diff --git a/rubygem-rbovirt.spec b/rubygem-rbovirt.spec
index 709b3fd..7cdefee 100644
--- a/rubygem-rbovirt.spec
+++ b/rubygem-rbovirt.spec
@@ -1,30 +1,31 @@
-%global gemname rbovirt
+%global gem_name rbovirt
 
-%global gemdir %(ruby -rubygems -e 'puts Gem::dir' 2>/dev/null)
-%global geminstdir %{gemdir}/gems/%{gemname}-%{version}
 %global rubyabi 1.8
 
 Summary: A Ruby client for oVirt REST API
-Name: rubygem-%{gemname}
+Name: rubygem-%{gem_name}
 Version: 0.0.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://github.com/abenari/rbovirt
-Source0: http://rubygems.org/gems/%{gemname}-%{version}.gem
+Source0: http://rubygems.org/gems/%{gem_name}-%{version}.gem
+# Fix unsafe use of rest-client (CVE-2014-0036).
+# https://github.com/abenari/rbovirt/commit/494028e14948d89ab331e79d6e64fdfeec5bae4c
+Patch1: rubygem-rbovirt-0.0.24-CVE-2014-0036-added-support-for-https-peer-authentication.patch
 Requires: ruby(abi) = %{rubyabi}
 Requires: ruby(rubygems)
 Requires: ruby
 Requires: rubygem(nokogiri)
 Requires: rubygem(rest-client)
 BuildRequires: ruby(abi) = %{rubyabi}
-BuildRequires: ruby(rubygems)
+BuildRequires: rubygems-devel
 BuildRequires: ruby
 BuildRequires: rubygem(rspec)
 BuildRequires: rubygem(nokogiri)
 BuildRequires: rubygem(rest-client)
 BuildArch: noarch
-Provides: rubygem(%{gemname}) = %{version}
+Provides: rubygem(%{gem_name}) = %{version}
 
 %description
 A Ruby client for oVirt REST API
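Review bot: The new `Patch1` line installs a wholesale replacement of `RestClient::Request#transmit` copied from rest-client internals, yet `Requires: rubygem(rest-client)` and the matching `BuildRequires` in this hunk stay unversioned, so a later rest-client update on the host would silently run the vendored `transmit` against a different `Request` class (`net_http_class`, `setup_credentials`, `fetch_body`, `process_result` and `args` are all assumed to still exist). A bound such as `Requires: rubygem(rest-client) >= <tested-version>` (placeholder for the version the override was copied from) or a `%check` example exercising an https entrypoint would make that assumption explicit. Provenance is also hard to audit: the comment cites upstream commit 494028e14948d89ab331e79d6e64fdfeec5bae4c, while the embedded patch header reads `From 65abc49a64443d16c88114c01f6ba210963cffae` with `Subject: [PATCH] bla` and a `0.0.24` file name against `Version: 0.0.6`. I'd regenerate the patch with the upstream subject and hash, or state in the comment that it is a rebased backport, so the CVE fix can be traced to its source.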
@@ -41,19 +42,21 @@ Documentation for %{name}
 
 %prep
 %setup -q -c -T
-mkdir -p .%{gemdir}
-gem install --local --install-dir .%{gemdir} \
-            --force %{SOURCE0}
+%gem_install -n %{SOURCE0}
+
+pushd .%{gem_instdir}
+%patch1 -p1
+popd
 
 %build
 
 %install
-mkdir -p %{buildroot}%{gemdir}
-cp -a .%{gemdir}/* \
-        %{buildroot}%{gemdir}/
+mkdir -p %{buildroot}%{gem_dir}
+cp -a .%{gem_dir}/* \
+        %{buildroot}%{gem_dir}/
 
 %check
-pushd .%{geminstdir}
+pushd .%{gem_instdir}
 
 # Fix for RSpec 1.x.
 sed -i -e "s|require 'rspec'|require 'spec'|" spec/spec_helper.rb
@@ -65,23 +68,27 @@ popd
 
 
 %files
-%dir %{geminstdir}
-%doc %{geminstdir}/LICENSE.txt
-%exclude %{geminstdir}/.document
-%{geminstdir}/lib
-%exclude %{gemdir}/cache/%{gemname}-%{version}.gem
-%{gemdir}/specifications/%{gemname}-%{version}.gemspec
+%dir %{gem_instdir}
+%doc %{gem_instdir}/LICENSE.txt
+%exclude %{gem_instdir}/.document
+%{gem_libdir}
+%exclude %{gem_cache}
+%{gem_spec}
 
 %files doc
-%doc %{gemdir}/doc/%{gemname}-%{version}
-%doc %{geminstdir}/README.rdoc
-%{geminstdir}/VERSION
-%{geminstdir}/Gemfile
-%{geminstdir}/Rakefile
-%{geminstdir}/%{gemname}.gemspec
-%{geminstdir}/spec/
+%doc %{gem_docdir}
+%doc %{gem_instdir}/README.rdoc
+%{gem_instdir}/VERSION
+%{gem_instdir}/Gemfile
+%{gem_instdir}/Rakefile
+%{gem_instdir}/%{gem_name}.gemspec
+%{gem_instdir}/spec/
 
 %changelog
+* Thu Mar 06 2014 Vít Ondruch <vondruch at redhat.com> - 0.0.6-2
+- Fix unsafe use of rest-client (CVE-2014-0036).
+- Use rubygem-devel.
+
 * Thu Feb 16 2012 Vít Ondruch <vondruch at redhat.com> - 0.0.6-1
 - Update to rbovirt 0.0.6.
 

