[rubygem-sprockets/f21] Fix CVE-2014-7819 (rhbz#1164331)

Josef Stribny jstribny at fedoraproject.org
Wed Nov 19 14:13:57 UTC 2014


commit 2983ec9d4019149eb9a0569489a4beb60ae15a6d
Author: Josef Stribny <jstribny at redhat.com>
Date:   Wed Nov 19 12:45:54 2014 +0100

    Fix CVE-2014-7819 (rhbz#1164331)

 rubygem-sprockets-2.12.3-CVE-2014-7819.patch |   91 ++++++++++++++++++++++++++
 rubygem-sprockets.spec                       |   21 ++++++-
 2 files changed, 111 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-sprockets-2.12.3-CVE-2014-7819.patch b/rubygem-sprockets-2.12.3-CVE-2014-7819.patch
new file mode 100644
index 0000000..bc5b8f6
--- /dev/null
+++ b/rubygem-sprockets-2.12.3-CVE-2014-7819.patch
@@ -0,0 +1,91 @@
+From 5603069848b97400757637229497256b28c10e31 Mon Sep 17 00:00:00 2001
+From: Josef Stribny <jstribny at redhat.com>
+Date: Tue, 18 Nov 2014 17:54:08 +0100
+Subject: [PATCH] Check for absolute paths in server URL before passing to find
+
+---
+ lib/sprockets/server.rb | 14 +++++++-------
+ test/test_server.rb     | 22 ++++++++++++++++++++--
+ 2 files changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/lib/sprockets/server.rb b/lib/sprockets/server.rb
+index e9c2e59..e71f413 100644
+--- a/lib/sprockets/server.rb
++++ b/lib/sprockets/server.rb
+@@ -33,16 +33,16 @@ module Sprockets
+       # Extract the path from everything after the leading slash
+       path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
+ 
+-      # URLs containing a `".."` are rejected for security reasons.
+-      if forbidden_request?(path)
+-        return forbidden_response
+-      end
+-
+       # Strip fingerprint
+       if fingerprint = path_fingerprint(path)
+         path = path.sub("-#{fingerprint}", '')
+       end
+ 
++      # URLs containing a `".."` are rejected for security reasons.
++      if forbidden_request?(path)
++        return forbidden_response
++      end
++
+       # Look up the asset.
+       asset = find_asset(path, :bundle => !body_only?(env))
+ 
+@@ -90,7 +90,7 @@ module Sprockets
+         #
+         #     http://example.org/assets/../../../etc/passwd
+         #
+-        path.include?("..")
++        path.include?("..") || Pathname.new(path).absolute?
+       end
+ 
+       # Returns a 403 Forbidden response tuple
+@@ -222,7 +222,7 @@ module Sprockets
+       #     # => "0aa2105d29558f3eb790d411d7d8fb66"
+       #
+       def path_fingerprint(path)
+-        path[/-([0-9a-f]{7,40})\.[^.]+$/, 1]
++        path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1]
+       end
+ 
+       # URI.unescape is deprecated on 1.9. We need to use URI::Parser
+diff --git a/test/test_server.rb b/test/test_server.rb
+index 41e263d..c5f6a74 100644
+--- a/test/test_server.rb
++++ b/test/test_server.rb
+@@ -183,10 +183,28 @@ class TestServer < Sprockets::TestCase
+   end
+ 
+   test "illegal require outside load path" do
+-    get "/assets/../config/passwd"
++    get "/assets//etc/passwd"
+     assert_equal 403, last_response.status
+ 
+-    get "/assets/%2e%2e/config/passwd"
++    get "/assets/%2fetc/passwd"
++    assert_equal 403, last_response.status
++
++    get "/assets//%2fetc/passwd"
++    assert_equal 403, last_response.status
++
++    get "/assets/%2f/etc/passwd"
++    assert_equal 403, last_response.status
++
++    get "/assets/../etc/passwd"
++    assert_equal 403, last_response.status
++
++    get "/assets/%2e%2e/etc/passwd"
++    assert_equal 403, last_response.status
++
++    get "/assets/.-0000000./etc/passwd"
++    assert_equal 403, last_response.status
++
++    get "/assets/.-0000000./etc/passwd"
+     assert_equal 403, last_response.status
+   end
+ 
+-- 
+1.9.3
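Review bot: The last two requests in the rewritten "illegal require outside load path" test are identical (`get "/assets/.-0000000./etc/passwd"` appears twice, separated only by a status assertion), so the second one exercises nothing new; drop it or replace it with the case it was meant to cover. The new `forbidden_request?` body calls `Pathname.new(path).absolute?` but the patch adds no `require 'pathname'` to lib/sprockets/server.rb; unless another sprockets file already loads it, the first forbidden request would raise NameError instead of returning 403, so either confirm it is loaded or add `require 'pathname'` at the top of server.rb in the patch. Moving the `forbidden_request?` call below the fingerprint strip is what makes the `.-0000000.` case reject (the strip turns it into a `..` path), and that ordering constraint deserves a comment above the moved check, e.g. `# Must run after fingerprint stripping: removing "-<hex>" can itself produce a ".." segment`. The enclosing `call` method starts and ends outside this hunk.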
diff --git a/rubygem-sprockets.spec b/rubygem-sprockets.spec
index fd483c1..b474d20 100644
--- a/rubygem-sprockets.spec
+++ b/rubygem-sprockets.spec
@@ -4,7 +4,7 @@
 Summary: Rack-based asset packaging system
 Name: rubygem-%{gem_name}
 Version: 2.12.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://getsprockets.org/
@@ -22,6 +22,8 @@ Patch1: rubygem-sprockets-2.12.1-Tests-need-to-be-test_.patch
 Patch2: rubygem-sprockets-2.12.1-assert_raise-assert_raises.patch
 # https://github.com/sstephenson/sprockets/commit/9be057ce5804492c7c5bd1b20ba7da49c5538740
 Patch3: rubygem-sprockets-2.12.1-assert_no_equal-is-gone.patch
+# Fix CVE-2014-7819: Arbitrary file existence disclosure
+Patch4: rubygem-sprockets-2.12.3-CVE-2014-7819.patch
 BuildRequires: ruby(release)
 BuildRequires: rubygems-devel
 BuildRequires: ruby
@@ -63,6 +65,13 @@ Documentation for %{name}
 %setup -q -c -T
 %gem_install -n %{SOURCE0}
 
+# Install test files
+tar xzf %{SOURCE1} -C .%{gem_instdir}
+
+pushd .%{gem_instdir}
+%patch0 -p1
+popd
+
 %build
 
 %install
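Review bot: The new %prep block applies `%patch0 -p1` inside `.%{gem_instdir}`, while the patch this commit adds is declared as Patch4 and is otherwise applied only by the `cat %{PATCH4} | patch -p1` line in the following hunk, which sits after `%install` and before `%files` and so appears to be the %check section; if the buildroot is populated from `.%{gem_instdir}` during %install (not visible here), the lib/sprockets/server.rb half of the CVE fix would never reach the shipped package. Confirm whether `%patch0 -p1` was meant to be `%patch4 -p1`; if so, applying PATCH4 both here and in the later block against the same tree would make the second `patch` run fail on an already-applied hunk unless that block re-extracts the sources first. A short comment above the pushd, e.g. `# Apply the CVE-2014-7819 fix in %prep so the patched lib is what %install packages`, would make the intent explicit.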
@@ -85,11 +94,16 @@ cat %{PATCH0} | patch -p1
 cat %{PATCH1} | patch -p1
 cat %{PATCH2} | patch -p1
 cat %{PATCH3} | patch -p1
+cat %{PATCH4} | patch -p1
 
 # Where does the one additional new line come from? It is probably coused by
 # some version differences, should not have influence on functionality.
 sed -i 's|function() {\\n  (|function() {\\n\\n  (|' test/test_environment.rb
 
+# 4 errors due to missing Gems "eco" and "ejs"
+# 1 failure in test "read ASCII asset"(EncodingTest).
+# https://github.com/sstephenson/sprockets/issues/418
+#testrb -Ilib test | grep '447 tests, 1164 assertions, 1 failures, 4 errors, 0 skips'
 ruby -Ilib:test -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
 popd
 
@@ -100,6 +114,8 @@ popd
 %{gem_instdir}/bin
 %{gem_libdir}
 %exclude %{gem_cache}
+# Not part of upstream release
+%exclude %{gem_instdir}/test
 %{gem_spec}
 
 %files doc
@@ -107,6 +123,9 @@ popd
 %doc %{gem_docdir}
 
 %changelog
+* Tue Nov 18 2014 Josef Stribny <jstribny at redhat.com> - 2.12.1-3
+- Fix CVE-2014-7819 (rhbz#1164331)
+
 * Thu Jun 19 2014 Vít Ondruch <vondruch at redhat.com> - 2.12.1-2
 - Filter tilt requires.
 

