[rubygem-sprockets/f21] Fix CVE-2014-7819 (rhbz#1164331)
Josef Stribny
jstribny at fedoraproject.org
Wed Nov 19 14:13:57 UTC 2014
commit 2983ec9d4019149eb9a0569489a4beb60ae15a6d
Author: Josef Stribny <jstribny at redhat.com>
Date: Wed Nov 19 12:45:54 2014 +0100
Fix CVE-2014-7819 (rhbz#1164331)
rubygem-sprockets-2.12.3-CVE-2014-7819.patch | 91 ++++++++++++++++++++++++++
rubygem-sprockets.spec | 21 ++++++-
2 files changed, 111 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-sprockets-2.12.3-CVE-2014-7819.patch b/rubygem-sprockets-2.12.3-CVE-2014-7819.patch
new file mode 100644
index 0000000..bc5b8f6
--- /dev/null
+++ b/rubygem-sprockets-2.12.3-CVE-2014-7819.patch
@@ -0,0 +1,91 @@
+From 5603069848b97400757637229497256b28c10e31 Mon Sep 17 00:00:00 2001
+From: Josef Stribny <jstribny at redhat.com>
+Date: Tue, 18 Nov 2014 17:54:08 +0100
+Subject: [PATCH] Check for absolute paths in server URL before passing to find
+
+---
+ lib/sprockets/server.rb | 14 +++++++-------
+ test/test_server.rb | 22 ++++++++++++++++++++--
+ 2 files changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/lib/sprockets/server.rb b/lib/sprockets/server.rb
+index e9c2e59..e71f413 100644
+--- a/lib/sprockets/server.rb
++++ b/lib/sprockets/server.rb
+@@ -33,16 +33,16 @@ module Sprockets
+ # Extract the path from everything after the leading slash
+ path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
+
+- # URLs containing a `".."` are rejected for security reasons.
+- if forbidden_request?(path)
+- return forbidden_response
+- end
+-
+ # Strip fingerprint
+ if fingerprint = path_fingerprint(path)
+ path = path.sub("-#{fingerprint}", '')
+ end
+
++ # URLs containing a `".."` are rejected for security reasons.
++ if forbidden_request?(path)
++ return forbidden_response
++ end
++
+ # Look up the asset.
+ asset = find_asset(path, :bundle => !body_only?(env))
+
+@@ -90,7 +90,7 @@ module Sprockets
+ #
+ # http://example.org/assets/../../../etc/passwd
+ #
+- path.include?("..")
++ path.include?("..") || Pathname.new(path).absolute?
+ end
+
+ # Returns a 403 Forbidden response tuple
+@@ -222,7 +222,7 @@ module Sprockets
+ # # => "0aa2105d29558f3eb790d411d7d8fb66"
+ #
+ def path_fingerprint(path)
+- path[/-([0-9a-f]{7,40})\.[^.]+$/, 1]
++ path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1]
+ end
+
+ # URI.unescape is deprecated on 1.9. We need to use URI::Parser
+diff --git a/test/test_server.rb b/test/test_server.rb
+index 41e263d..c5f6a74 100644
+--- a/test/test_server.rb
++++ b/test/test_server.rb
+@@ -183,10 +183,28 @@ class TestServer < Sprockets::TestCase
+ end
+
+ test "illegal require outside load path" do
+- get "/assets/../config/passwd"
++ get "/assets//etc/passwd"
+ assert_equal 403, last_response.status
+
+- get "/assets/%2e%2e/config/passwd"
++ get "/assets/%2fetc/passwd"
++ assert_equal 403, last_response.status
++
++ get "/assets//%2fetc/passwd"
++ assert_equal 403, last_response.status
++
++ get "/assets/%2f/etc/passwd"
++ assert_equal 403, last_response.status
++
++ get "/assets/../etc/passwd"
++ assert_equal 403, last_response.status
++
++ get "/assets/%2e%2e/etc/passwd"
++ assert_equal 403, last_response.status
++
++ get "/assets/.-0000000./etc/passwd"
++ assert_equal 403, last_response.status
++
++ get "/assets/.-0000000./etc/passwd"
+ assert_equal 403, last_response.status
+ end
+
+--
+1.9.3
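Review bot: The comment moved to sit above the check in server.rb still reads "URLs containing a ".." are rejected for security reasons.", which is now incomplete because `forbidden_request?` also rejects absolute paths; suggest `# URLs containing ".." or forming an absolute path are rejected for security reasons.` here and in the doc comment above `path.include?("..") || Pathname.new(path).absolute?`. Moving the check below fingerprint stripping is what makes the `.-0000000./etc/passwd` case work (stripping `-0000000` leaves `../etc/passwd`), and the `$` to `\z` change keeps a trailing newline from ending the match early, so a one-line comment such as `# Check after fingerprint stripping so a stripped fingerprint cannot reassemble ".."` would preserve that reasoning for the next maintainer. In test_server.rb the request `get "/assets/.-0000000./etc/passwd"` is added twice as the last two cases; the second looks like a leftover and should either be a distinct encoding or be dropped. `Pathname` is used without a visible `require 'pathname'` in server.rb; fine if sprockets already loads it elsewhere, otherwise it needs adding. The enclosing `call` method of server.rb starts and ends outside this hunk.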
diff --git a/rubygem-sprockets.spec b/rubygem-sprockets.spec
index fd483c1..b474d20 100644
--- a/rubygem-sprockets.spec
+++ b/rubygem-sprockets.spec
@@ -4,7 +4,7 @@
Summary: Rack-based asset packaging system
Name: rubygem-%{gem_name}
Version: 2.12.1
-Release: 2%{?dist}
+Release: 3%{?dist}
Group: Development/Languages
License: MIT
URL: http://getsprockets.org/
@@ -22,6 +22,8 @@ Patch1: rubygem-sprockets-2.12.1-Tests-need-to-be-test_.patch
Patch2: rubygem-sprockets-2.12.1-assert_raise-assert_raises.patch
# https://github.com/sstephenson/sprockets/commit/9be057ce5804492c7c5bd1b20ba7da49c5538740
Patch3: rubygem-sprockets-2.12.1-assert_no_equal-is-gone.patch
+# Fix CVE-2014-7819: Arbitrary file existence disclosure
+Patch4: rubygem-sprockets-2.12.3-CVE-2014-7819.patch
BuildRequires: ruby(release)
BuildRequires: rubygems-devel
BuildRequires: ruby
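Review bot: The new Patch4 filename carries version 2.12.3 while the spec's Version is 2.12.1 and Patch1–Patch3 are named 2.12.1-...; if the file is a backport of the upstream fix that shipped in 2.12.3, the comment should say so, e.g. `# Fix CVE-2014-7819: Arbitrary file existence disclosure (backport of the upstream 2.12.3 fix)`. Patch3 cites its upstream commit URL in the preceding comment; if an upstream reference exists for this fix, adding it the same way would make the provenance checkable.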
@@ -63,6 +65,13 @@ Documentation for %{name}
%setup -q -c -T
%gem_install -n %{SOURCE0}
+# Install test files
+tar xzf %{SOURCE1} -C .%{gem_instdir}
+
+pushd .%{gem_instdir}
+%patch0 -p1
+popd
+
%build
%install
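Review bot: The new %prep block runs `%patch0 -p1` inside `.%{gem_instdir}` right after extracting the test files, while the next hunk's context shows %check still running `cat %{PATCH0} | patch -p1`; if %check's pushd (outside this hunk) enters the same tree, Patch0 would be applied twice and the second application would fail or prompt. A short comment on the new block, e.g. `# Patch the extracted test files in place; %check applies the remaining patches`, would make the intended split explicit, and the %check line should be dropped if it is now redundant.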
@@ -85,11 +94,16 @@ cat %{PATCH0} | patch -p1
cat %{PATCH1} | patch -p1
cat %{PATCH2} | patch -p1
cat %{PATCH3} | patch -p1
+cat %{PATCH4} | patch -p1
# Where does the one additional new line come from? It is probably coused by
# some version differences, should not have influence on functionality.
sed -i 's|function() {\\n (|function() {\\n\\n (|' test/test_environment.rb
+# 4 errors due to missing Gems "eco" and "ejs"
+# 1 failure in test "read ASCII asset"(EncodingTest).
+# https://github.com/sstephenson/sprockets/issues/418
+#testrb -Ilib test | grep '447 tests, 1164 assertions, 1 failures, 4 errors, 0 skips'
ruby -Ilib:test -e 'Dir.glob "./test/**/test_*.rb", &method(:require)'
popd
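Review bot: `cat %{PATCH4} | patch -p1` is added in %check next to Patch1–3, but %check runs after %install, so whether the CVE-2014-7819 fix reaches the packaged lib/sprockets/server.rb depends on which tree the surrounding pushd enters (not visible in this hunk); if that is a build-dir copy rather than the buildroot, the fix would only affect the test run and the shipped code would stay unpatched. Applying it as `%patch4 -p1` in %prep beside the new `%patch0 -p1` block would remove the ambiguity. The trailing `#testrb -Ilib test | grep '447 tests, ...'` line is a commented-out command with hard-coded counts that the live `ruby -Ilib:test` invocation does not check; either drop it or rephrase the comment to state that the listed errors are expected from this run. The enclosing %check section continues past the hunk.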
@@ -100,6 +114,8 @@ popd
%{gem_instdir}/bin
%{gem_libdir}
%exclude %{gem_cache}
+# Not part of upstream release
+%exclude %{gem_instdir}/test
%{gem_spec}
%files doc
@@ -107,6 +123,9 @@ popd
%doc %{gem_docdir}
%changelog
+* Tue Nov 18 2014 Josef Stribny <jstribny at redhat.com> - 2.12.1-3
+- Fix CVE-2014-7819 (rhbz#1164331)
+
* Thu Jun 19 2014 Vít Ondruch <vondruch at redhat.com> - 2.12.1-2
- Filter tilt requires.