From 0b98fe29b34c6cf86547ea28f4a414ccef21240c Mon Sep 17 00:00:00 2001 From: Akira TAGOH Date: Oct 29 2007 12:53:12 +0000 Subject: - New upstream release. - ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes at trunk to enable the fix without any modifications on the users' scripts. Note that Net::HTTP#enable_post_connection_check isn't available anymore. If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE to Net::HTTP#verify_mode= instead of. --- diff --git a/.cvsignore b/.cvsignore index 99e711a..f855092 100644 --- a/.cvsignore +++ b/.cvsignore @@ -15,3 +15,4 @@ ruby-1.8.5-p12.tar.gz ruby-1.8.6.tar.bz2 ruby-1.8.6-p36.tar.bz2 ruby-1.8.6-p110.tar.bz2 +ruby-1.8.6-p111.tar.bz2 diff --git a/ruby-1.8.6-CVE-2007-5162.patch b/ruby-1.8.6-CVE-2007-5162.patch deleted file mode 100644 index d4e4d68..0000000 --- a/ruby-1.8.6-CVE-2007-5162.patch +++ /dev/null @@ -1,99 +0,0 @@ -diff -ruN ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb ---- ruby-1.8.6-p110.orig/ext/openssl/lib/openssl/ssl.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p110/ext/openssl/lib/openssl/ssl.rb 2007-10-04 22:38:48.000000000 +0900 -@@ -88,7 +88,7 @@ - end - } - end -- raise SSLError, "hostname not match" -+ raise SSLError, "hostname not match with the server certificate" - end - end - -diff -ruN ruby-1.8.6-p110.orig/lib/net/http.rb ruby-1.8.6-p110/lib/net/http.rb ---- ruby-1.8.6-p110.orig/lib/net/http.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p110/lib/net/http.rb 2007-10-04 22:41:34.000000000 +0900 -@@ -470,6 +470,7 @@ - @debug_output = nil - @use_ssl = false - @ssl_context = nil -+ @enable_post_connection_check = true - end - - def inspect -@@ -526,6 +527,9 @@ - false # redefined in net/https - end - -+ # specify enabling SSL server certificate and hostname checking. -+ attr_accessor :enable_post_connection_check -+ - # Opens TCP connection and HTTP session. - # - # When this method is called with block, gives a HTTP object -@@ -584,6 +588,14 @@ - HTTPResponse.read_new(@socket).value - end - s.connect -+ if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE -+ begin -+ s.post_connection_check(@address) -+ rescue OpenSSL::SSL::SSLError => ex -+ raise ex if @enable_post_connection_check -+ warn ex.message -+ end -+ end - end - on_connect - end -diff -ruN ruby-1.8.6-p110.orig/lib/open-uri.rb ruby-1.8.6-p110/lib/open-uri.rb ---- ruby-1.8.6-p110.orig/lib/open-uri.rb 2007-02-13 08:01:19.000000000 +0900 -+++ ruby-1.8.6-p110/lib/open-uri.rb 2007-10-04 22:42:18.000000000 +0900 -@@ -229,6 +229,7 @@ - if target.class == URI::HTTPS - require 'net/https' - http.use_ssl = true -+ http.enable_post_connection_check = true - http.verify_mode = OpenSSL::SSL::VERIFY_PEER - store = OpenSSL::X509::Store.new - store.set_default_paths -@@ -240,16 +241,6 @@ - - resp = nil - http.start { -- if target.class == URI::HTTPS -- # xxx: information hiding violation -- sock = http.instance_variable_get(:@socket) -- if sock.respond_to?(:io) -- sock = sock.io # 1.9 -- else -- sock = sock.instance_variable_get(:@socket) # 1.8 -- end -- sock.post_connection_check(target_host) -- end - req = Net::HTTP::Get.new(request_uri, header) - if options.include? :http_basic_authentication - user, pass = options[:http_basic_authentication] -diff -ruN ruby-1.8.6-p110.orig/version.h ruby-1.8.6-p110/version.h ---- ruby-1.8.6-p110.orig/version.h 2007-09-23 09:01:50.000000000 +0900 -+++ ruby-1.8.6-p110/version.h 2007-10-04 22:42:37.000000000 +0900 -@@ -1,15 +1,15 @@ - #define RUBY_VERSION "1.8.6" --#define RUBY_RELEASE_DATE "2007-09-23" -+#define RUBY_RELEASE_DATE "2007-09-24" - #define RUBY_VERSION_CODE 186 --#define RUBY_RELEASE_CODE 20070923 --#define RUBY_PATCHLEVEL 110 -+#define RUBY_RELEASE_CODE 20070924 -+#define RUBY_PATCHLEVEL 111 - - #define RUBY_VERSION_MAJOR 1 - #define RUBY_VERSION_MINOR 8 - #define RUBY_VERSION_TEENY 6 - #define RUBY_RELEASE_YEAR 2007 - #define RUBY_RELEASE_MONTH 9 --#define RUBY_RELEASE_DAY 23 -+#define RUBY_RELEASE_DAY 24 - - #ifdef RUBY_EXTERN - RUBY_EXTERN const char ruby_version[]; diff --git a/ruby-1.8.6.111-CVE-2007-5162.patch b/ruby-1.8.6.111-CVE-2007-5162.patch new file mode 100644 index 0000000..5ed628d --- /dev/null +++ b/ruby-1.8.6.111-CVE-2007-5162.patch @@ -0,0 +1,97 @@ +diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb +--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/ftptls.rb 2007-02-13 08:01:19.000000000 +0900 ++++ ruby-1.8.6-p111/ext/openssl/lib/net/ftptls.rb 2007-10-29 21:10:24.000000000 +0900 +@@ -29,13 +29,23 @@ require 'net/ftp' + + module Net + class FTPTLS < FTP ++ def connect(host, port=FTP_PORT) ++ @hostname = host ++ super ++ end ++ + def login(user = "anonymous", passwd = nil, acct = nil) ++ store = OpenSSL::X509::Store.new ++ store.set_default_paths + ctx = OpenSSL::SSL::SSLContext.new('SSLv23') ++ ctx.cert_store = store ++ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER + ctx.key = nil + ctx.cert = nil + voidcmd("AUTH TLS") + @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx) + @sock.connect ++ @sock.post_connection_check(@hostname) + super(user, passwd, acct) + voidcmd("PBSZ 0") + end +diff -pruN ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb +--- ruby-1.8.6-p111.orig/ext/openssl/lib/net/telnets.rb 2007-02-13 08:01:19.000000000 +0900 ++++ ruby-1.8.6-p111/ext/openssl/lib/net/telnets.rb 2007-10-29 21:13:03.000000000 +0900 +@@ -134,6 +134,9 @@ module Net + @sock.verify_callback = @options['VerifyCallback'] + @sock.verify_depth = @options['VerifyDepth'] + @sock.connect ++ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE ++ @sock.post_connection_check(@options['Host']) ++ end + @ssl = true + end + '' +diff -pruN ruby-1.8.6-p111.orig/lib/net/http.rb ruby-1.8.6-p111/lib/net/http.rb +--- ruby-1.8.6-p111.orig/lib/net/http.rb 2007-09-24 17:12:24.000000000 +0900 ++++ ruby-1.8.6-p111/lib/net/http.rb 2007-10-29 21:12:12.000000000 +0900 +@@ -470,7 +470,6 @@ module Net #:nodoc: + @debug_output = nil + @use_ssl = false + @ssl_context = nil +- @enable_post_connection_check = false + end + + def inspect +@@ -527,9 +526,6 @@ module Net #:nodoc: + false # redefined in net/https + end + +- # specify enabling SSL server certificate and hostname checking. +- attr_accessor :enable_post_connection_check +- + # Opens TCP connection and HTTP session. + # + # When this method is called with block, gives a HTTP object +@@ -589,12 +585,7 @@ module Net #:nodoc: + end + s.connect + if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE +- begin +- s.post_connection_check(@address) +- rescue OpenSSL::SSL::SSLError => ex +- raise ex if @enable_post_connection_check +- warn ex.message +- end ++ s.post_connection_check(@address) + end + end + on_connect +diff -pruN ruby-1.8.6-p111.orig/lib/net/imap.rb ruby-1.8.6-p111/lib/net/imap.rb +--- ruby-1.8.6-p111.orig/lib/net/imap.rb 2007-08-22 08:28:09.000000000 +0900 ++++ ruby-1.8.6-p111/lib/net/imap.rb 2007-10-29 21:14:38.000000000 +0900 +@@ -900,6 +900,7 @@ module Net + end + @sock = SSLSocket.new(@sock, context) + @sock.connect # start ssl session. ++ @sock.post_connection_check(@host) if verify + else + @usessl = false + end +diff -pruN ruby-1.8.6-p111.orig/lib/open-uri.rb ruby-1.8.6-p111/lib/open-uri.rb +--- ruby-1.8.6-p111.orig/lib/open-uri.rb 2007-09-24 17:12:24.000000000 +0900 ++++ ruby-1.8.6-p111/lib/open-uri.rb 2007-10-29 21:16:03.000000000 +0900 +@@ -229,7 +229,6 @@ module OpenURI + if target.class == URI::HTTPS + require 'net/https' + http.use_ssl = true +- http.enable_post_connection_check = true + http.verify_mode = OpenSSL::SSL::VERIFY_PEER + store = OpenSSL::X509::Store.new + store.set_default_paths diff --git a/ruby.spec b/ruby.spec index eacf5ae..f9e8ae8 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,7 +1,7 @@ %define manver 1.4.6 %define rubyxver 1.8 %define rubyver 1.8.6 -%define _patchlevel 110 +%define _patchlevel 111 %define dotpatchlevel %{?_patchlevel:.%{_patchlevel}} %define patchlevel %{?_patchlevel:-p%{_patchlevel}} %define sitedir %{_libdir}/ruby/site_ruby @@ -11,7 +11,7 @@ Name: ruby Version: %{rubyver}%{?dotpatchlevel} -Release: 2%{?dist} +Release: 1%{?dist} License: Ruby or GPL+ URL: http://www.ruby-lang.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -36,7 +36,7 @@ Patch20: ruby-rubyprefix.patch Patch21: ruby-deprecated-sitelib-search-path.patch Patch22: ruby-deprecated-search-path.patch Patch23: ruby-multilib.patch -Patch24: ruby-1.8.6-CVE-2007-5162.patch +Patch24: ruby-1.8.6.111-CVE-2007-5162.patch Summary: An interpreter of object-oriented scripting language Group: Development/Languages @@ -180,10 +180,6 @@ export CFLAGS --disable-rpath \ --with-ruby-prefix=%{_prefix}/lib -%ifarch ppc -cp Makefile Makefile.orig -sed -e 's/^EXTMK_ARGS[[:space:]].*=\(.*\) --$/EXTMK_ARGS=\1 --disable-tcl-thread --/' Makefile.orig > Makefile -%endif make RUBY_INSTALL_NAME=ruby %{?_smp_mflags} %ifarch ia64 # Miscompilation? Buggy code? @@ -467,6 +463,14 @@ rm -rf tmp-ruby-docs %endif %changelog +* Mon Oct 29 2007 Akira TAGOH - 1.8.6.111-1 +- New upstream release. +- ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes + at trunk to enable the fix without any modifications on the users' scripts. + Note that Net::HTTP#enable_post_connection_check isn't available anymore. + If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE + to Net::HTTP#verify_mode= instead of. + * Mon Oct 15 2007 Akira TAGOH - 1.8.6.110-2 - Enable pthread support for ppc too. (#201452) - Fix unexpected dependencies appears in ruby-libs. (#253325) diff --git a/sources b/sources index effd85c..840df49 100644 --- a/sources +++ b/sources @@ -2,5 +2,4 @@ d65e3a216d6d345a2a6f1aa8758c2f75 ruby-refm-rdp-1.8.1-ja-html.tar.gz 7f3e181c0be9a1579e43a5a8b26372d6 rubyfaq-990927.tar.bz2 8aa2e2da327dc43ff6e46e634eb657b6 rubyfaq-jp-990927.tar.bz2 -eb7f25818cb6993839b38d1f21bd4ea1 ruby-1.8.6-p36.tar.bz2 -39cbf0cc610e636983cb3311bef3f2d0 ruby-1.8.6-p110.tar.bz2 +e1d38b7d4f1be55726d6927a3395ce3b ruby-1.8.6-p111.tar.bz2