From 34f44629e9ba1167cfcf03edeae24b819162072d Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Tue, 18 Jun 2024 10:08:04 +0800
Subject: [PATCH] fix CVE-2024-35221
---
 backport-0001-CVE-2024-35221.patch | 35 +++++++++++
 backport-0002-CVE-2024-35221.patch | 39 ++++++++++++
 backport-0003-CVE-2024-35221.patch | 47 ++++++++++++++
 backport-0004-CVE-2024-35221.patch | 37 +++++++++++
 backport-0005-CVE-2024-35221.patch | 32 ++++++++++
 ...s-Drop-to-support-Psych-3.0-bundled-.patch | 62 +++++++++++++++++++
 ruby.spec | 11 +++-
 7 files changed, 262 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2024-35221.patch
 create mode 100644 backport-0002-CVE-2024-35221.patch
 create mode 100644 backport-0003-CVE-2024-35221.patch
 create mode 100644 backport-0004-CVE-2024-35221.patch
 create mode 100644 backport-0005-CVE-2024-35221.patch
 create mode 100644 backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch
diff --git a/backport-0001-CVE-2024-35221.patch b/backport-0001-CVE-2024-35221.patch
new file mode 100644
index 0000000..dbe2fc6
--- /dev/null
+++ b/backport-0001-CVE-2024-35221.patch
@@ -0,0 +1,35 @@
+From c2812fb616a9a0f31bbc3906a8ec9bad9faec498 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins
+Date: Wed, 7 Feb 2024 12:26:31 -0800
+Subject: [PATCH] [rubygems/rubygems] Control whether YAML aliases are enabled
+ in Gem::SafeYAML.safe_load via a constant
+
+https://github.com/rubygems/rubygems/commit/6bedb1cb79
+
+Reference:https://github.com/ruby/ruby/commit/c2812fb616a9a0f31bbc3906a8ec9bad9faec498
+Conflict:use YAML module not Psych module.
+---
+ lib/rubygems/safe_yaml.rb | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index 3a1ae3b..c536a45 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -24,8 +24,11 @@ module Gem
+ runtime
+ ].freeze
+
++ ALIASES = true # :nodoc:
++ private_constant :ALIASES
++
+ def self.safe_load(input)
+- ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
++ ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: ALIASES)
+ end
+
+ def self.load(input)
+--
+2.33.0
+
+
diff --git a/backport-0002-CVE-2024-35221.patch b/backport-0002-CVE-2024-35221.patch
new file mode 100644
index 0000000..798af0f
--- /dev/null
+++ b/backport-0002-CVE-2024-35221.patch
@@ -0,0 +1,39 @@
+From 5dcc7a03267216feaa587017ef5d6d075b62f75b Mon Sep 17 00:00:00 2001
+From: Samuel Giddins
+Date: Fri, 9 Feb 2024 10:15:40 -0800
+Subject: [PATCH] [rubygems/rubygems] Use a writer method on the module instead
+ of a constant
+
+https://github.com/rubygems/rubygems/commit/240d84eea3
+
+Reference:https://github.com/ruby/ruby/commit/5dcc7a03267216feaa587017ef5d6d075b62f75b
+Conflict:use YAML module not Psych module.
+---
+ lib/rubygems/safe_yaml.rb | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index c536a45..9cf7c13 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -24,11 +24,13 @@ module Gem
+ runtime
+ ].freeze
+
+- ALIASES = true # :nodoc:
+- private_constant :ALIASES
++ @aliases_enabled = true
++ def self.aliases_enabled=(value)
++ @aliases_enabled = !!value
++ end
+
+ def self.safe_load(input)
+- ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: ALIASES)
++ ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: @aliases_enabled)
+ end
+
+ def self.load(input)
+--
+2.33.0
+
+
diff --git a/backport-0003-CVE-2024-35221.patch b/backport-0003-CVE-2024-35221.patch
new file mode 100644
index 0000000..86f2c08
--- /dev/null
+++ b/backport-0003-CVE-2024-35221.patch
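Review bot: After this hunk, and still after 0004 (backport-0004, which keeps the line), `@aliases_enabled = true` is the default, and nothing in the six backported patches sets `Gem::SafeYAML.aliases_enabled = false` from a caller — the only place it is flipped is the test in 0003, which restores it in `ensure`. As packaged, the series therefore adds a process-global toggle while `safe_load` still expands aliases unless some other code turns it off; if the upstream fix depends on a further rubygems change doing that, it is not among the patches listed in ruby.spec, and the changelog entry "fix CVE-2024-35221" should be checked against that before shipping. `test_aliases_enabled_by_default` in 0003 also pins the permissive default, so it would need adjusting if the package chose to default to `false`. Since the flag is mutable module state, a comment on the writer would help: `# process-wide; affects every subsequent safe_load call`.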
@@ -0,0 +1,47 @@
+From 466ed0e1ace6ebf069d444d666f0db3f9224a4b9 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins
+Date: Sat, 10 Feb 2024 19:52:13 -0800
+Subject: [PATCH] [rubygems/rubygems] Add a test for safe yaml
+
+https://github.com/rubygems/rubygems/commit/148deade0a
+
+Reference:https://github.com/ruby/ruby/commit/466ed0e1ace6ebf069d444d666f0db3f9224a4b9
+Conflict:NA
+---
+ test/rubygems/test_gem_safe_yaml.rb | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+ create mode 100644 test/rubygems/test_gem_safe_yaml.rb
+
+diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
+new file mode 100644
+index 0000000000..4f7e400132
+--- /dev/null
++++ b/test/rubygems/test_gem_safe_yaml.rb
+@@ -0,0 +1,23 @@
++# frozen_string_literal: true
++
++require_relative "helper"
++
++Gem.load_yaml
++
++class TestGemSafeYAML < Gem::TestCase
++ def test_aliases_enabled_by_default
++ assert_predicate Gem::SafeYAML, :aliases_enabled?
++ assert_equal({ "a" => "a", "b" => "a" }, Gem::SafeYAML.safe_load("a: &a a\nb: *a\n"))
++ end
++
++ def test_aliases_disabled
++ aliases_enabled = Gem::SafeYAML.aliases_enabled?
++ Gem::SafeYAML.aliases_enabled = false
++ refute_predicate Gem::SafeYAML, :aliases_enabled?
++ assert_raise Psych::AliasesNotEnabled do
++ Gem::SafeYAML.safe_load("a: &a\nb: *a\n")
++ end
++ ensure
++ Gem::SafeYAML.aliases_enabled = aliases_enabled
++ end
++end
+--
+2.33.0
+
+
diff --git a/backport-0004-CVE-2024-35221.patch b/backport-0004-CVE-2024-35221.patch
new file mode 100644
index 0000000..52b4a7f
--- /dev/null
+++ b/backport-0004-CVE-2024-35221.patch
@@ -0,0 +1,37 @@
+From 997470b7b697d267109571d81081453acc73a2f9 Mon Sep 17 00:00:00 2001
+From: Samuel Giddins
+Date: Wed, 14 Feb 2024 00:50:52 -0800
+Subject: [PATCH] [rubygems/rubygems] Commit missing new method
+
+https://github.com/rubygems/rubygems/commit/5265b4ce3d
+
+Reference:https://github.com/ruby/ruby/commit/997470b7b697d267109571d81081453acc73a2f9
+Conflict:NA
+---
+ lib/rubygems/safe_yaml.rb | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index 9cf7c13..5f710b4 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -25,10 +25,14 @@ module Gem
+ ].freeze
+
+ @aliases_enabled = true
+- def self.aliases_enabled=(value)
++ def self.aliases_enabled=(value) # :nodoc:
+ @aliases_enabled = !!value
+ end
+
++ def self.aliases_enabled? # :nodoc:
++ @aliases_enabled
++ end
++
+ def self.safe_load(input)
+ ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: @aliases_enabled)
+ end
+--
+2.33.0
+
+
diff --git a/backport-0005-CVE-2024-35221.patch b/backport-0005-CVE-2024-35221.patch
new file mode 100644
index 0000000..ffe0c09
--- /dev/null
+++ b/backport-0005-CVE-2024-35221.patch
@@ -0,0 +1,32 @@
+From 8bc51a393acfb5af4e446799e51f73e61b0cfc8e Mon Sep 17 00:00:00 2001
+From: Samuel Giddins
+Date: Tue, 20 Feb 2024 11:03:28 -0800
+Subject: [PATCH] [rubygems/rubygems] Check for correct exception on older
+ psych versions
+
+https://github.com/rubygems/rubygems/commit/52de6eccf5
+
+Reference:https://github.com/ruby/ruby/commit/8bc51a393acfb5af4e446799e51f73e61b0cfc8e
+Conflict:NA
+---
+ test/rubygems/test_gem_safe_yaml.rb | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/test/rubygems/test_gem_safe_yaml.rb b/test/rubygems/test_gem_safe_yaml.rb
+index 4f7e400132..02df9f97da 100644
+--- a/test/rubygems/test_gem_safe_yaml.rb
++++ b/test/rubygems/test_gem_safe_yaml.rb
+@@ -14,7 +14,8 @@ def test_aliases_disabled
+ aliases_enabled = Gem::SafeYAML.aliases_enabled?
+ Gem::SafeYAML.aliases_enabled = false
+ refute_predicate Gem::SafeYAML, :aliases_enabled?
+- assert_raise Psych::AliasesNotEnabled do
++ expected_error = defined?(Psych::AliasesNotEnabled) ? Psych::AliasesNotEnabled : Psych::BadAlias
++ assert_raise expected_error do
+ Gem::SafeYAML.safe_load("a: &a\nb: *a\n")
+ end
+ ensure
+--
+2.33.0
+
+
diff --git a/backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch b/backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch
new file mode 100644
index 0000000..7dc29eb
--- /dev/null
+++ b/backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch
@@ -0,0 +1,62 @@
+From 3926ad578c312ddd2ff5221b96ef077b9e24e612 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Thu, 9 Mar 2023 15:42:07 +0900
+Subject: [PATCH] [rubygems/rubygems] Drop to support Psych 3.0 bundled at Ruby
+ 2.5
+
+https://github.com/rubygems/rubygems/commit/a6650c2c96
+
+Reference:https://github.com/ruby/ruby/commit/3926ad578c312ddd2ff5221b96ef077b9e24e612
+Conflict:use YAML module not Psych module.
+---
+ lib/rubygems/safe_yaml.rb | 32 +++++--------------------------
+ 1 file changed, 5 insertions(+), 27 deletions(-)
+
+diff --git a/lib/rubygems/safe_yaml.rb b/lib/rubygems/safe_yaml.rb
+index e905052..702d3c7 100644
+--- a/lib/rubygems/safe_yaml.rb
++++ b/lib/rubygems/safe_yaml.rb
+@@ -24,34 +24,12 @@ module Gem
+ runtime
+ ].freeze
+
+- if ::YAML.respond_to? :safe_load
+- def self.safe_load(input)
+- if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.1.0.pre1')
+- ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
+- else
+- ::YAML.safe_load(input, PERMITTED_CLASSES, PERMITTED_SYMBOLS, true)
+- end
+- end
+-
+- def self.load(input)
+- if Gem::Version.new(Psych::VERSION) >= Gem::Version.new('3.1.0.pre1')
+- ::YAML.safe_load(input, permitted_classes: [::Symbol])
+- else
+- ::YAML.safe_load(input, [::Symbol])
+- end
+- end
+- else
+- unless Gem::Deprecate.skip
+- warn "YAML safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
+- end
+-
+- def self.safe_load(input, *args)
+- ::YAML.load input
+- end
++ def self.safe_load(input)
++ ::YAML.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
++ end
+
+- def self.load(input)
+- ::YAML.load input
+- end
++ def self.load(input)
++ ::YAML.safe_load(input, permitted_classes: [::Symbol])
+ end
+ end
+ end
+--
+2.33.0
+
+
diff --git a/ruby.spec b/ruby.spec
index 8df4587..d8eba7c 100644
--- a/ruby.spec
+++ b/ruby.spec
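Review bot: The new `self.load` passes no `aliases:` argument, so it takes Psych's `safe_load` default of aliases disabled, while `self.safe_load` a few lines above enables them explicitly; the asymmetry is not explained, and the follow-up patches in this series make only the `safe_load` side configurable. A one-line comment would save the next reader a check: `# aliases left at Psych's default (disabled); safe_load opts in explicitly`. Dropping the `::YAML.respond_to? :safe_load` fallback and its `warn` also removes the old-psych path entirely, which is appropriate only if the psych bundled with this package always provides `safe_load` — the spec changelog indicates a Ruby 3.0.3 build, so that appears to hold, but it is worth confirming against the bundled psych version.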
@@ -33,7 +33,7 @@ Name: ruby Version: %{ruby_version} -Release: 134 +Release: 135 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/en/ @@ -194,6 +194,12 @@ Patch6022: backport-0002-CVE-2024-27281.patch Patch6023: backport-0003-CVE-2024-27281.patch Patch6024: backport-CVE-2024-27282.patch Patch6025: backport-Dump-plain-objects-as-RDoc-Options.patch +Patch6026: backport-rubygems-rubygems-Drop-to-support-Psych-3.0-bundled-.patch +Patch6027: backport-0001-CVE-2024-35221.patch +Patch6028: backport-0002-CVE-2024-35221.patch +Patch6029: backport-0003-CVE-2024-35221.patch +Patch6030: backport-0004-CVE-2024-35221.patch +Patch6031: backport-0005-CVE-2024-35221.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -1192,6 +1198,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed %changelog +* Tue Jun 18 2024 shixuantong - 3.0.3-135 +- fix CVE-2024-35221 + * Mon May 27 2024 shixuantong - 3.0.3-134 - Dump plain objects as RDoc::Options so that the generated .rdoc_options file is loadable -- Gitee