diff --git a/backport-CVE-2024-27281-Filter-marshaled-objects.patch b/backport-CVE-2024-27281-Filter-marshaled-objects.patch
new file mode 100644
index 0000000000000000000000000000000000000000..10121508aa8c207e0d74ea711a21d8c46a147f6d
--- /dev/null
+++ b/backport-CVE-2024-27281-Filter-marshaled-objects.patch
@@ -0,0 +1,95 @@
+From 32ff6ba0bebd8ea26f569da5fd23be2937f6a644 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Tue, 20 Feb 2024 17:30:25 +0900
+Subject: [PATCH] Filter marshaled objects
+
+Reference:https://github.com/ruby/rdoc/commit/32ff6ba0bebd8ea26f569da5fd23be2937f6a644
+---
+ lib/rdoc/store.rb | 45 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
+index 999aa76..8851549 100644
+--- a/lib/rdoc/store.rb
++++ b/lib/rdoc/store.rb
+@@ -539,9 +539,7 @@ class RDoc::Store
+ def load_cache
+ #orig_enc = @encoding
+
+- open cache_path, 'rb' do |io|
+- @cache = Marshal.load io.read
+- end
++ @cache = marshal_load(cache_path)
+
+ load_enc = @cache[:encoding]
+
+@@ -596,9 +594,7 @@ class RDoc::Store
+ def load_class_data klass_name
+ file = class_file klass_name
+
+- open file, 'rb' do |io|
+- Marshal.load io.read
+- end
++ marshal_load(file)
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name)
+ error.set_backtrace e.backtrace
+@@ -611,14 +607,10 @@ class RDoc::Store
+ def load_method klass_name, method_name
+ file = method_file klass_name, method_name
+
+- open file, 'rb' do |io|
+- obj = Marshal.load io.read
+- obj.store = self
+- obj.parent =
+- find_class_or_module(klass_name) || load_class(klass_name) unless
+- obj.parent
+- obj
+- end
++ obj = marshal_load(file)
++ obj.store = self
++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name)
++ obj
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name + method_name)
+ error.set_backtrace e.backtrace
+@@ -631,11 +623,9 @@ class RDoc::Store
+ def load_page page_name
+ file = page_file page_name
+
+- open file, 'rb' do |io|
+- obj = Marshal.load io.read
+- obj.store = self
+- obj
+- end
++ obj = marshal_load(file)
++ obj.store = self
++ obj
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, page_name)
+ error.set_backtrace e.backtrace
+@@ -965,4 +955,21 @@ class RDoc::Store
+ @unique_modules
+ end
+
++ private
++ def marshal_load(file)
++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)}
++ end
++
++ MarshalFilter = proc do |obj|
++ case obj
++ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
++ else
++ unless obj.class.name.start_with("RDoc::")
++ raise TypeError, "not permitted class: #{obj.class.name}"
++ end
++ end
++ obj
++ end
++ private_constant :MarshalFilter
++
+ end
+--
+2.33.0
+
diff --git a/backport-CVE-2024-27281-Fix-NoMethodError-for-start_with.patch b/backport-CVE-2024-27281-Fix-NoMethodError-for-start_with.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ccbe86986c43dd79aa3398fdaf6cd950992e3220
--- /dev/null
+++ b/backport-CVE-2024-27281-Fix-NoMethodError-for-start_with.patch
@@ -0,0 +1,26 @@
+From a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Thu, 21 Mar 2024 13:18:13 +0900
+Subject: [PATCH] Fix NoMethodError for start_with
+
+Reference:https://github.com/ruby/rdoc/commit/a5de13bf0f0c26f8e764e82b5bf4bf8bffc7198e
+---
+ lib/rdoc/store.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
+index 8851549..07d03e9 100644
+--- a/lib/rdoc/store.rb
++++ b/lib/rdoc/store.rb
+@@ -964,7 +964,7 @@ class RDoc::Store
+ case obj
+ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
+ else
+- unless obj.class.name.start_with("RDoc::")
++ unless obj.class.name.start_with?("RDoc::")
+ raise TypeError, "not permitted class: #{obj.class.name}"
+ end
+ end
+--
+2.33.0
+
diff --git a/backport-CVE-2024-27281-Use-safe_load-for-.rdoc_options.patch b/backport-CVE-2024-27281-Use-safe_load-for-.rdoc_options.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3ac31d0eb260a6a92177fd39a8fc519959451f04
--- /dev/null
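Review bot: The `MarshalFilter` proc added at the end of `lib/rdoc/store.rb` is a check after the fact: `Marshal.load(io, proc)` calls the proc once an object has already been deserialized, so an instance of a class outside the allow-list has been built (presumably including any custom load hook that class defines) by the time the `TypeError` is raised. That limit deserves a comment above the constant, for example `# Runs after each object is deserialized: rejects the result, does not prevent construction.` The new `TypeError` is also not covered by the `rescue Errno::ENOENT` clauses visible in `load_class_data`, `load_method` and `load_page`, so a rejected file reaches the caller without its path; those method bodies continue outside the hunks. The `start_with` typo in the `else` branch is corrected by the follow-up patch in this commit, but neither patch adds a test that exercises that branch.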
+++ b/backport-CVE-2024-27281-Use-safe_load-for-.rdoc_options.patch 
@@ -0,0 +1,67 @@
+From 60a6d74ebdbb7d585e379526e5639932fdca2904 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA
+Date: Tue, 20 Feb 2024 17:59:57 +0900
+Subject: [PATCH] Use safe_load and safe_load_file for .rdoc_options
+
+Reference:https://github.com/ruby/rdoc/commit/60a6d74ebdbb7d585e379526e5639932fdca2904
+Conflict:
+(1)"return RDoc::Options.new if options == falseā€ not change, it not exists.
+It was introduced in https://github.com/ruby/rdoc/commit/0c8cb25b
+(2) use safe_load not safe_load_file, safe_load_file not exists. It was
+introduced in https://github.com/ruby/ruby/commit/c2a60fec
+(3) use "whitelist_classes=" not "permitted_classes: ", refer to
+https://github.com/ruby/psych/commit/682abf20
+---
+ lib/rdoc/rdoc.rb | 3 ++-
+ test/rdoc/test_rdoc_options.rb | 6 +++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
+index 0095eb7..c0e17d3 100644
+--- a/lib/rdoc/rdoc.rb
++++ b/lib/rdoc/rdoc.rb
+@@ -162,8 +162,9 @@ class RDoc::RDoc
+ RDoc.load_yaml
+
+ begin
+- options = YAML.load_file '.rdoc_options'
++ options = YAML.safe_load File.read('.rdoc_options'), whitelist_classes=[RDoc::Options, Symbol]
+ rescue Psych::SyntaxError
++ raise RDoc::Error, "#{options_file} is not a valid rdoc options file"
+ end
+
+ raise RDoc::Error, "#{options_file} is not a valid rdoc options file" unless
+diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb
+index 400ed9a..247c7c8 100644
+--- a/test/rdoc/test_rdoc_options.rb
++++ b/test/rdoc/test_rdoc_options.rb
+@@ -145,7 +145,7 @@ class TestRDocOptions < RDoc::TestCase
+
+ @options.encoding = Encoding::IBM437
+
+- options = YAML.load YAML.dump @options
++ options = YAML.safe_load(YAML.dump(@options), whitelist_classes=[RDoc::Options, Symbol])
+
+ assert_equal Encoding::IBM437, options.encoding
+ end
+@@ -161,7 +161,7 @@ rdoc_include:
+ - /etc
+ YAML
+
+- options = YAML.load yaml
++ options = YAML.safe_load(yaml, whitelist_classes=[RDoc::Options, Symbol])
+
+ assert_empty options.rdoc_include
+ assert_empty options.static_path
+@@ -729,7 +729,7 @@ rdoc_include:
+
+ assert File.exist? '.rdoc_options'
+
+- assert_equal @options, YAML.load(File.read('.rdoc_options'))
++ assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), whitelist_classes=[RDoc::Options, Symbol])
+ end
+ end
+
+--
+2.33.0
+
diff --git a/ruby.spec b/ruby.spec index 57c0550c9667860d835629bac5d7abc2bb35e9d4..b0ca24c1ff1ab0324511fba0dadcf5bd4089a2cc 100644 --- a/ruby.spec +++ b/ruby.spec @@ -1,6 +1,6 @@ Name: ruby Version: 2.5.8 -Release: 121 +Release: 122 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/ @@ -57,6 +57,9 @@ Patch6013: backport-0001-CVE-2023-28756.patch Patch6014: backport-0002-CVE-2023-28756.patch Patch6015: backport-CVE-2023-36617.patch Patch6016: backport-CVE-2024-27280.patch +Patch6017: backport-CVE-2024-27281-Filter-marshaled-objects.patch +Patch6018: backport-CVE-2024-27281-Use-safe_load-for-.rdoc_options.patch +Patch6019: backport-CVE-2024-27281-Fix-NoMethodError-for-start_with.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -594,6 +597,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %exclude %{gem_dir}/gems/xmlrpc-0.3.0/.* %changelog +* Sat Mar 30 2024 shixuantong - 2.5.8-122 +- fix CVE-2024-27281 + * Tue Mar 26 2024 shixuantong - 2.5.8-121 - fix CVE-2024-27280
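Review bot: `whitelist_classes=[RDoc::Options, Symbol]` in the `lib/rdoc/rdoc.rb` hunk, and at the three call sites in `test/rdoc/test_rdoc_options.rb`, is a local-variable assignment whose value is passed as the second positional argument, not a keyword argument. It restricts loading only if this Psych's `safe_load` takes the class list positionally (the Conflict note suggests it predates `permitted_classes:`), and it leaves an unused local behind; `YAML.safe_load File.read('.rdoc_options'), [RDoc::Options, Symbol]` states the same call without implying a keyword. Separately, only `Psych::SyntaxError` is rescued, so a file naming a class outside the list would presumably surface as `Psych::DisallowedClass` rather than the `RDoc::Error` raised here; `rescue Psych::SyntaxError, Psych::DisallowedClass` would keep the failure uniform. The enclosing method in `rdoc.rb` starts and ends outside the hunk.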