Version in base suite: 1.9.0+20060609-1etch4 Version in overlay suite: (not present) Base version: ruby1.9_1.9.0+20060609-1etch4 Target version: ruby1.9_1.9.0+20060609-1etch5 Base file: /org/ftp.debian.org/ftp/pool/main/r/ruby1.9/ruby1.9_1.9.0+20060609-1etch4.dsc Target file: /org/ftp.debian.org/queue/o-p-u-new/ruby1.9_1.9.0+20060609-1etch5.dsc debian/patches/090301_r22440_OCSP_basic_verify.dpatch | 37 +++ debian/patches/090712_CVE-2009-1904.dpatch | 219 ++++++++++++++++++ ruby1.9-1.9.0+20060609/debian/changelog | 16 + ruby1.9-1.9.0+20060609/debian/patches/00list | 2 4 files changed, 274 insertions(+)
diff -u ruby1.9-1.9.0+20060609/debian/patches/00list ruby1.9-1.9.0+20060609/debian/patches/00list
--- ruby1.9-1.9.0+20060609/debian/patches/00list
+++ ruby1.9-1.9.0+20060609/debian/patches/00list
@@ -12,0 +13,2 @@
+090301_r22440_OCSP_basic_verify
+090712_CVE-2009-1904
diff -u ruby1.9-1.9.0+20060609/debian/changelog ruby1.9-1.9.0+20060609/debian/changelog
--- ruby1.9-1.9.0+20060609/debian/changelog
+++ ruby1.9-1.9.0+20060609/debian/changelog
@@ -1,3 +1,19 @@
+ruby1.9 (1.9.0+20060609-1etch5) oldstable-security; urgency=high
+
+ [ Daigo Moriwaki ]
+ * Added debian/patches/090301_r22440_OCSP_basic_verify.dpatch: It did not
+ properly check the return value from the OCSP_basic_verify function, which
+ might allow remote attackers to successfully present an invalid X.509
+ certificate, possibly involving a revoked certificate. [CVE-2009-0642]
+ (ref: #513528)
+
+ [ Akira Yamada ]
+ * Added debian/patches/090712_CVE-2009-1904.dpatch: It fixes the BigDecimal
+ DoS vulnerability (backported from 1.8.7-p172 and 1.8.7-p174).
+ (CVE-2009-1904; ref: #532689)
+
+ -- akira yamada Fri, 24 Jul 2009 15:56:07 +0900
+
 ruby1.9 (1.9.0+20060609-1etch4) stable-security; urgency=high
 * updated debian/patches/104_rexml_dos.dpatch:
only in patch2:
unchanged:
--- ruby1.9-1.9.0+20060609.orig/debian/patches/090712_CVE-2009-1904.dpatch
+++ ruby1.9-1.9.0+20060609/debian/patches/090712_CVE-2009-1904.dpatch
@@ -0,0 +1,219 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 090712_CVE-2009-1904.dpatch by akira yamada
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad ruby1.9-1.9.0+20060609~/ext/bigdecimal/bigdecimal.c ruby1.9-1.9.0+20060609/ext/bigdecimal/bigdecimal.c
+--- ruby1.9-1.9.0+20060609~/ext/bigdecimal/bigdecimal.c 2005-09-16 16:22:49.000000000 +0900
++++ ruby1.9-1.9.0+20060609/ext/bigdecimal/bigdecimal.c 2009-07-24 16:11:51.000000000 +0900
+@@ -175,17 +175,19 @@
+ BigDecimal_dump(int argc, VALUE *argv, VALUE self)
+ {
+ ENTER(5);
+- char sz[50];
+ Real *vp;
+ char *psz;
+ VALUE dummy;
++ volatile VALUE dump;
++
+ rb_scan_args(argc, argv, "01", &dummy);
+ GUARD_OBJ(vp,GetVpValue(self,1));
+- sprintf(sz,"%lu:",VpMaxPrec(vp)*VpBaseFig());
+- psz = ALLOCA_N(char,(unsigned int)VpNumOfChars(vp,"E")+strlen(sz));
+- sprintf(psz,"%s",sz);
++ dump = rb_str_new(0,VpNumOfChars(vp,"E")+50);
++ psz = RSTRING(dump)->ptr;
++ sprintf(psz,"%lu:",VpMaxPrec(vp)*VpBaseFig());
+ VpToString(vp, psz+strlen(psz), 0, 0);
+- return rb_str_new2(psz);
++ rb_str_resize(dump, strlen(psz));
++ return dump;
+ }
+
+ static VALUE
+@@ -342,6 +344,7 @@
+ ENTER(5);
+ int e,n,i,nf;
+ U_LONG v,b,j;
++ volatile VALUE str;
+ char *psz,*pch;
+ Real *p;
+
+@@ -349,14 +352,14 @@
+
+ /* Infinity or NaN not converted.
*/
+ if(VpIsNaN(p)) {
+- VpException(VP_EXCEPTION_NaN,"Computation results to 'NaN'(Not a Number)",0);
+- return Qnil;
++ VpException(VP_EXCEPTION_NaN,"Computation results to 'NaN'(Not a Number)",1);
++ return Qnil; /* not reached */
+ } else if(VpIsPosInf(p)) {
+- VpException(VP_EXCEPTION_INFINITY,"Computation results to 'Infinity'",0);
+- return Qnil;
++ VpException(VP_EXCEPTION_INFINITY,"Computation results to 'Infinity'",1);
++ return Qnil; /* not reached */
+ } else if(VpIsNegInf(p)) {
+- VpException(VP_EXCEPTION_INFINITY,"Computation results to '-Infinity'",0);
+- return Qnil;
++ VpException(VP_EXCEPTION_INFINITY,"Computation results to '-Infinity'",1);
++ return Qnil; /* not reached */
+ }
+
+ e = VpExponent10(p);
+@@ -366,7 +369,8 @@
+ e = VpGetSign(p)*p->frac[0];
+ return INT2FIX(e);
+ }
+- psz = ALLOCA_N(char,(unsigned int)(e+nf+2));
++ str = rb_str_new(0, e+nf+2);
++ psz = RSTRING(str)->ptr;
+
+ n = (e+nf-1)/nf;
+ pch = psz;
+@@ -406,15 +410,22 @@
+ Real *p;
+ double d, d2;
+ S_LONG e;
++ char *buf;
++ volatile VALUE str;
+
+ GUARD_OBJ(p,GetVpValue(self,1));
+ if(VpVtoD(&d, &e, p)!=1) return rb_float_new(d);
++ if (e > DBL_MAX_10_EXP) goto erange;
++ str = rb_str_new(0, VpNumOfChars(p,"E"));
++ buf = RSTRING(str)->ptr;
++ VpToString(p, buf, 0, 0);
+ errno = 0;
+ d2 = pow(10.0,(double)e);
+ if((errno == ERANGE && e>0) || (d2>1.0 && (fabs(d) > (DBL_MAX / d2)))) {
++ erange:
+ VpException(VP_EXCEPTION_OVERFLOW,"BigDecimal to Float conversion",0);
+- if(d>0.0) return rb_float_new(DBL_MAX);
+- else return rb_float_new(-DBL_MAX);
++ if(d>0.0) d = VpGetDoublePosInf();
++ else d = VpGetDoubleNegInf();
+ }
+ return rb_float_new(d*d2);
+ }
+@@ -1051,6 +1062,7 @@
+ int fmt=0; /* 0:E format */
+ int fPlus=0; /* =0:default,=1: set ' ' before digits ,set '+' before digits.
*/
+ Real *vp;
++ volatile VALUE str;
+ char *psz;
+ char ch;
+ U_LONG nc;
+@@ -1087,14 +1099,16 @@
+ }
+ if(mc>0) nc += (nc + mc - 1) / mc + 1;
+
+- psz = ALLOCA_N(char,(unsigned int)nc);
++ str = rb_str_new(0, nc);
++ psz = RSTRING(str)->ptr;
+
+ if(fmt) {
+ VpToFString(vp, psz, mc, fPlus);
+ } else {
+ VpToString (vp, psz, mc, fPlus);
+ }
+- return rb_str_new2(psz);
++ rb_str_resize(str, strlen(psz));
++ return str;
+ }
+
+ static VALUE
+@@ -1102,24 +1116,29 @@
+ {
+ ENTER(5);
+ Real *vp;
+- VALUE obj,obj1;
++ VALUE obj,str;
+ S_LONG e;
+ S_LONG s;
+ char *psz1;
+
+ GUARD_OBJ(vp,GetVpValue(self,1));
+- psz1 = ALLOCA_N(char,(unsigned int)VpNumOfChars(vp,"E"));
++ str = rb_str_new(0, VpNumOfChars(vp,"E"));
++ psz1 = RSTRING(str)->ptr;
+ VpSzMantissa(vp,psz1);
+ s = 1;
+ if(psz1[0]=='-') {
+- s = -1; ++psz1;
++ int len = strlen(psz1+1);
++
++ memmove(psz1, psz1+1, len);
++ psz1[len] = '\0';
++ s = -1;
+ }
+ if(psz1[0]=='N') s=0; /* NaN */
+ e = VpExponent10(vp);
+- obj1 = rb_str_new2(psz1);
+ obj = rb_ary_new2(4);
+ rb_ary_push(obj, INT2FIX(s));
+- rb_ary_push(obj, obj1);
++ rb_ary_push(obj, str);
++ rb_str_resize(str, strlen(psz1));
+ rb_ary_push(obj, INT2FIX(10));
+ rb_ary_push(obj, INT2NUM(e));
+ return obj;
+@@ -1137,20 +1156,22 @@
+ {
+ ENTER(5);
+ Real *vp;
+- VALUE obj;
++ volatile VALUE obj;
+ unsigned int nc;
+- char *psz1;
+- char *pszAll;
++ char *psz, *tmp;
+
+ GUARD_OBJ(vp,GetVpValue(self,1));
+ nc = VpNumOfChars(vp,"E");
+ nc +=(nc + 9) / 10;
+
+- psz1 = ALLOCA_N(char,nc);
+- pszAll = ALLOCA_N(char,nc+256);
+- VpToString(vp, psz1, 10, 0);
+- sprintf(pszAll,"#",self,psz1,VpPrec(vp)*VpBaseFig(),VpMaxPrec(vp)*VpBaseFig());
+- obj = rb_str_new2(pszAll);
++ obj = rb_str_new(0, nc+256);
++ psz = RSTRING(obj)->ptr;
++ sprintf(psz,"#",VpPrec(vp)*VpBaseFig(),VpMaxPrec(vp)*VpBaseFig());
++ rb_str_resize(obj, strlen(psz));
+ return obj;
+ }
+
+@@ -1880,6 +1901,7 @@
+ int sign=1;
+ Real *vp = NULL;
+ U_LONG mf = VpGetPrecLimit();
++ volatile VALUE buf;
+
+ mx =
 (mx + BASE_FIG - 1) / BASE_FIG + 1; /* Determine allocation unit. */
+ if(szVal) {
+@@ -1906,7 +1928,8 @@
+ }
+
+ /* Skip all spaces */
+- psz = ALLOCA_N(char,strlen(szVal)+1);
++ buf = rb_str_new(0,strlen(szVal)+1);
++ psz = RSTRING(buf)->ptr;
+ i = 0;
+ ipn = 0;
+ while(psz[i]=szVal[ipn]) {
+@@ -2988,7 +3011,7 @@
+ nc += fprintf(fp, "0.");
+ n = a->Prec;
+ for(i=0;i < n;++i) {
+- m = BASE1;
++ m = BASE1;
+ e = a->frac[i];
+ while(m) {
+ nn = e / m;
only in patch2:
unchanged:
--- ruby1.9-1.9.0+20060609.orig/debian/patches/090301_r22440_OCSP_basic_verify.dpatch
+++ ruby1.9-1.9.0+20060609/debian/patches/090301_r22440_OCSP_basic_verify.dpatch
@@ -0,0 +1,37 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 090301_r22440_OCSP_basic_verify.dpatch by akira yamada
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+@DPATCH@
+diff -urNad ruby1.9-1.9.0+20060609~/ext/openssl/ossl_ocsp.c ruby1.9-1.9.0+20060609/ext/openssl/ossl_ocsp.c
+--- ruby1.9-1.9.0+20060609~/ext/openssl/ossl_ocsp.c 2005-01-23 05:26:29.000000000 +0900
++++ ruby1.9-1.9.0+20060609/ext/openssl/ossl_ocsp.c 2009-07-24 15:52:45.000000000 +0900
+@@ -589,22 +589,22 @@
+ static VALUE
+ ossl_ocspbres_verify(int argc, VALUE *argv, VALUE self)
+ {
+- VALUE certs, store, flags;
++ VALUE certs, store, flags, result;
+ OCSP_BASICRESP *bs;
+ STACK_OF(X509) *x509s;
+ X509_STORE *x509st;
+- int flg, result;
++ int flg;
+
+ rb_scan_args(argc, argv, "21", &certs, &store, &flags);
+ x509st = GetX509StorePtr(store);
+ flg = NIL_P(flags) ? 0 : INT2NUM(flags);
+ x509s = ossl_x509_ary2sk(certs);
+ GetOCSPBasicRes(self, bs);
+- result = OCSP_basic_verify(bs, x509s, x509st, flg);
++ result = OCSP_basic_verify(bs, x509s, x509st, flg) > 0 ? Qtrue : Qfalse;
+ sk_X509_pop_free(x509s, X509_free);
+ if(!result) rb_warn("%s", ERR_error_string(ERR_peek_error(), NULL));
+
+- return result ? Qtrue : Qfalse;
++ return result;
+ }
+
+ /*
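Review bot: In the BigDecimal_to_f hunk of the 090712_CVE-2009-1904 dpatch, the new `if (e > DBL_MAX_10_EXP) goto erange;` jumps into the overflow branch before `d2 = pow(10.0,(double)e);` has executed, and that branch now falls through to the unchanged `return rb_float_new(d*d2);`, so `d2` (declared `double d, d2;` with no initializer) is read uninitialized and multiplied with the infinity just stored in `d` — undefined behaviour that can produce NaN or a wrongly signed infinity instead of the ±Infinity the fix intends. The overflow branch should return instead of falling through: replace the two assignments with `if(d>0.0) return rb_float_new(VpGetDoublePosInf());` / `else return rb_float_new(VpGetDoubleNegInf());`. The `str = rb_str_new(...)`, `buf = RSTRING(str)->ptr;` and `VpToString(p, buf, 0, 0);` lines added before `errno = 0;` are dead in this backport — nothing reads `buf` afterwards, which suggests a `strtod(buf, 0)` step was dropped — so either use the buffer or remove it together with the `char *buf;` and `volatile VALUE str;` declarations. The dpatch header still reads `## DP: No description.`; it should state that ALLOCA_N buffers sized from attacker-controlled precision are replaced by heap Ruby strings for CVE-2009-1904.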
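Review bot: The context line `flg = NIL_P(flags) ? 0 : INT2NUM(flags);` in ossl_ocspbres_verify converts in the wrong direction and this commit leaves it untouched: `flags` is already a Ruby VALUE, and INT2NUM re-tags it as a Fixnum rather than decoding it, so the C int passed to OCSP_basic_verify is the tagged representation of the caller's number. With the usual 2n+1 Fixnum tagging (assumed here, verify against this tree's ruby.h) a caller passing 0 hands OpenSSL 0x3 and a caller passing 4 hands it 0x13, which includes 0x10 — OCSP_NOVERIFY in OpenSSL's public header — i.e. stray bits can disable exactly the signer verification this CVE-2009-0642 fix is tightening; the line should read `flg = NIL_P(flags) ? 0 : NUM2INT(flags);`. The new `result` is a VALUE while the untouched `if(!result) rb_warn(...)` still treats it as a C boolean, which only works because Qfalse is 0 in this tree; `if(result == Qfalse)` would make the warning independent of that encoding. The header's `## DP: No description.` should name CVE-2009-0642 and upstream r22440 so the purpose is visible without the changelog.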