jruby: Several security vulnerabilities

Debian Bug report logs - #895778


Reported by: Markus Koschany <apo@debian.org>

Date: Sun, 15 Apr 2018 20:45:05 UTC

Severity: grave

Tags: security

Found in versions jruby/9.1.13.0-1, jruby/1.7.26-1

Fixed in versions jruby/9.1.17.0-1, jruby/1.7.26-1+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#895778; Package jruby. (Sun, 15 Apr 2018 20:45:07 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 15 Apr 2018 20:45:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: jruby: Several security vulnerabilities
Date: Sun, 15 Apr 2018 22:41:39 +0200
[Message part 1 (text/plain, inline)]
Package: jruby
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for jruby. Apparently
rubygems is embedded into jruby, which makes it vulnerable to them.

CVE-2018-1000079[0]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in gem installation that can result
| in the gem could write to arbitrary filesystem locations during
| installation. This attack appears to be exploitable via the victim must
| install a malicious gem. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-1000078[1]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Cross Site Scripting (XSS) vulnerability in gem server display of
| homepage attribute that can result in XSS. This attack appears to be
| exploitable via the victim must browse to a malicious gem on a
| vulnerable gem server. This vulnerability appears to have been fixed
| in 2.7.6.

CVE-2018-1000077[2]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
| Improper Input Validation vulnerability in ruby gems specification
| homepage attribute that can result in a malicious gem could set an
| invalid homepage URL. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-1000076[3]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
| Improper Verification of Cryptographic Signature vulnerability in
| package.rb that can result in a mis-signed gem could be installed, as
| the tarball would contain multiple gem signatures. This vulnerability
| appears to have been fixed in 2.7.6.

CVE-2018-1000075[4]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains an
| infinite loop caused by negative size vulnerability in ruby gem
| package tar header that can result in a negative size could cause an
| infinite loop. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-1000074[5]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Deserialization of Untrusted Data vulnerability in owner command that
| can result in code execution. This attack appears to be exploitable via
| victim must run the `gem owner` command on a gem with a specially
| crafted YAML file. This vulnerability appears to have been fixed in
| 2.7.6.

CVE-2018-1000073[6]:
| RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
| 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5
| series: 2.5.0 and earlier, prior to trunk revision 62422 contains a
| Directory Traversal vulnerability in install_location function of
| package.rb that can result in path traversal when writing to a
| symlinked basedir outside of the root. This vulnerability appears to
| have been fixed in 2.7.6.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000079
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000079
[1] https://security-tracker.debian.org/tracker/CVE-2018-1000078
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000078
[2] https://security-tracker.debian.org/tracker/CVE-2018-1000077
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000077
[3] https://security-tracker.debian.org/tracker/CVE-2018-1000076
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000076
[4] https://security-tracker.debian.org/tracker/CVE-2018-1000075
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000075
[5] https://security-tracker.debian.org/tracker/CVE-2018-1000074
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000074
[6] https://security-tracker.debian.org/tracker/CVE-2018-1000073
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000073

Please adjust the affected versions in the BTS as needed.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#895778; Package jruby. (Sun, 15 Apr 2018 20:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 15 Apr 2018 20:51:03 GMT) (full text, mbox, link).


Message #10 received at 895778@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: 895778@bugs.debian.org
Subject: Re: Bug#895778: jruby: Several security vulnerabilities
Date: Sun, 15 Apr 2018 22:48:10 +0200
[Message part 1 (text/plain, inline)]
I intend to work on the patches for Jessie and Stretch. Unstable could
be a bit more complicated due to the FTBFS with OpenJDK 9.

Markus

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#895778; Package jruby. (Mon, 16 Apr 2018 17:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Miguel Landaeta <nomadium@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 16 Apr 2018 17:33:02 GMT) (full text, mbox, link).


Message #15 received at 895778@bugs.debian.org (full text, mbox, reply):

From: Miguel Landaeta <nomadium@debian.org>
To: 895778@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>
Subject: Re: Bug#895778: jruby: Several security vulnerabilities
Date: Mon, 16 Apr 2018 18:31:26 +0100
[Message part 1 (text/plain, inline)]
On Sun, Apr 15, 2018 at 10:48:10PM +0200, Markus Koschany wrote:
> I intend to work on the patches for Jessie and Stretch. Unstable could
> be a bit more complicated due to the FTBFS with OpenJDK 9.

Hi Markus,

Thanks for taking care of jessie and stretch.

I expect to be able to update jruby in unstable soon, although there
is some pending work to do, as I mentioned in #895837.

These days I'm more involved with that project as upstream, so I haven't
found enough time to work on this package yet.

Cheers,
Miguel.

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#895778; Package jruby. (Sun, 29 Apr 2018 21:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 29 Apr 2018 21:39:04 GMT) (full text, mbox, link).


Message #20 received at 895778@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Miguel Landaeta <nomadium@debian.org>
Cc: 895778@bugs.debian.org
Subject: Re: Bug#895778: jruby: Several security vulnerabilities
Date: Sun, 29 Apr 2018 23:34:11 +0200
[Message part 1 (text/plain, inline)]
Hi Miguel,

I have prepared security updates for Jessie and Stretch. Unfortunately I
discovered that jruby in Jessie FTBFS at the moment. This is unrelated
to the patches.

Do you know how to resolve that?

generate-method-classes:

_gmc_internal_:
     [echo] Generating invokers...
     [java] Exception in thread "main" java.lang.ClassFormatError: Duplicate method name&signature in class file org/jruby/RubyFixnum$i_method_multi$RUBYINVOKER$to_s
     [java]     at java.lang.ClassLoader.defineClass1(Native Method)
     [java]     at java.lang.ClassLoader.defineClass(ClassLoader.java:803)
     [java]     at org.jruby.util.JRubyClassLoader.defineClass(JRubyClassLoader.java:39)
     [java]     at org.jruby.internal.runtime.methods.DumpingInvocationMethodFactory.endClass(DumpingInvocationMethodFactory.java:64)
     [java]     at org.jruby.internal.runtime.methods.InvocationMethodFactory.getAnnotatedMethodClass(InvocationMethodFactory.java:721)
     [java]     at org.jruby.anno.InvokerGenerator.main(InvokerGenerator.java:45)

I'm attaching the stretch debdiff to this bug report and will push the
patches for Jessie.

Cheers,

Markus
[jruby_stretch.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Added blocking bug(s) of 895778: 895837 Request was from Miguel Landaeta <nomadium@debian.org> to control@bugs.debian.org. (Tue, 29 May 2018 21:03:05 GMT) (full text, mbox, link).


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 12 Jun 2018 22:06:15 GMT) (full text, mbox, link).


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Tue, 12 Jun 2018 22:06:15 GMT) (full text, mbox, link).


Message #27 received at 895778-close@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: 895778-close@bugs.debian.org
Subject: Bug#895778: fixed in jruby 1.7.26-1+deb9u1
Date: Tue, 12 Jun 2018 22:03:57 +0000
Source: jruby
Source-Version: 1.7.26-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
jruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 895778@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Apr 2018 22:24:33 +0200
Source: jruby
Binary: jruby
Architecture: source all
Version: 1.7.26-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 jruby      - 100% pure-Java implementation of Ruby
Closes: 895778
Changes:
 jruby (1.7.26-1+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-1000073: Directory Traversal vulnerability in install_location
     function of package.rb that can result in path traversal when writing to a
     symlinked basedir outside of the root.
   * Fix CVE-2018-1000074: possible Unsafe Object Deserialization Vulnerability
     in gem owner.
   * Fix CVE-2018-1000075: Strictly interpret octal fields in tar headers to
     avoid infinite loop
   * Fix CVE-2018-1000076: Raise a security error when there are duplicate
     files in a package
   * Fix CVE-2018-1000077: Enforce URL validation on spec homepage attribute.
   * Fix CVE-2018-1000078: Mitigate XSS vulnerability in homepage attribute
     when displayed via gem server.
   * Fix CVE-2018-1000079: Directory Traversal vulnerability in gem installation
     that can result in writing to arbitrary filesystem locations during
     installation of malicious gems.
     (Closes: #895778)
Checksums-Sha1:
 77a1a63dbd114dc1889acfc4f70629f3a0b78e8b 3212 jruby_1.7.26-1+deb9u1.dsc
 e1a304da12f6cc5db9d2a9a6f6f885c82b568bed 10228992 jruby_1.7.26.orig.tar.gz
 aeb515f6e7112b82ab19f0e7eb08494d492f6622 92000 jruby_1.7.26-1+deb9u1.debian.tar.xz
 6b19ad31fa00fe64a865a0fbb3c841df27e93509 49204708 jruby_1.7.26-1+deb9u1_all.deb
 3760127488659ec0ac376f5093858c3b0bef0c1b 17605 jruby_1.7.26-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 ec52c2bb87310172b117dcc67d43f858bf56b481d14f2a91556d58c97da87308 3212 jruby_1.7.26-1+deb9u1.dsc
 37bfdbf6bbf1fba7d1976d381517e86506790bd8f4a43a870c1e76de29b082ad 10228992 jruby_1.7.26.orig.tar.gz
 c9f823ac388e1cd0b22ea3d22bc7cbfaf722632d9c05dbb26fa4e39fc1e16874 92000 jruby_1.7.26-1+deb9u1.debian.tar.xz
 7c5196fa3dc7a4287e9e0ecdc23db16d45512dc5f788eec3e5d17b6743f89f75 49204708 jruby_1.7.26-1+deb9u1_all.deb
 e3f45ef92ba375652cd47450642ef613eadb79c4ba23ee706ee7778b263d1ebf 17605 jruby_1.7.26-1+deb9u1_amd64.buildinfo
Files:
 40fdd7260a9af15595a0a7f8efdb5b92 3212 ruby optional jruby_1.7.26-1+deb9u1.dsc
 c8d965f03ebb9b97e168bc40d81a9b91 10228992 ruby optional jruby_1.7.26.orig.tar.gz
 f491676ad338441619efe57c7de067d8 92000 ruby optional jruby_1.7.26-1+deb9u1.debian.tar.xz
 29843476714c9158a6e0b57c087d30a5 49204708 ruby optional jruby_1.7.26-1+deb9u1_all.deb
 9dd3df6943fc4809566218bd2176602b 17605 ruby optional jruby_1.7.26-1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
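As an added example, not code from RubyGems, JRuby or the Debian package, the following Ruby sketches the four kinds of defensive check that the changelog above describes for the quoted CVEs: strict octal parsing of tar header fields (CVE-2018-1000075), install-path containment that follows symlinks (CVE-2018-1000073 and CVE-2018-1000079), rejection of duplicate archive entries (CVE-2018-1000076), and homepage URL validation (CVE-2018-1000077 and CVE-2018-1000078). The function names, the `UnsafePackage` error class and the temporary-directory fixture are this example's own assumptions; the real fixes live in RubyGems' package code and differ in detail.

```ruby
# Added example: defensive checks modelled on the bug classes in this report.
# Function names and the UnsafePackage error are this example's own, not
# RubyGems' API.
require "uri"
require "tmpdir"
require "fileutils"

class UnsafePackage < StandardError; end

# True when the block raises UnsafePackage (used by the self-checks below).
def rejected?
  yield
  false
rescue UnsafePackage
  true
end

# Tar header numeric fields are ASCII octal padded with NUL or space.
# String#oct is lenient ("-12".oct == -10, "0x1f".oct == 31); a negative
# size handed to a loop that counts down remaining bytes never ends, so
# accept octal digits only.
def strict_oct(field)
  str = field.sub(/[\x00 ]+\z/, "")
  raise UnsafePackage, "non-octal tar field #{field.inspect}" unless str =~ /\A[0-7]*\z/
  str.oct
end

# Compute where an entry would land and require that it stay under
# destination.  realpath follows symlinks, so a directory that has been
# symlinked out of the tree is caught; absolute names, ".." components and
# dangling symlinks are rejected outright.
def safe_install_location(destination, entry_name)
  raise UnsafePackage, "empty entry name" if entry_name.empty?
  raise UnsafePackage, "absolute entry name #{entry_name}" if entry_name.start_with?("/")
  raise UnsafePackage, "traversal in #{entry_name}" if entry_name.split("/").include?("..")
  dest_real = File.realpath(destination)
  target = File.join(dest_real, entry_name)
  # Extraction creates parent directories as it goes, so resolve the deepest
  # ancestor that already exists and append the rest unchanged.
  existing = File.dirname(target)
  rest = [File.basename(target)]
  until File.exist?(existing)
    raise UnsafePackage, "dangling symlink under #{entry_name}" if File.symlink?(existing)
    rest.unshift(File.basename(existing))
    existing = File.dirname(existing)
  end
  resolved = File.join(File.realpath(existing), *rest)
  unless resolved.start_with?(dest_real + File::SEPARATOR)
    raise UnsafePackage, "#{entry_name} resolves to #{resolved}, outside #{destination}"
  end
  resolved
end

# Builds a constructed temp tree with inside/link -> outside and checks that
# an entry named "link/evil.txt" is refused.  Fixture only, not a real gem.
def symlink_escape_detected?
  Dir.mktmpdir do |tmp|
    inside = File.join(tmp, "inside")
    outside = File.join(tmp, "outside")
    FileUtils.mkdir_p([inside, outside])
    File.symlink(outside, File.join(inside, "link"))
    rejected? { safe_install_location(inside, "link/evil.txt") }
  end
end

# A package must not carry two entries with the same name (for example two
# signature files, only one of which was verified).
def reject_duplicate_entries(entry_names)
  seen = {}
  entry_names.each do |name|
    raise UnsafePackage, "duplicate entry #{name}" if seen[name]
    seen[name] = true
  end
  entry_names
end

# A spec homepage must be an absolute http(s) URL with a host; anything else
# (javascript:, relative paths, unparsable strings) is refused rather than
# stored and later rendered by gem server.
def valid_homepage?(url)
  uri = URI.parse(url)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

if $PROGRAM_NAME == __FILE__
  puts "lenient: #{'-12'.oct}  strict rejects: #{rejected? { strict_oct('-12') }}"
  puts "symlink escape detected: #{symlink_escape_detected?}"
end
```

The containment check deliberately resolves the deepest existing ancestor rather than the final path, because during extraction the leaf file does not exist yet; it is the already-present directory (possibly a symlink planted by an earlier entry) that decides where the write actually lands.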




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jul 2018 07:32:37 GMT) (full text, mbox, link).


Bug unarchived. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 18 Feb 2019 21:54:04 GMT) (full text, mbox, link).


Added indication that 895778 affects 9.1.13.0-1^ Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 18 Feb 2019 21:54:06 GMT) (full text, mbox, link).


Added indication that 895778 affects 9.1.13.0-1 Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Mon, 18 Feb 2019 21:54:08 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Mar 2019 07:31:36 GMT) (full text, mbox, link).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Mar 2019 07:54:02 GMT) (full text, mbox, link).


Marked as found in versions jruby/9.1.13.0-1 and reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Mar 2019 07:54:04 GMT) (full text, mbox, link).


Marked as fixed in versions jruby/9.1.17.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Mar 2019 07:57:03 GMT) (full text, mbox, link).


Marked as found in versions jruby/1.7.26-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Mar 2019 07:57:05 GMT) (full text, mbox, link).


Removed indication that 895778 affects 9.1.13.0-1 and 9.1.13.0-1^ Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Mar 2019 07:57:07 GMT) (full text, mbox, link).


Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Mar 2019 08:03:06 GMT) (full text, mbox, link).


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Sun, 24 Mar 2019 08:03:06 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 22 Apr 2019 07:26:38 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:43:44 2019; Machine Name: beach
