jruby: CVE-2011-4838


Debian Bug report logs - #686867

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 6 Sep 2012 20:09:01 UTC

Severity: grave

Tags: patch, security

Fixed in version jruby/1.5.6-4

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#686867; Package jruby. (Thu, 06 Sep 2012 20:09:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 06 Sep 2012 20:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jruby: CVE-2011-4838
Date: Thu, 06 Sep 2012 22:03:58 +0200
Package: jruby
Severity: grave
Tags: security
Justification: user security hole

Hi,
jruby in Wheezy is still affected by http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
http://www.nruns.com/_downloads/advisory28122011.pdf

Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?

Cheers,
        Moritz
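The report links the CVE entry and the n.runs advisory without saying what the flaw is. CVE-2011-4838 is JRuby's entry in that advisory: before 1.6.5.1 the hash of a String was predictable, so anyone who controls the keys an application stores in a Hash (HTTP parameter names are the usual case) can precompute many colliding keys and push every insert and lookup into the same bucket. The Ruby script below is an added illustration of that attack class; it is not code from JRuby, the advisory or this bug log. Its toy_hash is Java's classic 31-multiplier string hash, assumed here only because its collisions are easy to build by hand, and is not JRuby's actual pre-fix hash function. The "seeded" comparison uses the host Ruby's own String#hash, which is randomized per process.

```ruby
# Added illustration of the hash-flooding class behind CVE-2011-4838.
# toy_hash is Java's 31-multiplier string hash (an assumption chosen for easy
# collision construction), NOT JRuby's actual pre-1.6.5.1 hash function.

TOY_MASK = 0xFFFFFFFF

# Unkeyed, deterministic hash: identical across processes and hosts, so an
# attacker can precompute its collisions offline.
def toy_hash(str)
  str.each_byte.inject(0) { |h, b| (h * 31 + b) & TOY_MASK }
end

# "Aa" and "BB" both hash to 2112 under toy_hash (65*31+97 == 66*31+66).
# Concatenating n such interchangeable blocks yields 2**n distinct strings
# that all share one hash value.
def collision_set(n)
  blocks = ["Aa", "BB"]
  (0...(1 << n)).map do |i|
    (0...n).map { |bit| blocks[(i >> bit) & 1] }.join
  end
end

# Simulate a chained hash table with `buckets` slots; return the longest chain,
# which is the per-operation cost an attacker is trying to maximise.
def longest_chain(keys, buckets)
  counts = Hash.new(0)
  keys.each { |k| counts[yield(k) % buckets] += 1 }
  counts.values.max
end

# Compare the same attacker-chosen keys under the unkeyed toy hash and under
# this Ruby's String#hash, which is seeded randomly per process.
def demo(n = 12, buckets = 1024)
  keys = collision_set(n)
  {
    keys:    keys.size,
    flooded: longest_chain(keys, buckets) { |k| toy_hash(k) },
    seeded:  longest_chain(keys, buckets) { |k| k.hash },
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "#{r[:keys]} keys: longest chain #{r[:flooded]} (unkeyed) vs #{r[:seeded]} (seeded)"
end
```

With n = 12 the 4096 attacker keys all land in one bucket under the unkeyed hash, so each insert scans the whole chain, while the seeded hash spreads the same keys over the table. The fix class that 1.6.5.1 belongs to is exactly this move from a predictable hash to a keyed one.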



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#686867; Package jruby. (Tue, 18 Sep 2012 22:21:06 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 18 Sep 2012 22:21:06 GMT)


Message #10 received at 686867@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 686867@bugs.debian.org, control@bugs.debian.org
Subject: Re: jruby: CVE-2011-4838
Date: Wed, 19 Sep 2012 00:17:43 +0200
[Message part 1 (text/plain, inline)]
tags 686867 patch
thanks

On Thu, Sep 06, 2012 at 10:03:58PM +0200, Moritz Muehlenhoff wrote:
> Package: jruby
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> jruby in Wheezy is still affected by http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
> http://www.nruns.com/_downloads/advisory28122011.pdf
> 
> Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?

Wheezy has 1.5.6, not 1.6.5.

Anyway, I've extracted the patch, it's attached.

Cheers,
        Moritz
[CVE-2011-4838.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Moritz Mühlenhoff <jmm@inutil.org> to control@bugs.debian.org. (Tue, 18 Sep 2012 22:21:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#686867; Package jruby. (Thu, 20 Sep 2012 04:21:06 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 20 Sep 2012 04:21:06 GMT)


Message #17 received at 686867@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: jmm@inutil.org, 686867@bugs.debian.org
Cc: henrich@debian.org
Subject: Re: Bug#686867: jruby: CVE-2011-4838
Date: Wed, 19 Sep 2012 21:16:51 -0700
[Message part 1 (text/plain, inline)]
On 09/18/2012 03:17 PM, Moritz Mühlenhoff wrote:
> tags 686867 patch
> thanks
> 
> On Thu, Sep 06, 2012 at 10:03:58PM +0200, Moritz Muehlenhoff wrote:
>> Package: jruby
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Hi,
>> jruby in Wheezy is still affected by http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4838
>> http://www.nruns.com/_downloads/advisory28122011.pdf
>> 
>> Since Wheezy already has 1.6.5, updating to 1.6.5.1 seems like a good idea?
> 
> Wheezy has 1.5.6, not 1.6.5.
> 
> Anyway, I've extracted the patch, it's attached.
> 
> Cheers,
>         Moritz

Hello Moritz,

Thank you for attaching the patch.  I have it applying cleanly and am in
the process of preparing an upload.  However, currently the jruby
package is FTBFS due to an issue with one of its build-deps, nailgun,
which is installing a bad symlink.

> $ ls -al /usr/share/java/nailgun*
> -rw-r--r-- 1 root root 25607 Jul 18 22:54 /usr/share/java/nailgun-0.9.0.jar
> -rw-r--r-- 1 root root  7048 Jul 18 22:54 /usr/share/java/nailgun-examples-0.9.0.jar
> lrwxrwxrwx 1 root root    17 Jul 18 22:54 /usr/share/java/nailgun.jar -> nailgun-0.7.1.jar

Anyway, that's a separate bug. Just wanted to comment that this bug is
being worked on.

Cheers,
tony




[signature.asc (application/pgp-signature, attachment)]
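The FTBFS tony describes came from a build-dependency that installed nailgun.jar as a symlink to a jar name that no longer exists; `ls -al` shows the link but does not flag that it dangles. The script below is an added example, not from the bug report or from the nailgun or jruby packages: it rebuilds that layout in a temporary directory (the file names are the ones from tony's listing, the directory is constructed), lists every dangling symlink beneath it the way a pre-upload check on a staged package tree would, and shows the corrected link resolving.

```ruby
require "find"
require "fileutils"
require "tmpdir"

# Added example, not from the bug report or the nailgun/jruby packages: find
# symlinks whose target is missing, e.g. a nailgun.jar still pointing at a
# jar name from an older upstream version.

# Return [link_path, target] for every dangling symlink beneath dir.
# File.symlink? looks at the link itself; File.exist? follows it, so the
# pair is true exactly when the link exists but its target does not.
def dangling_links(dir)
  found = []
  Find.find(dir) do |path|
    found << [path, File.readlink(path)] if File.symlink?(path) && !File.exist?(path)
  end
  found
end

# Constructed fixture reproducing the layout quoted in the thread: 0.9.0 jars
# installed, unversioned link still aimed at the 0.7.1 name.
def make_fixture
  dir = Dir.mktmpdir("nailgun-check")
  java = File.join(dir, "usr", "share", "java")
  FileUtils.mkdir_p(java)
  FileUtils.touch(File.join(java, "nailgun-0.9.0.jar"))
  FileUtils.touch(File.join(java, "nailgun-examples-0.9.0.jar"))
  File.symlink("nailgun-0.7.1.jar", File.join(java, "nailgun.jar"))
  dir
end

# Repoint the unversioned link at the jar that actually exists, which is what
# the corrected nailgun.links later in the thread does.
def fix_link(dir, version = "0.9.0")
  link = File.join(dir, "usr", "share", "java", "nailgun.jar")
  File.unlink(link) if File.symlink?(link)
  File.symlink("nailgun-#{version}.jar", link)
  link
end

if __FILE__ == $PROGRAM_NAME
  # With a directory argument, scan it; otherwise scan the constructed fixture.
  root = ARGV.first || make_fixture
  dangling_links(root).each { |link, target| puts "#{link} -> #{target} (dangling)" }
  FileUtils.rm_rf(root) unless ARGV.first
end
```

Run it with the staged package directory (the tree debhelper assembles under debian/ before building the .deb) as the argument and a non-empty result is a reason not to upload; the same scan over a chroot's /usr/share/java would have caught the 0.7.1 link before jruby's build tripped over it.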

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#686867; Package jruby. (Thu, 20 Sep 2012 14:09:06 GMT)


Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 20 Sep 2012 14:09:06 GMT)


Message #22 received at 686867@bugs.debian.org:

From: Hideki Yamane <henrich@debian.or.jp>
To: tony mancill <tmancill@debian.org>
Cc: jmm@inutil.org, 686867@bugs.debian.org
Subject: Re: Bug#686867: jruby: CVE-2011-4838
Date: Thu, 20 Sep 2012 23:05:38 +0900
On Wed, 19 Sep 2012 21:16:51 -0700
tony mancill <tmancill@debian.org> wrote:
> Thank you for attaching the patch.  I have it applying cleanly and am in
> the process of preparing an upload.  However, currently the jruby
> package is FTBFS due to an issue with one of its build-deps, nailgun,
> which is installing a bad symlink.
> 
> > $ ls -al /usr/share/java/nailgun*
> > -rw-r--r-- 1 root root 25607 Jul 18 22:54 /usr/share/java/nailgun-0.9.0.jar
> > -rw-r--r-- 1 root root  7048 Jul 18 22:54 /usr/share/java/nailgun-examples-0.9.0.jar
> > lrwxrwxrwx 1 root root    17 Jul 18 22:54 /usr/share/java/nailgun.jar -> nailgun-0.7.1.jar

 It's my mistake to have used a static version for the symlink... sorry for the mess.
 And there was a bit of confusion about versioning, so I prepared a fix as below.
 If it seems to be okay, I'll upload it to unstable.


diff -Nru nailgun-0.7.1+trunk95/debian/changelog nailgun-0.9.0+trunk95/debian/changelog
--- nailgun-0.7.1+trunk95/debian/changelog	2012-07-19 07:54:01.000000000 +0900
+++ nailgun-0.9.0+trunk95/debian/changelog	2012-09-20 23:01:12.000000000 +0900
@@ -1,3 +1,12 @@
+nailgun (0.9.0+trunk95-1) unstable; urgency=low
+
+  * Bump up version number since it produces jar files with version as 
+    0.9.0. Nothing changed in upstream source.
+  * debian/nailgun.links
+    - fix symlink, don't use static version number.
+
+ -- Hideki Yamane <henrich@debian.org>  Thu, 20 Sep 2012 22:58:48 +0900
+
 nailgun (0.7.1+trunk95-1) unstable; urgency=medium
 
   * Taken from Subversion repository
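Review bot: the new entry's "fix symlink, don't use static version number" does not match what the accompanying nailgun.links change can do: a .links file is installed by dh_link as written, so a wildcard in the source name is not expanded and the link would still dangle (the follow-up message in this thread confirms that). Reword the entry to name the jar the build actually produces, `nailgun-0.9.0.jar` per the listing quoted above, or describe generating the link from debian/rules. The line "version as " also carries trailing whitespace.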
@@ -8,7 +17,7 @@
   * debian/patches
     - refresh all two patches
     - add "name_define_as_ng-nailgun_ng.c.patch" to avoid
-      ClassNotFoundException (Closes: LP#793859)
+      ClassNotFoundException (LP: #793859)
     - add "Makefile_enable_hardening.patch" to enable hardening
   * debian/rules
     - enable hardening
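Review bot: this hunk edits the already-released 0.7.1+trunk95-1 entry, turning `Closes: LP#793859` into `LP: #793859`. The new form is the one Launchpad recognises, but rewriting a published changelog entry is unusual; either mention the correction in the new 0.9.0+trunk95-1 entry so the history explains itself, or drop this hunk and keep the upload to the symlink fix.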
diff -Nru nailgun-0.7.1+trunk95/debian/nailgun.links nailgun-0.9.0+trunk95/debian/nailgun.links
--- nailgun-0.7.1+trunk95/debian/nailgun.links	2010-08-23 04:33:49.000000000 +0900
+++ nailgun-0.9.0+trunk95/debian/nailgun.links	2012-09-20 22:57:45.000000000 +0900
@@ -1 +1 @@
-usr/share/java/nailgun-0.7.1.jar	usr/share/java/nailgun.jar
+usr/share/java/nailgun-*.jar	usr/share/java/nailgun.jar
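Review bot: `usr/share/java/nailgun-*.jar` as a link source will not be expanded; dh_link creates the symlink with that literal target, so /usr/share/java/nailgun.jar would point at a non-existent `nailgun-*.jar` and jruby's build would fail exactly as it does now. Use the concrete filename the build emits, and check the staged package with `test -e debian/nailgun/usr/share/java/nailgun.jar` before upload; that check would also have caught the stale 0.7.1 link.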




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#686867; Package jruby. (Thu, 20 Sep 2012 14:15:05 GMT)


Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 20 Sep 2012 14:15:05 GMT)


Message #27 received at 686867@bugs.debian.org:

From: Hideki Yamane <henrich@debian.or.jp>
To: Hideki Yamane <henrich@debian.or.jp>
Cc: tony mancill <tmancill@debian.org>, jmm@inutil.org, 686867@bugs.debian.org
Subject: Re: Bug#686867: jruby: CVE-2011-4838
Date: Thu, 20 Sep 2012 23:11:15 +0900
On Thu, 20 Sep 2012 23:05:38 +0900
Hideki Yamane <henrich@debian.or.jp> wrote:
> > > $ ls -al /usr/share/java/nailgun*

 The previous one is wrong, sending it again...
 (I mistakenly thought debian/package.links would expand * to the matching file)


diff -Nru nailgun-0.7.1+trunk95/debian/changelog nailgun-0.9.0+trunk95/debian/changelog
--- nailgun-0.7.1+trunk95/debian/changelog	2012-07-19 07:54:01.000000000 +0900
+++ nailgun-0.9.0+trunk95/debian/changelog	2012-09-20 23:08:33.000000000 +0900
@@ -1,3 +1,12 @@
+nailgun (0.9.0+trunk95-1) unstable; urgency=low
+
+  * Bump up version number since it produces jar files with version as 
+    0.9.0. Nothing changed in upstream source.
+  * debian/nailgun.links
+    - fix symlink, change to 0.9.0
+
+ -- Hideki Yamane <henrich@debian.org>  Thu, 20 Sep 2012 22:58:48 +0900
+
 nailgun (0.7.1+trunk95-1) unstable; urgency=medium
 
   * Taken from Subversion repository
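Review bot: "fix symlink, change to 0.9.0" re-hardcodes the version string that just broke, so the next upstream build that emits a differently named jar will dangle the link again unless nailgun.links is updated in the same upload. Add a build-time guard in debian/rules (for example `test -e debian/nailgun/usr/share/java/nailgun.jar` after dh_link) so a stale link fails the build instead of shipping. The entry also keeps the 22:58:48 timestamp from the earlier draft although the file header shows it was redone at 23:08; refresh it before upload.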
@@ -8,7 +17,7 @@
   * debian/patches
     - refresh all two patches
     - add "name_define_as_ng-nailgun_ng.c.patch" to avoid
-      ClassNotFoundException (Closes: LP#793859)
+      ClassNotFoundException (LP: #793859)
     - add "Makefile_enable_hardening.patch" to enable hardening
   * debian/rules
     - enable hardening
diff -Nru nailgun-0.7.1+trunk95/debian/nailgun.links nailgun-0.9.0+trunk95/debian/nailgun.links
--- nailgun-0.7.1+trunk95/debian/nailgun.links	2010-08-23 04:33:49.000000000 +0900
+++ nailgun-0.9.0+trunk95/debian/nailgun.links	2012-09-20 23:07:51.000000000 +0900
@@ -1 +1 @@
-usr/share/java/nailgun-0.7.1.jar	usr/share/java/nailgun.jar
+usr/share/java/nailgun-0.9.0.jar	usr/share/java/nailgun.jar
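Review bot: the target now names the jar that is actually installed (`nailgun-0.9.0.jar` in tony's listing), so the link resolves and jruby can build, but it is the same fixed-name pattern that produced the dangling 0.7.1 link. Because the target is relative, `ls -al` cannot tell you whether it resolves; verify with `test -e` on the link in the staged package, and since the jar's version comes from the upstream build rather than the Debian version, keep that check in debian/rules so the two cannot drift apart silently again.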



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#686867; Package jruby. (Thu, 20 Sep 2012 19:15:06 GMT)


Acknowledgement sent to tony mancill <tmancill@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 20 Sep 2012 19:15:06 GMT)


Message #32 received at 686867@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: Hideki Yamane <henrich@debian.or.jp>
Cc: jmm@inutil.org, 686867@bugs.debian.org
Subject: Re: Bug#686867: jruby: CVE-2011-4838
Date: Thu, 20 Sep 2012 12:10:30 -0700
[Message part 1 (text/plain, inline)]
On 09/20/2012 07:05 AM, Hideki Yamane wrote:
>  It's my mistake to have used a static version for the symlink... sorry for the mess.
>  And there was a bit of confusion about versioning, so I prepared a fix as below.
>  If it seems to be okay, I'll upload it to unstable.

Hello Hideki,

Thank you for the quick response.  The 2nd patch you supplied looks good
to me.

Also, I determined that I can build the jruby package successfully
against the nailgun package in wheezy, which I think might be preferable
anyway since this is a security bug that is being targeted for wheezy
(right?).  The dependency on nailgun is a build-dep only, meaning that
it doesn't appear in the jruby Depends, and jruby is an architecture
"any" package.

Moritz, for this bug with respect to wheezy, would you prefer that an
updated package be uploaded to unstable + an unblock request, or would
this be a case for targeting testing-security?

Thank you,
tony


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#686867; Package jruby. (Thu, 20 Sep 2012 19:57:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 20 Sep 2012 19:57:03 GMT)


Message #37 received at 686867@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: tony mancill <tmancill@debian.org>
Cc: Hideki Yamane <henrich@debian.or.jp>, 686867@bugs.debian.org
Subject: Re: Bug#686867: jruby: CVE-2011-4838
Date: Thu, 20 Sep 2012 21:51:23 +0200
On Thu, Sep 20, 2012 at 12:10:30PM -0700, tony mancill wrote:
> On 09/20/2012 07:05 AM, Hideki Yamane wrote:
> >  It's my mistake to have used a static version for the symlink... sorry for the mess.
> >  And there was a bit of confusion about versioning, so I prepared a fix as below.
> >  If it seems to be okay, I'll upload it to unstable.
> 
> Hello Hideki,
> 
> Thank you for the quick response.  The 2nd patch you supplied looks good
> to me.
> 
> Also, I determined that I can build the jruby package successfully
> against the nailgun package in wheezy, which I think might be preferable
> anyway since this is a security bug that is being targeted for wheezy
> (right?).  The dependency on nailgun is a build-dep only, meaning that
> it doesn't appear in the jruby Depends, and jruby is an architecture
> "any" package.
> 
> Moritz, for this bug with respect to wheezy, would you prefer that an
> updated package be uploaded to unstable + an unblock request, or would
> this be a case for targeting testing-security?

testing-security doesn't work currently (only testing-proposed-updates works),
so getting this via unstable (urgency=medium) and an unblock request is the
way to go forward.

Cheers,
        Moritz



Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Thu, 20 Sep 2012 22:21:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 20 Sep 2012 22:21:03 GMT)


Message #42 received at 686867-close@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 686867-close@bugs.debian.org
Subject: Bug#686867: fixed in jruby 1.5.6-4
Date: Thu, 20 Sep 2012 22:17:59 +0000
Source: jruby
Source-Version: 1.5.6-4

We believe that the bug you reported is fixed in the latest version of
jruby, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 686867@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated jruby package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 20 Sep 2012 13:36:31 -0700
Source: jruby
Binary: jruby
Architecture: source all
Version: 1.5.6-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description: 
 jruby      - 100% pure-Java implementation of Ruby
Closes: 686867
Changes: 
 jruby (1.5.6-4) unstable; urgency=medium
 .
   * Team upload.
   * Add patch for CVE-2011-4838 (Closes: #686867)
     - Thanks to Moritz Muehlenhoff
Checksums-Sha1: 
 9753adb8aa9532f77beb71108dcddf1962f939e2 2281 jruby_1.5.6-4.dsc
 900afd94a1301d6ecbff3993f01d551e496eb01e 29503 jruby_1.5.6-4.debian.tar.gz
 a4b68b42e72e9deb049bdf54467c34b18f5cd385 8912168 jruby_1.5.6-4_all.deb
Checksums-Sha256: 
 e56f79085cb8429be292bb1288a24dac15308b6e2810dd086806290e4ecf84a7 2281 jruby_1.5.6-4.dsc
 b704d051e046b718db6eb32d7d31541a47cd47d3558242681f867ebff9141d60 29503 jruby_1.5.6-4.debian.tar.gz
 8fd0f27a65164c610e2d09ad4126e6cd088b5a19a384cb543ea9cff9c0419473 8912168 jruby_1.5.6-4_all.deb
Files: 
 7e0ca248c7dbb64d03429b540e740bc7 2281 ruby optional jruby_1.5.6-4.dsc
 c2729773cfbe2ce044a497fe4b7159dc 29503 ruby optional jruby_1.5.6-4.debian.tar.gz
 7024648f4b05c9273ab1fb1d4803968b 8912168 ruby optional jruby_1.5.6-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
[armored signature data omitted]
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:11:30 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:58:23 2019; Machine Name: buxtehude
