From 8954d1b3b4d349435eba0ae9cd0e3df64ce32000 Mon Sep 17 00:00:00 2001 From: Maqsood Ahmad Date: Thu, 29 Aug 2024 18:34:08 +0530 Subject: [PATCH] (PA-6282) RDoc vulnerability in Puppet7/Ruby 2.7.8 (CVE-2024-27281) --- configs/components/ruby-2.7.8.rb | 3 + ...0001-Filter-marshaled-objects-ruby30.patch | 94 +++++++++++++++++++ ...-and-safe_load_file-for-rdoc_options.patch | 57 +++++++++++ 3 files changed, 154 insertions(+) create mode 100644 resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch create mode 100644 resources/patches/ruby_27/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch diff --git a/configs/components/ruby-2.7.8.rb b/configs/components/ruby-2.7.8.rb index 3ef82786b..f708889a9 100644 --- a/configs/components/ruby-2.7.8.rb +++ b/configs/components/ruby-2.7.8.rb @@ -43,6 +43,9 @@ pkg.apply_patch "#{base}/uri-redos-cve-2023-36617.patch" pkg.apply_patch "#{base}/stringio_cve-2024-27280.patch" + pkg.apply_patch "#{base}/0001-Filter-marshaled-objects-ruby30.patch" + pkg.apply_patch "#{base}/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch" + if platform.is_cross_compiled? unless platform.is_macos? pkg.apply_patch "#{base}/uri_generic_remove_safe_nav_operator_r2.5.patch" diff --git a/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch b/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch new file mode 100644 index 000000000..7741d321b --- /dev/null +++ b/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch @@ -0,0 +1,94 @@ +From 6a35becc9ac9f4b27b1d5b5b1fb8cf7aa9b49d5d Mon Sep 17 00:00:00 2001 +From: Hiroshi SHIBATA +Date: Tue, 20 Feb 2024 17:30:25 +0900 +Subject: [PATCH] Filter marshaled objects + +--- + lib/rdoc/store.rb | 45 ++++++++++++++++++++++++++------------------- + 1 file changed, 26 insertions(+), 19 deletions(-) + +diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb +index 5ba671ca1b..5b663d73fb 100644 +--- a/lib/rdoc/store.rb ++++ b/lib/rdoc/store.rb +@@ -556,9 +556,7 @@ def load_all + def load_cache + #orig_enc = @encoding + +- File.open cache_path, 'rb' do |io| +- @cache = Marshal.load io.read +- end ++ @cache = marshal_load(cache_path) + + load_enc = @cache[:encoding] + +@@ -615,9 +613,7 @@ def load_class klass_name + def load_class_data klass_name + file = class_file klass_name + +- File.open file, 'rb' do |io| +- Marshal.load io.read +- end ++ marshal_load(file) + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name) + error.set_backtrace e.backtrace +@@ -630,14 +626,10 @@ def load_class_data klass_name + def load_method klass_name, method_name + file = method_file klass_name, method_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io.read +- obj.store = self +- obj.parent = +- find_class_or_module(klass_name) || load_class(klass_name) unless +- obj.parent +- obj +- end ++ obj = marshal_load(file) ++ obj.store = self ++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name) ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, klass_name + method_name) + error.set_backtrace e.backtrace +@@ -650,11 +642,9 @@ def load_method klass_name, method_name + def load_page page_name + file = page_file page_name + +- File.open file, 'rb' do |io| +- obj = Marshal.load io.read +- obj.store = self +- obj +- end ++ obj = marshal_load(file) ++ obj.store = self ++ obj + rescue Errno::ENOENT => e + error = MissingFileError.new(self, file, page_name) + error.set_backtrace e.backtrace +@@ -976,4 +966,21 @@ def unique_modules + @unique_modules + end + ++ private ++ def marshal_load(file) ++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)} ++ end ++ ++ MarshalFilter = proc do |obj| ++ case obj ++ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text ++ else ++ unless obj.class.name.start_with("RDoc::") ++ raise TypeError, "not permitted class: #{obj.class.name}" ++ end ++ end ++ obj ++ end ++ private_constant :MarshalFilter ++ + end +-- +2.43.2 + diff --git a/resources/patches/ruby_27/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch b/resources/patches/ruby_27/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch new file mode 100644 index 000000000..70bd18b84 --- /dev/null +++ b/resources/patches/ruby_27/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch @@ -0,0 +1,57 @@ +author Marc Deslauriers 2024-06-19 10:33:00 -0400 +committer git-ubuntu importer 2024-06-26 12:22:56 +0000 +commit 7584287c1cf59926252197badedde2cbc08e084c (patch) +tree 246e4fa465245f04c53f82cfb8cfeda7ea843db4 +parent 7128299adb87ba73094732751d96621648db1bce (diff) +[PATCH] Use safe_load and safe_load_file for .rdoc_options +Gbp-Pq: CVE-2024-27281-2.patch. +Diffstat +-rw-r--r-- lib/rdoc/rdoc.rb 3 +-rw-r--r-- test/rdoc/test_rdoc_options.rb 6 +2 files changed, 5 insertions, 4 deletions +diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb +index 605172ae..f6105c68 100644 +--- a/lib/rdoc/rdoc.rb ++++ b/lib/rdoc/rdoc.rb +@@ -156,8 +156,9 @@ class RDoc::RDoc + RDoc.load_yaml + + begin +- options = YAML.load_file '.rdoc_options' ++ options = YAML.safe_load_file '.rdoc_options', permitted_classes: [RDoc::Options, Symbol] + rescue Psych::SyntaxError ++ raise RDoc::Error, "#{options_file} is not a valid rdoc options file" + end + + raise RDoc::Error, "#{options_file} is not a valid rdoc options file" unless +diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb +index 140c4afc..f547f5bf 100644 +--- a/test/rdoc/test_rdoc_options.rb ++++ b/test/rdoc/test_rdoc_options.rb +@@ -145,7 +145,7 @@ class TestRDocOptions < RDoc::TestCase + + @options.encoding = Encoding::IBM437 + +- options = YAML.load YAML.dump @options ++ options = YAML.safe_load(YAML.dump(@options), permitted_classes: [RDoc::Options, Symbol]) + + assert_equal Encoding::IBM437, options.encoding + end +@@ -161,7 +161,7 @@ rdoc_include: + - /etc + YAML + +- options = YAML.load yaml ++ options = YAML.safe_load(yaml, permitted_classes: [RDoc::Options, Symbol]) + + assert_empty options.rdoc_include + assert_empty options.static_path +@@ -749,7 +749,7 @@ rdoc_include: + + assert File.exist? '.rdoc_options' + +- assert_equal @options, YAML.load(File.read('.rdoc_options')) ++ assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol]) + end + end +