puppetlabs · joshcooper · Aug 31, 2024 · Aug 29, 2024
@@ -43,6 +43,9 @@
  pkg.apply_patch "#{base}/uri-redos-cve-2023-36617.patch"
  pkg.apply_patch "#{base}/stringio_cve-2024-27280.patch"
 
+ pkg.apply_patch "#{base}/0001-Filter-marshaled-objects-ruby30.patch"
+ pkg.apply_patch "#{base}/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch"
+
  if platform.is_cross_compiled?
  unless platform.is_macos?
  pkg.apply_patch "#{base}/uri_generic_remove_safe_nav_operator_r2.5.patch"

@@ -0,0 +1,94 @@
+From 6a35becc9ac9f4b27b1d5b5b1fb8cf7aa9b49d5d Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Tue, 20 Feb 2024 17:30:25 +0900
+Subject: [PATCH] Filter marshaled objects
+
+---
+ lib/rdoc/store.rb | 45 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
+index 5ba671ca1b..5b663d73fb 100644
+--- a/lib/rdoc/store.rb
++++ b/lib/rdoc/store.rb
+@@ -556,9 +556,7 @@ def load_all
+ def load_cache
+ #orig_enc = @encoding
+
+- File.open cache_path, 'rb' do |io|
+- @cache = Marshal.load io.read
+- end
++ @cache = marshal_load(cache_path)
+
+ load_enc = @cache[:encoding]
+
+@@ -615,9 +613,7 @@ def load_class klass_name
+ def load_class_data klass_name
+ file = class_file klass_name
+
+- File.open file, 'rb' do |io|
+- Marshal.load io.read
+- end
++ marshal_load(file)
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name)
+ error.set_backtrace e.backtrace
+@@ -630,14 +626,10 @@ def load_class_data klass_name
+ def load_method klass_name, method_name
+ file = method_file klass_name, method_name
+
+- File.open file, 'rb' do |io|
+- obj = Marshal.load io.read
+- obj.store = self
+- obj.parent =
+- find_class_or_module(klass_name) || load_class(klass_name) unless
+- obj.parent
+- obj
+- end
++ obj = marshal_load(file)
++ obj.store = self
++ obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name)
++ obj
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, klass_name + method_name)
+ error.set_backtrace e.backtrace
+@@ -650,11 +642,9 @@ def load_method klass_name, method_name
+ def load_page page_name
+ file = page_file page_name
+
+- File.open file, 'rb' do |io|
+- obj = Marshal.load io.read
+- obj.store = self
+- obj
+- end
++ obj = marshal_load(file)
++ obj.store = self
++ obj
+ rescue Errno::ENOENT => e
+ error = MissingFileError.new(self, file, page_name)
+ error.set_backtrace e.backtrace
+@@ -976,4 +966,21 @@ def unique_modules
+ @unique_modules
+ end
+
++ private
++ def marshal_load(file)
++ File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)}
++ end
++
++ MarshalFilter = proc do |obj|
++ case obj
++ when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
++ else
++ unless obj.class.name.start_with("RDoc::")
++ raise TypeError, "not permitted class: #{obj.class.name}"
++ end
++ end
++ obj
++ end
++ private_constant :MarshalFilter
++
+ end
+-- 
+2.43.2
+
@@ -0,0 +1,57 @@
+author Marc Deslauriers <marc.deslauriers@ubuntu.com> 2024-06-19 10:33:00 -0400
+committer git-ubuntu importer <ubuntu-devel-discuss@lists.ubuntu.com> 2024-06-26 12:22:56 +0000
+commit 7584287c1cf59926252197badedde2cbc08e084c (patch)
+tree 246e4fa465245f04c53f82cfb8cfeda7ea843db4
+parent 7128299adb87ba73094732751d96621648db1bce (diff)
+[PATCH] Use safe_load and safe_load_file for .rdoc_options
+Gbp-Pq: CVE-2024-27281-2.patch.
+Diffstat
+-rw-r--r-- lib/rdoc/rdoc.rb 3
+-rw-r--r-- test/rdoc/test_rdoc_options.rb 6
+2 files changed, 5 insertions, 4 deletions
+diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
+index 605172ae..f6105c68 100644
+--- a/lib/rdoc/rdoc.rb
++++ b/lib/rdoc/rdoc.rb
+@@ -156,8 +156,9 @@ class RDoc::RDoc
+ RDoc.load_yaml
+
+ begin
+- options = YAML.load_file '.rdoc_options'
++ options = YAML.safe_load_file '.rdoc_options', permitted_classes: [RDoc::Options, Symbol]
+ rescue Psych::SyntaxError
++ raise RDoc::Error, "#{options_file} is not a valid rdoc options file"
+ end
+
+ raise RDoc::Error, "#{options_file} is not a valid rdoc options file" unless
+diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb
+index 140c4afc..f547f5bf 100644
+--- a/test/rdoc/test_rdoc_options.rb
++++ b/test/rdoc/test_rdoc_options.rb
+@@ -145,7 +145,7 @@ class TestRDocOptions < RDoc::TestCase
+
+ @options.encoding = Encoding::IBM437
+
+- options = YAML.load YAML.dump @options
++ options = YAML.safe_load(YAML.dump(@options), permitted_classes: [RDoc::Options, Symbol])
+
+ assert_equal Encoding::IBM437, options.encoding
+ end
+@@ -161,7 +161,7 @@ rdoc_include:
+ - /etc
+ YAML
+
+- options = YAML.load yaml
++ options = YAML.safe_load(yaml, permitted_classes: [RDoc::Options, Symbol])
+
+ assert_empty options.rdoc_include
+ assert_empty options.static_path
+@@ -749,7 +749,7 @@ rdoc_include:
+
+ assert File.exist? '.rdoc_options'
+
+- assert_equal @options, YAML.load(File.read('.rdoc_options'))
++ assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol])
+ end
+ end
+