From: Markus Koschany <apo@debian.org>
Date: Sun, 29 Apr 2018 21:34:44 +0200
Subject: CVE-2018-1000075
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
Origin: https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83
---
 lib/ruby/shared/rubygems/package/tar_header.rb | 23 +++++++++++++---------
 .../rubygems/test_gem_package_tar_header.rb | 20 +++++++++++++++++++
 2 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/lib/ruby/shared/rubygems/package/tar_header.rb b/lib/ruby/shared/rubygems/package/tar_header.rb
index f9ab13a..9b457ec 100644
--- a/lib/ruby/shared/rubygems/package/tar_header.rb
+++ b/lib/ruby/shared/rubygems/package/tar_header.rb
@@ -103,25 +103,30 @@ class Gem::Package::TarHeader
 fields = header.unpack UNPACK_FORMAT
 new :name => fields.shift,
- :mode => fields.shift.oct,
- :uid => fields.shift.oct,
- :gid => fields.shift.oct,
- :size => fields.shift.oct,
- :mtime => fields.shift.oct,
- :checksum => fields.shift.oct,
+ :mode => strict_oct(fields.shift),
+ :uid => strict_oct(fields.shift),
+ :gid => strict_oct(fields.shift),
+ :size => strict_oct(fields.shift),
+ :mtime => strict_oct(fields.shift),
+ :checksum => strict_oct(fields.shift),
 :typeflag => fields.shift,
 :linkname => fields.shift,
 :magic => fields.shift,
- :version => fields.shift.oct,
+ :version => strict_oct(fields.shift),
 :uname => fields.shift,
 :gname => fields.shift,
- :devmajor => fields.shift.oct,
- :devminor => fields.shift.oct,
+ :devmajor => strict_oct(fields.shift),
+ :devminor => strict_oct(fields.shift),
 :prefix => fields.shift,
 :empty => empty
 end
+ def self.strict_oct(str)
+ return str.oct if str =~ /\A[0-7]*\z/
+ raise ArgumentError, "#{str.inspect} is not an octal string"
+ end
+
 ##
 # Creates a new TarHeader using +vals+
diff --git a/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb b/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
index 5d85543..0ddb440 100644
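Review bot: `strict_oct` has no doc comment, unlike the neighbouring methods that are introduced with `##` blocks, and two facts a reader needs are left unstated: it deliberately accepts the empty string (so a field that is all padding still parses as 0), and it presumably relies on the preceding `header.unpack UNPACK_FORMAT` having already stripped the field's trailing NUL/space terminator, since `/\A[0-7]*\z/` would otherwise reject every well-formed field. A comment such as `# Parses an already-stripped octal header field; any character outside [0-7] raises instead of being silently dropped by String#oct, so a corrupt or crafted header cannot yield a wrong size, mode or checksum.` would capture this. Note that fields using a non-octal encoding (for example the high-bit base-256 form some tar writers use for large sizes) now raise ArgumentError rather than being misparsed; callers of `TarHeader.from` outside this hunk need to expect that exception, and if the bundled rubygems has a package-level error class for invalid archives, raising it here would let them tell a bad archive from a programming error. `from` itself begins above the hunk.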
--- a/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
+++ b/test/externals/ruby1.9/rubygems/test_gem_package_tar_header.rb
@@ -126,5 +126,25 @@ group\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
 assert_equal '012467', @tar_header.checksum
 end
+ def test_from_bad_octal
+ test_cases = [
+ "00000006,44\000", # bogus character
+ "00000006789\000", # non-octal digit
+ "+0000001234\000", # positive sign
+ "-0000001000\000", # negative sign
+ "0x000123abc\000", # radix prefix
+ ]
+
+ test_cases.each do |val|
+ header_s = @tar_header.to_s
+ # overwrite the size field
+ header_s[124, 12] = val
+ io = TempIO.new header_s
+ assert_raises ArgumentError do
+ new_header = Gem::Package::TarHeader.from io
+ end
+ end
+ end
+
 end
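Review bot: `test_from_bad_octal` only corrupts the size field (`header_s[124, 12] = val`), while the change under test routes mode, uid, gid, mtime, checksum, version, devmajor and devminor through the same `strict_oct`; corrupting at least one other octal field as well (for example the 8-byte mode field at offset 100) would keep those call sites covered if they ever diverge. The local `new_header` inside `assert_raises` is assigned but never read, so `Gem::Package::TarHeader.from io` on its own is enough. A positive case asserting that a field reduced to the empty string still parses as 0 would pin the boundary the `[0-7]*` regex intentionally allows, assuming the unpack step strips the NUL padding as the existing tests seem to rely on. The enclosing test class begins above the hunk, and `TempIO` comes from a helper not visible here.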