(PA-6282) RDoc vulnerability in Puppet7/Ruby 2.7.8 (CVE-2024-27281)

puppetlabs · Aug 30, 2024 · 8954d1b · 8954d1b
1 parent 3224edb
commit 8954d1b
Show file tree

Hide file tree

Showing 3 changed files with 154 additions and 0 deletions.
diff --git a/configs/components/ruby-2.7.8.rb b/configs/components/ruby-2.7.8.rb
@@ -43,6 +43,9 @@
   pkg.apply_patch "#{base}/uri-redos-cve-2023-36617.patch"
   pkg.apply_patch "#{base}/stringio_cve-2024-27280.patch"
 
+  pkg.apply_patch "#{base}/0001-Filter-marshaled-objects-ruby30.patch"
+  pkg.apply_patch "#{base}/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch"
+
   if platform.is_cross_compiled?
     unless platform.is_macos?
       pkg.apply_patch "#{base}/uri_generic_remove_safe_nav_operator_r2.5.patch"

diff --git a/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch b/resources/patches/ruby_27/0001-Filter-marshaled-objects-ruby30.patch
@@ -0,0 +1,94 @@
+From 6a35becc9ac9f4b27b1d5b5b1fb8cf7aa9b49d5d Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <[email protected]>
+Date: Tue, 20 Feb 2024 17:30:25 +0900
+Subject: [PATCH] Filter marshaled objects
+
+---
+ lib/rdoc/store.rb | 45 ++++++++++++++++++++++++++-------------------
+ 1 file changed, 26 insertions(+), 19 deletions(-)
+
+diff --git a/lib/rdoc/store.rb b/lib/rdoc/store.rb
+index 5ba671ca1b..5b663d73fb 100644
+--- a/lib/rdoc/store.rb
++++ b/lib/rdoc/store.rb
+@@ -556,9 +556,7 @@ def load_all
+   def load_cache
+     #orig_enc = @encoding
+
+-    File.open cache_path, 'rb' do |io|
+-      @cache = Marshal.load io.read
+-    end
++    @cache = marshal_load(cache_path)
+
+     load_enc = @cache[:encoding]
+
+@@ -615,9 +613,7 @@ def load_class klass_name
+   def load_class_data klass_name
+     file = class_file klass_name
+
+-    File.open file, 'rb' do |io|
+-      Marshal.load io.read
+-    end
++    marshal_load(file)
+   rescue Errno::ENOENT => e
+     error = MissingFileError.new(self, file, klass_name)
+     error.set_backtrace e.backtrace
+@@ -630,14 +626,10 @@ def load_class_data klass_name
+   def load_method klass_name, method_name
+     file = method_file klass_name, method_name
+
+-    File.open file, 'rb' do |io|
+-      obj = Marshal.load io.read
+-      obj.store = self
+-      obj.parent =
+-        find_class_or_module(klass_name) || load_class(klass_name) unless
+-          obj.parent
+-      obj
+-    end
++    obj = marshal_load(file)
++    obj.store = self
++    obj.parent ||= find_class_or_module(klass_name) || load_class(klass_name)
++    obj
+   rescue Errno::ENOENT => e
+     error = MissingFileError.new(self, file, klass_name + method_name)
+     error.set_backtrace e.backtrace
+@@ -650,11 +642,9 @@ def load_method klass_name, method_name
+   def load_page page_name
+     file = page_file page_name
+
+-    File.open file, 'rb' do |io|
+-      obj = Marshal.load io.read
+-      obj.store = self
+-      obj
+-    end
++    obj = marshal_load(file)
++    obj.store = self
++    obj
+   rescue Errno::ENOENT => e
+     error = MissingFileError.new(self, file, page_name)
+     error.set_backtrace e.backtrace
+@@ -976,4 +966,21 @@ def unique_modules
+     @unique_modules
+   end
+
++  private
++  def marshal_load(file)
++    File.open(file, 'rb') {|io| Marshal.load(io, MarshalFilter)}
++  end
++
++  MarshalFilter = proc do |obj|
++    case obj
++    when true, false, nil, Array, Class, Encoding, Hash, Integer, String, Symbol, RDoc::Text
++    else
++      unless obj.class.name.start_with("RDoc::")
++        raise TypeError, "not permitted class: #{obj.class.name}"
++      end
++    end
++    obj
++  end
++  private_constant :MarshalFilter
++
+ end
+-- 
+2.43.2
+
diff --git a/resources/patches/ruby_27/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch b/resources/patches/ruby_27/0001-Use-safe_load-and-safe_load_file-for-rdoc_options.patch
@@ -0,0 +1,57 @@
+author	Marc Deslauriers <[email protected]>	2024-06-19 10:33:00 -0400
+committer	git-ubuntu importer <[email protected]>	2024-06-26 12:22:56 +0000
+commit	7584287c1cf59926252197badedde2cbc08e084c (patch)
+tree	246e4fa465245f04c53f82cfb8cfeda7ea843db4
+parent	7128299adb87ba73094732751d96621648db1bce (diff)
+[PATCH] Use safe_load and safe_load_file for .rdoc_options
+Gbp-Pq: CVE-2024-27281-2.patch.
+Diffstat
+-rw-r--r--	lib/rdoc/rdoc.rb	3
+-rw-r--r--	test/rdoc/test_rdoc_options.rb	6
+2 files changed, 5 insertions, 4 deletions
+diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
+index 605172ae..f6105c68 100644
+--- a/lib/rdoc/rdoc.rb
++++ b/lib/rdoc/rdoc.rb
+@@ -156,8 +156,9 @@ class RDoc::RDoc
+     RDoc.load_yaml
+
+     begin
+-      options = YAML.load_file '.rdoc_options'
++      options = YAML.safe_load_file '.rdoc_options', permitted_classes: [RDoc::Options, Symbol]
+     rescue Psych::SyntaxError
++      raise RDoc::Error, "#{options_file} is not a valid rdoc options file"
+     end
+
+     raise RDoc::Error, "#{options_file} is not a valid rdoc options file" unless
+diff --git a/test/rdoc/test_rdoc_options.rb b/test/rdoc/test_rdoc_options.rb
+index 140c4afc..f547f5bf 100644
+--- a/test/rdoc/test_rdoc_options.rb
++++ b/test/rdoc/test_rdoc_options.rb
+@@ -145,7 +145,7 @@ class TestRDocOptions < RDoc::TestCase
+
+     @options.encoding = Encoding::IBM437
+
+-    options = YAML.load YAML.dump @options
++    options = YAML.safe_load(YAML.dump(@options), permitted_classes: [RDoc::Options, Symbol])
+
+     assert_equal Encoding::IBM437, options.encoding
+   end
+@@ -161,7 +161,7 @@ rdoc_include:
+ - /etc
+     YAML
+
+-    options = YAML.load yaml
++    options = YAML.safe_load(yaml, permitted_classes: [RDoc::Options, Symbol])
+
+     assert_empty options.rdoc_include
+     assert_empty options.static_path
+@@ -749,7 +749,7 @@ rdoc_include:
+
+       assert File.exist? '.rdoc_options'
+
+-      assert_equal @options, YAML.load(File.read('.rdoc_options'))
++      assert_equal @options, YAML.safe_load(File.read('.rdoc_options'), permitted_classes: [RDoc::Options, Symbol])
+     end
+   end
+