RubyGems should use ca-certificates for SSL verification

Bug #1057926 reported by Tyler Hicks on 2012-09-28
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ruby1.9.1 (Ubuntu)
Medium
Unassigned
rubygems (Ubuntu)
Medium
Unassigned

Bug Description

In version 1.8.24, RubyGems added the ability to fetch gems over HTTPS while properly verifying the server's SSL certificate. To make it work out of the box, the upstream developers included a bundle of certificate authority certs in the upstream release.

That bundle made it into Debian and Ubuntu's rubygems-1.8.24-1 package, rather than the package being modified to use the ca-certificates.crt bundle provided by the ca-certificates package. This makes it more difficult to properly maintain the list of trusted CA certificates after the release of Quantal.

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: rubygems (not installed)
ProcVersionSignature: Ubuntu 3.5.0-15.23-generic 3.5.4
Uname: Linux 3.5.0-15-generic x86_64
ApportVersion: 2.5.2-0ubuntu4
Architecture: amd64
Date: Thu Sep 27 23:38:45 2012
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
SourcePackage: rubygems
UpgradeStatus: Upgraded to quantal on 2012-08-03 (55 days ago)

Tyler Hicks (tyhicks) wrote :
Tyler Hicks (tyhicks) wrote :

Successfully tested using test-rubygems.py from lp:qa-regression-testing which exercises the gem fetcher code and installs popular gem files from http://rubygems.org.

no longer affects: libgems-ruby (Ubuntu)
Changed in ruby1.9.1 (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)

The attachment "rubygems_1.8.24-1ubuntu1.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Tyler Hicks (tyhicks) wrote :

Successfully tested using test-ruby1.9.1.py from lp:qa-regression-testing which exercises the gem fetcher code and installs popular gem files from https://rubygems.org. There are two failures, but they are unrelated to these changes and the same two failures happen against the current ruby1.9.1 in the archive.

Note that this debdiff also includes a fix for CVE-2011-1005. test-ruby1.9.1.py contains a regression test for this vulnerability and it passes with this update (it fails against the current ruby1.9.1 in the archive).

Changed in ruby1.9.1 (Ubuntu):
status: In Progress → Confirmed
Changed in rubygems (Ubuntu):
status: In Progress → Confirmed
Changed in ruby1.9.1 (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
Changed in rubygems (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
Jamie Strandboge (jdstrand) wrote :

rubygems: ACK. Please forward this to Debian (eg submittodebian).

Changed in rubygems (Ubuntu):
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

ruby1.9.1: ACK. Please forward this to Debian. Thanks for your work on these! :)

Changed in ruby1.9.1 (Ubuntu):
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

rubygems uploaded.

Changed in rubygems (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rubygems - 1.8.24-1ubuntu1

---------------
rubygems (1.8.24-1ubuntu1) quantal; urgency=low

  * Make the RubyGems fetcher use distro-provided ca-certificates
    (LP: #1057926)
    - debian/control: Add ca-certificates to rubygems depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
 -- Tyler Hicks <email address hidden> Thu, 27 Sep 2012 20:37:55 -0700

Changed in rubygems (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

ruby1.9.1 uploaded

Changed in ruby1.9.1 (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby1.9.1 - 1.9.3.194-1ubuntu1

---------------
ruby1.9.1 (1.9.3.194-1ubuntu1) quantal; urgency=low

  * SECURITY UPDATE: Safe level bypass
    - debian/patches/20120927-cve_2011_1005.patch: Remove incorrect string
      taint in exception handling methods. Based on upstream patch.
    - CVE-2011-1005
  * Make the RubyGems fetcher use distro-provided ca-certificates
    (LP: #1057926)
    - debian/control: Add ca-certificates to libruby1.9.1 depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.
 -- Tyler Hicks <email address hidden> Thu, 27 Sep 2012 20:37:54 -0700

Changed in ruby1.9.1 (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Bug attachments