Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby-activesupport-3.2 This version fixes one security problem (CVE-2012-3464), closing one RC bug (#684517). The debdiff between the version in testing and this one, which was just uploaded to unstable, is attached. unblock ruby-activesupport-3.2/3.2.6-4 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby-activesupport-3.2-3.2.6/debian/changelog ruby-activesupport-3.2-3.2.6/debian/changelog
--- ruby-activesupport-3.2-3.2.6/debian/changelog 2012-06-24 18:58:16.000000000 -0300
+++ ruby-activesupport-3.2-3.2.6/debian/changelog 2012-08-10 14:23:44.000000000 -0300
@@ -1,3 +1,10 @@
+ruby-activesupport-3.2 (3.2.6-4) unstable; urgency=high
+
+ * debian/patches/CVE-2012-3464.patch: fixes potential XSS vulnerability.
+ CVE-2012-3464 (Closes: #684517).
+
+ -- Antonio Terceiro <terceiro@debian.org> Fri, 10 Aug 2012 14:10:41 -0300
+
ruby-activesupport-3.2 (3.2.6-3) unstable; urgency=low
* Bump build dependency on gem2deb to >= 0.3.0~
diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2012-3464.patch ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2012-3464.patch
--- ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2012-3464.patch 1969-12-31 21:00:00.000000000 -0300
+++ ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2012-3464.patch 2012-08-10 14:10:25.000000000 -0300
@@ -0,0 +1,32 @@
+Description: [PATCH] html_escape should escape single quotes
+ This patch was adapted by Antonio Terceiro <terceiro@debian.org> to
+ activesupport 3.2.6, which was the version in testing at the time.
+Author: Santiago Pastorino <santiago@wyeworks.com>
+
+---
+
+Origin: upstream
+Bug: https://github.com/rails/rails/issues/7215
+Reviewed-By: Antonio Terceiro <terceiro@debian.org>
+Last-Update: 2012-08-10
+
+--- ruby-activesupport-3.2-3.2.6.orig/lib/active_support/core_ext/string/output_safety.rb
++++ ruby-activesupport-3.2-3.2.6/lib/active_support/core_ext/string/output_safety.rb
+@@ -3,7 +3,7 @@ require 'active_support/core_ext/kernel/
+
+ class ERB
+ module Util
+- HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' }
++ HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' }
+ JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
+
+ # Detect whether 1.9 can transcode with XML escaping.
+@@ -22,7 +22,7 @@ class ERB
+ if s.html_safe?
+ s
+ else
+- s.encode(s.encoding, :xml => :attr)[1...-1].html_safe
++ s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
+ end
+ end
+ else
diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/series ruby-activesupport-3.2-3.2.6/debian/patches/series
--- ruby-activesupport-3.2-3.2.6/debian/patches/series 1969-12-31 21:00:00.000000000 -0300
+++ ruby-activesupport-3.2-3.2.6/debian/patches/series 2012-08-10 14:07:22.000000000 -0300
@@ -0,0 +1 @@
+CVE-2012-3464.patch
Attachment:
signature.asc
Description: Digital signature