Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby-activesupport-3.2 This version fixes one security problem (CVE-2012-3464), closing one RC bug (#684517). The debdiff between the version in testing and this one, which was just uploaded to unstable, is attached. unblock ruby-activesupport-3.2/3.2.6-4 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby-activesupport-3.2-3.2.6/debian/changelog ruby-activesupport-3.2-3.2.6/debian/changelog --- ruby-activesupport-3.2-3.2.6/debian/changelog 2012-06-24 18:58:16.000000000 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/changelog 2012-08-10 14:23:44.000000000 -0300 @@ -1,3 +1,10 @@ +ruby-activesupport-3.2 (3.2.6-4) unstable; urgency=high + + * debian/patches/CVE-2012-3464.patch: fixes potential XSS vulnerability. + CVE-2012-3464 (Closes: #684517). + + -- Antonio Terceiro <terceiro@debian.org> Fri, 10 Aug 2012 14:10:41 -0300 + ruby-activesupport-3.2 (3.2.6-3) unstable; urgency=low * Bump build dependency on gem2deb to >= 0.3.0~ diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2012-3464.patch ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2012-3464.patch --- ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2012-3464.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2012-3464.patch 2012-08-10 14:10:25.000000000 -0300 @@ -0,0 +1,32 @@ +Description: [PATCH] html_escape should escape single quotes + This patch was adapted by Antonio Terceiro <terceiro@debian.org> to + activesupport 3.2.6, which was the version in testing at the time. +Author: Santiago Pastorino <santiago@wyeworks.com> + +--- + +Origin: upstream +Bug: https://github.com/rails/rails/issues/7215 +Reviewed-By: Antonio Terceiro <terceiro@debian.org> +Last-Update: 2012-08-10 + +--- ruby-activesupport-3.2-3.2.6.orig/lib/active_support/core_ext/string/output_safety.rb ++++ ruby-activesupport-3.2-3.2.6/lib/active_support/core_ext/string/output_safety.rb +@@ -3,7 +3,7 @@ require 'active_support/core_ext/kernel/ + + class ERB + module Util +- HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' } ++ HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"', "'" => ''' } + JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' } + + # Detect whether 1.9 can transcode with XML escaping. +@@ -22,7 +22,7 @@ class ERB + if s.html_safe? + s + else +- s.encode(s.encoding, :xml => :attr)[1...-1].html_safe ++ s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe + end + end + else diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/series ruby-activesupport-3.2-3.2.6/debian/patches/series --- ruby-activesupport-3.2-3.2.6/debian/patches/series 1969-12-31 21:00:00.000000000 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/patches/series 2012-08-10 14:07:22.000000000 -0300 @@ -0,0 +1 @@ +CVE-2012-3464.patch
Attachment:
signature.asc
Description: Digital signature