
upload jekyll




Hello.

I've prepared security for jekyll. Debdiff is attached, please review
and upload. A test specific to this issue is also ported. I will
release the DLA once it is uploaded.


--abhijith
diff -Nru jekyll-2.2.0+dfsg/debian/changelog jekyll-2.2.0+dfsg/debian/changelog
--- jekyll-2.2.0+dfsg/debian/changelog	2014-11-09 16:34:50.000000000 +0100
+++ jekyll-2.2.0+dfsg/debian/changelog	2018-10-02 16:21:08.000000000 +0200
@@ -1,3 +1,14 @@
+jekyll (2.2.0+dfsg-2+deb8u1) jessie-security; urgency=medium
+
+  * Non-maintainer upload by the Debian LTS Security Team.
+  * Fix CVE-2018-17567: arbitrary file reads with the use of 'include:' 
+    setting in the config file. (Closes: #909933)
+  * New files added to port symlink test:
+    + test/fixtures/test-theme/
+    + test/source/symlink-test/symlinked-file
+
+ -- Abhijith PA <abhijith@disroot.org>  Tue, 02 Oct 2018 19:51:08 +0530
+
 jekyll (2.2.0+dfsg-2) unstable; urgency=medium
 
   * Team upload.
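Review bot: the changelog entry is dated Tue, 02 Oct 2018, while the patch header carries "Date: Wed Oct 3" and "Last-Update: 2018-10-03"; pick one date so the trail is consistent. The "* Fix CVE-2018-17567" line also has trailing whitespace after `'include:'`, and the second bullet names `test/source/symlink-test/symlinked-file`, but the file the patches actually add is `test/source/symlink-test/symlinked-file-outside-source`, so the changelog should name that path.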
diff -Nru jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_1.patch jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_1.patch
--- jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_1.patch	1970-01-01 01:00:00.000000000 +0100
+++ jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_1.patch	2018-10-02 16:21:08.000000000 +0200
@@ -0,0 +1,99 @@
+Author: Abhijith PA <abhijith@disroot.org>
+Date:   Wed Oct 3 21:32:28 2018 +0530
+
+...files added for the symlink test.
+
+diff --git a/test/fixtures/test-theme/_includes/include.html b/test/fixtures/test-theme/_includes/include.html
+new file mode 100644
+index 0000000..9860839
+--- /dev/null
++++ b/test/fixtures/test-theme/_includes/include.html
+@@ -0,0 +1 @@
++<span class="sample">include.html from test-theme</span>
+diff --git a/test/fixtures/test-theme/_layouts/default.html b/test/fixtures/test-theme/_layouts/default.html
+new file mode 100644
+index 0000000..902c61c
+--- /dev/null
++++ b/test/fixtures/test-theme/_layouts/default.html
+@@ -0,0 +1 @@
++default.html from test-theme: {{ content }}
+diff --git a/test/fixtures/test-theme/_sass/test-theme-black.scss b/test/fixtures/test-theme/_sass/test-theme-black.scss
+new file mode 100644
+index 0000000..a1e07da
+--- /dev/null
++++ b/test/fixtures/test-theme/_sass/test-theme-black.scss
+@@ -0,0 +1,3 @@
++.sample {
++  color: black;
++}
+diff --git a/test/fixtures/test-theme/_sass/test-theme-red.scss b/test/fixtures/test-theme/_sass/test-theme-red.scss
+new file mode 100644
+index 0000000..0307e17
+--- /dev/null
++++ b/test/fixtures/test-theme/_sass/test-theme-red.scss
+@@ -0,0 +1,3 @@
++.sample {
++  color: red;
++}
+diff --git a/test/fixtures/test-theme/_symlink b/test/fixtures/test-theme/_symlink
+new file mode 120000
+index 0000000..d2d6aac
+--- /dev/null
++++ b/test/fixtures/test-theme/_symlink
+@@ -0,0 +1 @@
++_layouts
+\ No newline at end of file
+diff --git a/test/fixtures/test-theme/assets/application.coffee b/test/fixtures/test-theme/assets/application.coffee
+new file mode 100644
+index 0000000..02f3351
+--- /dev/null
++++ b/test/fixtures/test-theme/assets/application.coffee
+@@ -0,0 +1,3 @@
++---
++---
++alert "From your theme."
+diff --git a/test/fixtures/test-theme/assets/base.js b/test/fixtures/test-theme/assets/base.js
+new file mode 100644
+index 0000000..00c238e
+--- /dev/null
++++ b/test/fixtures/test-theme/assets/base.js
+@@ -0,0 +1 @@
++alert("From your theme.");
+diff --git a/test/fixtures/test-theme/assets/img/another-logo.png b/test/fixtures/test-theme/assets/img/another-logo.png
+new file mode 120000
+index 0000000..bd36e71
+--- /dev/null
++++ b/test/fixtures/test-theme/assets/img/another-logo.png
+@@ -0,0 +1 @@
++logo.png
+\ No newline at end of file
+diff --git a/test/fixtures/test-theme/assets/img/logo.png b/test/fixtures/test-theme/assets/img/logo.png
+new file mode 100644
+index 0000000..95f0a3b
+Binary files /dev/null and b/test/fixtures/test-theme/assets/img/logo.png differ
+diff --git a/test/fixtures/test-theme/assets/style.scss b/test/fixtures/test-theme/assets/style.scss
+new file mode 100644
+index 0000000..47c4a2f
+--- /dev/null
++++ b/test/fixtures/test-theme/assets/style.scss
+@@ -0,0 +1,3 @@
++---
++---
++@import "test-theme-{{ site.theme-color | default: "red" }}";
+diff --git a/test/fixtures/test-theme/test-theme.gemspec b/test/fixtures/test-theme/test-theme.gemspec
+new file mode 100644
+index 0000000..970e1b8
+--- /dev/null
++++ b/test/fixtures/test-theme/test-theme.gemspec
+@@ -0,0 +1,11 @@
++# frozen_string_literal: true
++
++Gem::Specification.new do |s|
++  s.name        = "test-theme"
++  s.version     = "0.1.0"
++  s.licenses    = ["MIT"]
++  s.summary     = "This is a theme used to test Jekyll"
++  s.authors     = ["Jekyll"]
++  s.files       = ["lib/example.rb"]
++  s.homepage    = "https://github.com/jekyll/jekyll";
++end
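Review bot: two of the fixtures in this patch cannot be carried by a quilt patch as written: `test/fixtures/test-theme/_symlink` and `assets/img/another-logo.png` are declared with `new file mode 120000`, and `patch` will create them as regular files whose content is the literal text `_layouts` / `logo.png` rather than as symlinks, and `assets/img/logo.png` appears only as "Binary files ... differ", which carries no content and so will not be created at all. If these fixtures are needed, create the symlinks from the test setup with `FileUtils.ln_sf` (as test_layout_reader.rb already does) and drop the binary stub. This patch also lacks the DEP-3 `Description:`, `Origin:` and `Bug-Debian:` headers that the second patch has; the `Author:`/`Date:` lines and the "...files added for the symlink test." fragment should be replaced by a proper header.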
diff -Nru jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_2.patch jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_2.patch
--- jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_2.patch	1970-01-01 01:00:00.000000000 +0100
+++ jekyll-2.2.0+dfsg/debian/patches/CVE-2018-17567_and_test_ported_2.patch	2018-10-02 16:21:08.000000000 +0200
@@ -0,0 +1,149 @@
+Description: CVE-2018-17567
+ Arbitrary file reads with the cunning use of the include: setting in the config
+ file. By simply including a symlink in the include array allowed the symlinked
+ file to be read into the build when they shouldn’t actually be read in any 
+ circumstance
+
+ This patch also include symlink test ported from 3.6 to 2.2.0
+
+
+Author: Abhijith PA <abhijith@disroot.org>
+Bug-Debian: https://bugs.debian.org/909933
+Origin: https://github.com/jekyll/jekyll/commit/31300cb1f434e1e59bc98285d16dfcc574b4ed3e
+Last-Update: 2018-10-03
+
+Index: jekyll-2.2.0+dfsg/lib/jekyll/entry_filter.rb
+===================================================================
+--- jekyll-2.2.0+dfsg.orig/lib/jekyll/entry_filter.rb
++++ jekyll-2.2.0+dfsg/lib/jekyll/entry_filter.rb
+@@ -29,6 +29,13 @@ module Jekyll
+         unless included?(e)
+           special?(e) || backup?(e) || excluded?(e) || symlink?(e)
+         end
++
++        # Reject this entry if it is a symlink.
++        next true if symlink?(e)
++        # Do not reject this entry if it is included.
++        next false if included?(e)
++        # Reject this entry if it is special, a backup file, or excluded.
++        special?(e) || backup?(e) || excluded?(e)
+       end
+     end
+ 
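Review bot: the original `unless included?(e) ... end` block is left in place above the new lines instead of being removed with `-` lines, so its value is discarded and the new `next true if symlink?(e)` / `next false if included?(e)` / `special?(e) || backup?(e) || excluded?(e)` sequence is what the `reject` block actually returns. The old block is now dead code; delete it in the patch so the filter reads as the upstream change does and a later reader is not misled about which expression decides. Since the point of the fix is that a symlink is rejected before `included?` is consulted, the new ordering is right, but please confirm that `symlink?` in 2.2.0 behaves as the comment "Reject this entry if it is a symlink" states (whether or not it is conditioned on `safe`), and adjust the comment if it is only enforced in safe mode.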
+Index: jekyll-2.2.0+dfsg/test/helper.rb
+===================================================================
+--- jekyll-2.2.0+dfsg.orig/test/helper.rb
++++ jekyll-2.2.0+dfsg/test/helper.rb
+@@ -36,6 +36,14 @@ class Test::Unit::TestCase
+     test_dir('source', *subdirs)
+   end
+ 
++  def theme_dir(*subdirs)
++    test_dir("fixtures", "test-theme", *subdirs)
++  end
++
++  def fixture_site(overrides = {})
++    Jekyll::Site.new(site_configuration(overrides))
++  end
++
+   def clear_dest
+     FileUtils.rm_rf(dest_dir)
+   end
+Index: jekyll-2.2.0+dfsg/test/source/symlink-test/symlinked-file-outside-source
+===================================================================
+--- /dev/null
++++ jekyll-2.2.0+dfsg/test/source/symlink-test/symlinked-file-outside-source
+@@ -0,0 +1 @@
++/etc/passwd
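Review bot: this creates `test/source/symlink-test/symlinked-file-outside-source` as a regular file whose content is the string `/etc/passwd`, not as a symlink to /etc/passwd, because a quilt patch cannot express symlinks. The test that includes it therefore exercises a plain file, and `refute_includes site.static_files.map(&:name), "symlinked-file-outside-source"` in test_entry_filter.rb will see an included regular file rather than a rejected symlink. Create the symlink in the test's `setup` with `FileUtils.ln_sf` and remove it in `teardown`, as the layout reader tests do, and drop this fixture.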
+Index: jekyll-2.2.0+dfsg/test/test_entry_filter.rb
+===================================================================
+--- jekyll-2.2.0+dfsg.orig/test/test_entry_filter.rb
++++ jekyll-2.2.0+dfsg/test/test_entry_filter.rb
+@@ -6,7 +6,7 @@ class TestEntryFilter < Test::Unit::Test
+       stub(Jekyll).configuration do
+         Jekyll::Configuration::DEFAULTS.merge({'source' => source_dir, 'destination' => dest_dir})
+       end
+-      @site = Site.new(Jekyll.configuration)
++      @site = fixture_site
+     end
+ 
+     should "filter entries" do
+@@ -69,7 +69,7 @@ class TestEntryFilter < Test::Unit::Test
+       stub(Jekyll).configuration do
+         Jekyll::Configuration::DEFAULTS.merge({'source' => source_dir, 'destination' => dest_dir, 'safe' => true})
+       end
+-      site = Site.new(Jekyll.configuration)
++      site = fixture_site
+ 
+       site.read_directories("symlink-test")
+       assert_equal [], site.pages
+@@ -80,11 +80,21 @@ class TestEntryFilter < Test::Unit::Test
+       stub(Jekyll).configuration do
+         Jekyll::Configuration::DEFAULTS.merge({'source' => source_dir, 'destination' => dest_dir, 'safe' => false})
+       end
+-      site = Site.new(Jekyll.configuration)
+ 
++      @site.reader.read_directories("symlink-test")
++      refute_equal [], @site.pages
++      refute_equal [], @site.static_files
++    end
++
++    should "include only safe symlinks in safe mode even when included" do
++      # no support for symlinks on Windows
++      site = fixture_site("safe" => true, "include" => ["symlinked-file-outside-source"])
+       site.read_directories("symlink-test")
+-      assert_not_equal [], site.pages
+-      assert_not_equal [], site.static_files
++
++      # rubocop:disable Performance/FixedSize
++      assert_equal %w(main.scss symlinked-file).length, site.pages.length
++      refute_includes site.static_files.map(&:name), "symlinked-file-outside-source"
++      # rubocop:enable Performance/FixedSize
+     end
+   end
+ 
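Review bot: the hunk at `@@ -80,11 +80,21 @@` calls `@site.reader.read_directories("symlink-test")`, but in this 2.2.0 tree `read_directories` is called directly on the site (see the unchanged `site.read_directories("symlink-test")` two hunks above); `Site#reader` belongs to the 3.x code the test was ported from, so this line should become `@site.read_directories("symlink-test")` or the test will fail with NoMethodError. In the same hunk the `stub(Jekyll).configuration` block that sets `'safe' => false` is now unused, since `@site` is built in `setup` via `fixture_site` and `site_configuration`, so either pass `"safe" => false` through `fixture_site` or remove the stub. The new assertions use `refute_equal` and `refute_includes` while the lines they replace used `assert_not_equal`; keep the `assert_not_*` spellings used elsewhere in this Test::Unit suite unless the test-unit version in jessie is known to provide the `refute_*` aliases. Finally, please confirm that `site_configuration` exists in this version's test/helper.rb, since the added `fixture_site` depends on it.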
+Index: jekyll-2.2.0+dfsg/test/test_layout_reader.rb
+===================================================================
+--- jekyll-2.2.0+dfsg.orig/test/test_layout_reader.rb
++++ jekyll-2.2.0+dfsg/test/test_layout_reader.rb
+@@ -30,5 +30,40 @@ class TestLayoutReader < Test::Unit::Tes
+         assert_equal LayoutReader.new(@site).layout_directory, source_dir("blah/_layouts")
+       end
+     end
++
++context "when a layout is a symlink" do
++      setup do
++        FileUtils.ln_sf("/etc/passwd", source_dir("_layouts", "symlink.html"))
++        @site = fixture_site(
++          "safe"    => true,
++          "include" => ["symlink.html"]
++        )
++      end
++      teardown do
++        FileUtils.rm(source_dir("_layouts", "symlink.html"))
++      end
++      should "only read the layouts which are in the site" do
++        layouts = LayoutReader.new(@site).read
++        refute layouts.key?("symlink"), "Should not read the symlinked layout"
++      end
++    end
++    context "with a theme" do
++      setup do
++        FileUtils.ln_sf("/etc/passwd", theme_dir("_layouts", "theme-symlink.html"))
++        @site = fixture_site(
++          "include" => ["theme-symlink.html"],
++          "theme"   => "test-theme",
++          "safe"    => true
++        )
++      end
++      teardown do
++        FileUtils.rm(theme_dir("_layouts", "theme-symlink.html"))
++      end
++      should "not read a symlink'd theme" do
++        layouts = LayoutReader.new(@site).read
++        refute layouts.key?("theme-symlink"), \
++               "Should not read symlinked layout from theme"
++      end
++    end
+   end
+ end
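Review bot: `context "when a layout is a symlink" do` is not indented to the level of its sibling `context "with a theme" do`, so the added block should be re-indented by four spaces to match. More substantively, the "with a theme" context relies on `"theme" => "test-theme"` and `theme_dir`, but 2.2.0 has no theme support, so the `theme` key is ignored and the assertion that the theme symlink is not read passes trivially regardless of the fix; either drop this context (and with it the test-theme fixture patch) or state in the patch description that it is kept only for parity with upstream. For the "when a layout is a symlink" context, please confirm that `LayoutReader#read` in 2.2.0 routes layout entries through `EntryFilter`; if it does not, the entry_filter.rb change alone will not cause `symlink.html` to be skipped and this test will fail.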
diff -Nru jekyll-2.2.0+dfsg/debian/patches/series jekyll-2.2.0+dfsg/debian/patches/series
--- jekyll-2.2.0+dfsg/debian/patches/series	2014-11-09 16:17:02.000000000 +0100
+++ jekyll-2.2.0+dfsg/debian/patches/series	2018-10-02 16:21:08.000000000 +0200
@@ -6,3 +6,6 @@
 0007-Add-newline-in-test_coffee_script.patch
 0008-Update-test-for-newer-RDiscount.patch
 activesupport4
+CVE-2018-17567_and_test_ported_1.patch
+CVE-2018-17567_and_test_ported_2.patch
+
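Review bot: the last added line appends an empty line to debian/patches/series; drop it so the file ends with the second patch name and no trailing blank line.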
