Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby1.9.1 This release adds a patch from upstream to fix CVE-2012-4522 (Debian bug #690670). A debdiff against the package in testing is attached. unblock ruby1.9.1/1.9.3.194-3 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
--- ruby1.9.1-1.9.3.194/debian/changelog 2012-10-06 16:29:43.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/changelog 2012-10-16 10:28:42.000000000 -0300
@@ -1,3 +1,11 @@
+ruby1.9.1 (1.9.3.194-3) unstable; urgency=high
+
+ * debian/patches/CVE-2012-4522.patch: avoid vulnerability with strings
+ containing NUL bytes passed to file creation methods. This fixes
+ CVE-2012-4522 (Closes: #690670).
+
+ -- Antonio Terceiro <terceiro@debian.org> Tue, 16 Oct 2012 10:27:20 -0300
+
 ruby1.9.1 (1.9.3.194-2) unstable; urgency=low
 * debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream;
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/CVE-2012-4522.patch ruby1.9.1-1.9.3.194/debian/patches/CVE-2012-4522.patch
--- ruby1.9.1-1.9.3.194/debian/patches/CVE-2012-4522.patch 1969-12-31 21:00:00.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/patches/CVE-2012-4522.patch 2012-10-16 10:26:48.000000000 -0300
@@ -0,0 +1,36 @@
+Description: path name must not contain NUL bytes.
+ This is a fix for CVE-2012-4522.
+Author: Nobuyoshi Nakada <nobu@ruby-lang.org>
+Bug-Debian: http://bugs.debian.org/690670
+Origin: upstream, https://github.com/ruby/ruby/commit/7085db45e4f15a58f9a82c8815bcc31364e0fde1
+Reviewed-By: Antonio Terceiro <terceiro@debian.org>
+
+--- ruby1.9.1-1.9.3.194.orig/file.c
++++ ruby1.9.1-1.9.3.194/file.c
+@@ -174,6 +174,9 @@ rb_get_path_check(VALUE obj, int level)
+ rb_raise(rb_eEncCompatError, "path name must be ASCII-compatible (%s): %s",
+ rb_enc_name(enc), RSTRING_PTR(tmp));
+ }
++
++ StringValueCStr(tmp);
++
+ return rb_str_new4(tmp);
+ }
+
+--- ruby1.9.1-1.9.3.194.orig/test/ruby/test_file.rb
++++ ruby1.9.1-1.9.3.194/test/ruby/test_file.rb
+@@ -189,4 +189,14 @@ class TestFile < Test::Unit::TestCase
+ assert_equal(File.chmod(0666, file), 1, bug5671)
+ end
+ end
++
++ def test_open_nul
++ Dir.mktmpdir(__method__.to_s) do |tmpdir|
++ path = File.join(tmpdir, "foo")
++ assert_raise(ArgumentError) do
++ open(path + "\0bar", "w") {}
++ end
++ assert_file_not(:exist?, path)
++ end
++ end
+ end
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series 2012-09-30 17:40:56.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/patches/series 2012-10-16 10:24:26.000000000 -0300
@@ -17,3 +17,4 @@
 hurd-path-max.diff
 20120517-r35434.patch
 20120927-cve_2011_1005.patch
+CVE-2012-4522.patch
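Review bot: The bare `StringValueCStr(tmp);` added to rb_get_path_check in file.c is there only for its side effect — it raises ArgumentError when the string holds an embedded NUL, which is the whole CVE-2012-4522 fix — but with its result discarded it reads like a no-op and invites removal by a later backporter; a one-line comment would protect it: `/* rejects path names containing NUL bytes (CVE-2012-4522): raises ArgumentError */`. The new test_open_nul relies on `assert_file_not`, which is a newer upstream test helper; if the 1.9.3 tree's test helpers do not define it, the test errors out instead of asserting that the truncated path was never created, so it is worth confirming the test suite actually runs and passes during the package build. The test also exercises only `open` with "w", while the changelog entry claims coverage of file creation methods in general; that claim rests on all of them reaching rb_get_path_check, which this hunk does not show. rb_get_path_check's body begins outside the quoted hunk.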