Bug#690818: marked as done (unblock: ruby1.9.1/1.9.3.194-3)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#690818: marked as done (unblock: ruby1.9.1/1.9.3.194-3)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 18 Oct 2012 05:21:06 +0000
Message-id: <[🔎] handler.690818.D690818.135053747127243.ackdone@bugs.debian.org>
References: <1350537376.24093.16.camel@jacala.jungle.funky-badger.org> <[🔎] 20121017230042.GA29419@debian.org>

Your message dated Thu, 18 Oct 2012 06:16:16 +0100
with message-id <1350537376.24093.16.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#690818: unblock: ruby1.9.1/1.9.3.194-3
has caused the Debian Bug report #690818,
regarding unblock: ruby1.9.1/1.9.3.194-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
690818: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690818
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: ruby1.9.1/1.9.3.194-3
From: Antonio Terceiro <terceiro@debian.org>
Date: Wed, 17 Oct 2012 20:00:42 -0300
Message-id: <[🔎] 20121017230042.GA29419@debian.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby1.9.1

This release adds a patch from upstream to fix CVE-2012-4522 (Debian bug
#690670).

A debdiff against the package in testing is attached.

unblock ruby1.9.1/1.9.3.194-3

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>

diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
--- ruby1.9.1-1.9.3.194/debian/changelog	2012-10-06 16:29:43.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/changelog	2012-10-16 10:28:42.000000000 -0300
@@ -1,3 +1,11 @@
+ruby1.9.1 (1.9.3.194-3) unstable; urgency=high
+
+  * debian/patches/CVE-2012-4522.patch: avoid vulnerability with strings
+    containing NUL bytes passed to file creation methods. This fixes
+    CVE-2012-4522 (Closes: #690670).
+
+ -- Antonio Terceiro <terceiro@debian.org>  Tue, 16 Oct 2012 10:27:20 -0300
+
 ruby1.9.1 (1.9.3.194-2) unstable; urgency=low
 
   * debian/patches/20120927-cve_2011_1005.patch: patch sent by upstream;
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/CVE-2012-4522.patch ruby1.9.1-1.9.3.194/debian/patches/CVE-2012-4522.patch
--- ruby1.9.1-1.9.3.194/debian/patches/CVE-2012-4522.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/patches/CVE-2012-4522.patch	2012-10-16 10:26:48.000000000 -0300
@@ -0,0 +1,36 @@
+Description: path name must not contain NUL bytes.
+ This is a fix for CVE-2012-4522.
+Author: Nobuyoshi Nakada  <nobu@ruby-lang.org>
+Bug-Debian: http://bugs.debian.org/690670
+Origin: upstream, https://github.com/ruby/ruby/commit/7085db45e4f15a58f9a82c8815bcc31364e0fde1
+Reviewed-By: Antonio Terceiro <terceiro@debian.org>
+
+--- ruby1.9.1-1.9.3.194.orig/file.c
++++ ruby1.9.1-1.9.3.194/file.c
+@@ -174,6 +174,9 @@ rb_get_path_check(VALUE obj, int level)
+ 	rb_raise(rb_eEncCompatError, "path name must be ASCII-compatible (%s): %s",
+ 		 rb_enc_name(enc), RSTRING_PTR(tmp));
+     }
++
++    StringValueCStr(tmp);
++
+     return rb_str_new4(tmp);
+ }
+ 
+--- ruby1.9.1-1.9.3.194.orig/test/ruby/test_file.rb
++++ ruby1.9.1-1.9.3.194/test/ruby/test_file.rb
+@@ -189,4 +189,14 @@ class TestFile < Test::Unit::TestCase
+       assert_equal(File.chmod(0666, file), 1, bug5671)
+     end
+   end
++
++  def test_open_nul
++    Dir.mktmpdir(__method__.to_s) do |tmpdir|
++      path = File.join(tmpdir, "foo")
++      assert_raise(ArgumentError) do
++        open(path + "\0bar", "w") {}
++      end
++      assert_file_not(:exist?, path)
++    end
++  end
+ end
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series	2012-09-30 17:40:56.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/patches/series	2012-10-16 10:24:26.000000000 -0300
@@ -17,3 +17,4 @@
 hurd-path-max.diff
 20120517-r35434.patch
 20120927-cve_2011_1005.patch
+CVE-2012-4522.patch

Attachment: signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

To: Antonio Terceiro <terceiro@debian.org>, 690818-done@bugs.debian.org

Subject: Re: Bug#690818: unblock: ruby1.9.1/1.9.3.194-3

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Thu, 18 Oct 2012 06:16:16 +0100

Message-id: <1350537376.24093.16.camel@jacala.jungle.funky-badger.org>

In-reply-to: <[🔎] 20121017230042.GA29419@debian.org>

References: <[🔎] 20121017230042.GA29419@debian.org>
On Wed, 2012-10-17 at 20:00 -0300, Antonio Terceiro wrote:
> Please unblock package ruby1.9.1
> 
> This release adds a patch from upstream to fix CVE-2012-4522 (Debian bug
> #690670).

Unblocked; thanks.

Regards,

Adam
--- End Message ---

Reply to:

References:
- Bug#690818: unblock: ruby1.9.1/1.9.3.194-3
  - From: Antonio Terceiro <terceiro@debian.org>

Prev by Date: Bug#690795: unblock: icedove/10.0.9-1
Next by Date: Bug#690795: unblock: icedove/10.0.9-1
Previous by thread: Bug#690818: unblock: ruby1.9.1/1.9.3.194-3
Next by thread: Candidates for removal from testing
Index(es):
- Date
- Thread