Bug#683820: unblock: ruby-actionpack-3.2/3.2.6-3

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#683820: unblock: ruby-actionpack-3.2/3.2.6-3
From: Antonio Terceiro <terceiro@debian.org>
Date: Sat, 4 Aug 2012 09:55:42 -0300
Message-id: <[🔎] 20120804125542.GA27562@debian.org>
Reply-to: Antonio Terceiro <terceiro@debian.org>, 683820@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-actionpack-3.2

This version add a single patch that fixes a secutiry problem
(CVE-2012-3424, #683370), and just uploaded to unstable. You will find a
debdiff against the version currently in testing attached.

unblock ruby-actionpack-3.2/3.2.6-3

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>

diff -Nru ruby-actionpack-3.2-3.2.6/debian/changelog ruby-actionpack-3.2-3.2.6/debian/changelog
--- ruby-actionpack-3.2-3.2.6/debian/changelog	2012-06-24 19:07:35.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/changelog	2012-08-04 09:29:24.000000000 -0300
@@ -1,3 +1,9 @@
+ruby-actionpack-3.2 (3.2.6-3) unstable; urgency=high
+
+  * Add patch by Aaron Patterson for CVE-2012-3424 (Closes: #683370)
+
+ -- Antonio Terceiro <terceiro@debian.org>  Sat, 04 Aug 2012 09:28:12 -0300
+
 ruby-actionpack-3.2 (3.2.6-2) unstable; urgency=low
 
   * Bump build dependency to gem2deb >= 0.3.0~
diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3424.patch ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3424.patch
--- ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3424.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3424.patch	2012-08-04 09:27:46.000000000 -0300
@@ -0,0 +1,22 @@
+Description: Do not convert digest auth strings to symbols.
+Author: Aaron Patterson <aaron.patterson@gmail.com>
+
+---
+
+Origin: upstream, https://github.com/rails/rails/commit/27311fef5efa598f281649074255834546d2b4ec
+Forwarded: not-needed
+
+--- ruby-actionpack-3.2-3.2.6.orig/lib/action_controller/metal/http_authentication.rb
++++ ruby-actionpack-3.2-3.2.6/lib/action_controller/metal/http_authentication.rb
+@@ -227,9 +227,9 @@ module ActionController
+       end
+ 
+       def decode_credentials(header)
+-        Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
++        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+           key, value = pair.split('=', 2)
+-          [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')]
++          [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
+         end]
+       end
+ 
diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/series ruby-actionpack-3.2-3.2.6/debian/patches/series
--- ruby-actionpack-3.2-3.2.6/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/patches/series	2012-08-04 09:26:26.000000000 -0300
@@ -0,0 +1 @@
+CVE-2012-3424.patch

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#683820: marked as done (unblock: ruby-actionpack-3.2/3.2.6-3)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#683578: unblock: getlive/2.4+cvs20120801-1
Next by Date: Bug#683822: unblock: amule/2.3.1-9
Previous by thread: Bug#682448: marked as done (unblock: exactimage/0.8.5-5)
Next by thread: Bug#683820: marked as done (unblock: ruby-actionpack-3.2/3.2.6-3)
Index(es):
- Date
- Thread