Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby1.9.1 This release fixes a security bug (Debian #6999291, CVE-2013-0256) the debdiff against the package in testing is attached unblock ruby1.9.1/1.9.3.194-6 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
--- ruby1.9.1-1.9.3.194/debian/changelog 2012-11-27 18:42:09.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/changelog 2013-02-12 16:04:22.000000000 -0300
@@ -1,3 +1,11 @@
+ruby1.9.1 (1.9.3.194-6) unstable; urgency=high
+
+ [Nobuhiro Iwamatsu]
+ * debian/patches/CVE-2013-0256.patch: fix possible cross site scripting
+ vulnerability in documentation generated by RDOC (Closes: #699929)
+
+ -- Antonio Terceiro <terceiro@debian.org> Tue, 12 Feb 2013 16:00:30 -0300
+
ruby1.9.1 (1.9.3.194-5) unstable; urgency=high
* Disable running the test suite during the build on sparc again. Keeping
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-0256.patch ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-0256.patch
--- ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-0256.patch 1969-12-31 21:00:00.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/patches/CVE-2013-0256.patch 2013-02-12 16:04:22.000000000 -0300
@@ -0,0 +1,36 @@
+From fd061353e3312b77b48eee7cf96cab8ca9b797ac Mon Sep 17 00:00:00 2001
+From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
+Date: Wed, 6 Feb 2013 08:00:49 +0000
+Subject: [PATCH] * lib/rdoc: Import RDoc 3.9.5.
+ NOTE: This patch includes only main correctios.
+Origin: upstream, https://github.com/ruby/ruby/commit/fd061353e3312b77b48eee7cf96cab8ca9b797ac
+Bug: http://www.ruby-lang.org/ja/news/2013/02/06/rdoc-xss-cve-2013-0256/
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699929
+
+diff --git a/lib/rdoc/generator/template/darkfish/js/darkfish.js b/lib/rdoc/generator/template/darkfish/js/darkfish.js
+index 84565c1..7a2f44c 100644
+--- a/lib/rdoc/generator/template/darkfish/js/darkfish.js
++++ b/lib/rdoc/generator/template/darkfish/js/darkfish.js
+@@ -73,13 +73,15 @@ function hookQuickSearch() {
+ function highlightTarget( anchor ) {
+ console.debug( "Highlighting target '%s'.", anchor );
+
+- $("a[name=" + anchor + "]").each( function() {
+- if ( !$(this).parent().parent().hasClass('target-section') ) {
+- console.debug( "Wrapping the target-section" );
+- $('div.method-detail').unwrap( 'div.target-section' );
+- $(this).parent().wrap( '<div class="target-section"></div>' );
+- } else {
+- console.debug( "Already wrapped." );
++ $("a[name]").each( function() {
++ if ( $(this).attr("name") == anchor ) {
++ if ( !$(this).parent().parent().hasClass('target-section') ) {
++ console.debug( "Wrapping the target-section" );
++ $('div.method-detail').unwrap( 'div.target-section' );
++ $(this).parent().wrap( '<div class="target-section"></div>' );
++ } else {
++ console.debug( "Already wrapped." );
++ }
+ }
+ });
+ };
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series 2012-11-21 23:39:33.000000000 -0300
+++ ruby1.9.1-1.9.3.194/debian/patches/series 2013-02-12 16:04:22.000000000 -0300
@@ -19,3 +19,4 @@
20120927-cve_2011_1005.patch
CVE-2012-4522.patch
20121120-cve-2012-5371.diff
+CVE-2013-0256.patch
Attachment:
signature.asc
Description: Digital signature