Bug#703409: unblock: ruby-actionpack-2.3/2.3.14-5, ruby-actionpack-3.2/3.2.6-6, ruby-activerecord-2.3/2.3.14-6, ruby-activerecord-3.2/3.2.6-5, ruby-activesupport-2.3/2.3.14-7, ruby-activesupport-3.2/3.2.6-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package ruby-activesupport-3.2
http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
Rails versions 3.2.13, 3.1.12, and 2.3.18 have been released. These
releases contain important security fixes. It is recommended users
upgrade as soon as possible.
Please check out these links for the security fixes:
CVE-2013-1854 Symbol DoS vulnerability in Active Record
CVE-2013-1855 XSS vulnerability in sanitize_css in Action Pack
CVE-2013-1856 XML Parsing Vulnerability affecting JRuby users
CVE-2013-1857 XSS Vulnerability in the sanitize helper of Ruby on Rails
All versions of Rails are impacted by one or more of these security
issues, but per our maintenance policy, only versions 3.2.13, 3.1.12,
and 2.3.18 have been released.
$ diffstat ruby-actionpack-2.3_2.3.14-5.debdiff
changelog | 7 +++++
patches/CVE-2013-1855.patch | 38 ++++++++++++++++++++++++++++++
patches/CVE-2013-1857.patch | 54 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 2 +
4 files changed, 101 insertions(+)
$ diffstat ruby-actionpack-3.2_3.2.6-6.debdiff
changelog | 7 +++++++
patches/CVE-2013-1855.patch | 22 ++++++++++++++++++++++
patches/CVE-2013-1857.patch | 20 ++++++++++++++++++++
patches/series | 2 ++
4 files changed, 51 insertions(+)
$ diffstat ruby-activerecord-2.3_2.3.14-6.debdiff
changelog | 6 ++++++
patches/CVE-2013-1854.patch | 22 ++++++++++++++++++++++
patches/series | 1 +
3 files changed, 29 insertions(+)
$ diffstat ruby-activerecord-3.2_3.2.6-5.debdiff
changelog | 7 +++++++
control | 1 +
control.in | 3 ++-
patches/CVE-2013-1854.patch | 22 ++++++++++++++++++++++
patches/series | 1 +
5 files changed, 33 insertions(+), 1 deletion(-)
$ diffstat ruby-activesupport-2.3_2.3.14-7.debdiff
changelog | 6 ++++++
patches/CVE-2013-1854.patch | 14 ++++++++++++++
patches/series | 1 +
3 files changed, 21 insertions(+)
$ diffstat ruby-activesupport-3.2_3.2.6-6.debdiff
changelog | 7 +++++++
control.in | 2 +-
patches/CVE-2013-1856.patch | 38 ++++++++++++++++++++++++++++++++++++++
patches/series | 1 +
4 files changed, 47 insertions(+), 1 deletion(-)
* The control.in changes are harmless (since they only apply when
there's a new upstream release), and there's one re-adding of me as a
maintainer of the package. It just didn't make sense to branch
off just to keep these little changes out, since they don't affect
anything.
unblock ruby-actionpack-2.3/2.3.14-5
unblock ruby-actionpack-3.2/3.2.6-6
unblock ruby-activerecord-2.3/2.3.14-6
unblock ruby-activerecord-3.2/3.2.6-5
unblock ruby-activesupport-2.3/2.3.14-7
unblock ruby-activesupport-3.2/3.2.6-6
-- System Information:
Debian Release: 7.0
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby-actionpack-2.3-2.3.14/debian/changelog ruby-actionpack-2.3-2.3.14/debian/changelog
--- ruby-actionpack-2.3-2.3.14/debian/changelog 2012-06-29 19:49:41.000000000 +0200
+++ ruby-actionpack-2.3-2.3.14/debian/changelog 2013-03-19 09:27:01.000000000 +0100
@@ -1,3 +1,10 @@
+ruby-actionpack-2.3 (2.3.14-5) unstable; urgency=high
+
+ * [CVE-2013-1855]: Fix XSS vulnerability in sanitize_css in Action Pack
+ * [CVE-2013-1857]: Fix XSS Vulnerability in the sanitize helper of Ruby on Rails
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 19 Mar 2013 09:26:18 +0100
+
ruby-actionpack-2.3 (2.3.14-4) unstable; urgency=low
* Team upload.
diff -Nru ruby-actionpack-2.3-2.3.14/debian/patches/CVE-2013-1855.patch ruby-actionpack-2.3-2.3.14/debian/patches/CVE-2013-1855.patch
--- ruby-actionpack-2.3-2.3.14/debian/patches/CVE-2013-1855.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-actionpack-2.3-2.3.14/debian/patches/CVE-2013-1855.patch 2013-03-19 09:27:01.000000000 +0100
@@ -0,0 +1,38 @@
+--- a/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
++++ b/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+@@ -106,8 +106,8 @@ module HTML
+ style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
+
+ # gauntlet
+- if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
+- style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
++ if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
++ style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
+ return ''
+ end
+
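Review bot: the change from `^`/`$` to `\A`/`\z` in the gauntlet check is the right fix for this hunk, because in Ruby `^` and `$` are line anchors, so a style value containing a newline could carry a second line that the whole-value check never looked at (the added `test_should_sanitize_across_newlines` further down covers exactly that case). The `$` left inside `(;|$)` in the second pattern is still a line anchor, but it is harmless here since the enclosing pattern is now bounded by `\z` and the trailing `\s*` has to consume any newline before the end of the string.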
+@@ -117,8 +117,8 @@ module HTML
+ clean << prop + ': ' + val + ';'
+ elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
+ unless val.split().any? do |keyword|
+- !allowed_css_keywords.include?(keyword) &&
+- keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
++ !allowed_css_keywords.include?(keyword) &&
++ keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+ end
+ clean << prop + ': ' + val + ';'
+ end
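Review bot: the first changed line in this hunk (`!allowed_css_keywords.include?(keyword) &&`) is removed and re-added with no visible difference, i.e. a whitespace-only change; in a security backport that is better dropped so the debdiff contains only the `\A`/`\z` anchoring change on the keyword regex, which is the part that matters.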
+--- a/test/controller/html-scanner/sanitizer_test.rb
++++ b/test/controller/html-scanner/sanitizer_test.rb
+@@ -249,6 +249,11 @@ class SanitizerTest < ActionController::
+ assert_equal '', sanitize_css(raw)
+ end
+
++ def test_should_sanitize_across_newlines
++ raw = %(\nwidth:\nexpression(alert('XSS'));\n)
++ assert_equal '', sanitize_css(raw)
++ end
++
+ def test_should_sanitize_img_vbscript
+ assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />'
+ end
diff -Nru ruby-actionpack-2.3-2.3.14/debian/patches/CVE-2013-1857.patch ruby-actionpack-2.3-2.3.14/debian/patches/CVE-2013-1857.patch
--- ruby-actionpack-2.3-2.3.14/debian/patches/CVE-2013-1857.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-actionpack-2.3-2.3.14/debian/patches/CVE-2013-1857.patch 2013-03-19 09:27:01.000000000 +0100
@@ -0,0 +1,54 @@
+--- a/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
++++ b/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+@@ -62,8 +62,8 @@ module HTML
+
+ # A regular expression of the valid characters used to separate protocols like
+ # the ':' in 'http://foo.com'
+- self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/
+-
++ self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i
++
+ # Specifies a Set of HTML attributes that can have URIs.
+ self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
+
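Review bot: the numeric character references in `protocol_separator` show up as replacement characters (`�*58`, `�*3a`) in this rendering, so confirm that the patch file on disk still carries the literal entity syntax the sanitizer is meant to match, otherwise the regex silently stops recognising encoded colons. Apart from that, the added hex-encoded colon alternative plus the `/i` flag is what closes the bypass; the `-`/`+` pair on the following blank line is a whitespace-only change that could be left out.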
+@@ -166,8 +166,8 @@ module HTML
+ end
+
+ def contains_bad_protocols?(attr_name, value)
+- uri_attributes.include?(attr_name) &&
+- (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
++ uri_attributes.include?(attr_name) &&
++ (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
+ end
+ end
+ end
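Review bot: the `.downcase.strip` on the extracted protocol is needed so that the `allowed_protocols` lookup agrees with the now case-insensitive `/i` regex and handles the leading-whitespace case that appears in the image-hack test list; in this 2.3 backport `.downcase` is new as well (the 3.2 version of the same hunk already had it), so the changelog entry slightly understates what changed. Worth one line there.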
+--- a/test/controller/html-scanner/sanitizer_test.rb
++++ b/test/controller/html-scanner/sanitizer_test.rb
+@@ -169,6 +169,7 @@ class SanitizerTest < ActionController::
+ %(<IMG SRC="jav
ascript:alert('XSS');">),
+ %(<IMG SRC="jav
ascript:alert('XSS');">),
+ %(<IMG SRC="  javascript:alert('XSS');">),
++ %(<IMG SRC="javascript:alert('XSS');">),
+ %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
+ define_method "test_should_not_fall_for_xss_image_hack_#{i+1}" do
+ assert_sanitized img_hack, "<img>"
+@@ -270,6 +271,19 @@ class SanitizerTest < ActionController::
+ assert_sanitized %{<a href=\"http://www.domain.com?var1=1&var2=2\">my link</a>}
+ end
+
++ def test_should_sanitize_neverending_attribute
++ assert_sanitized "<span class=\"\\", "<span class=\"\\\">"
++ end
++
++ def test_x03a
++ assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>"
++ assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>"
++ assert_sanitized %(<a href="http://legit">), %(<a href="http://legit">)
++ assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>"
++ assert_sanitized %(<a href="javascript:alert('XSS');">), "<a>"
++ assert_sanitized %(<a href="http://legit">), %(<a href="http://legit">)
++ end
++
+ protected
+ def assert_sanitized(input, expected = nil)
+ @sanitizer ||= HTML::WhiteListSanitizer.new
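Review bot: the six assertions in `test_x03a` read identically in this rendering (each `javascript:alert('XSS')` against `<a>`, or `http://legit` against itself), which means the differently encoded colons that distinguish them were decoded somewhere between the patch file and this view; check that the patch as applied still has the encoded forms, otherwise the test never exercises the new `*3a` alternative or the `/i` flag. `test_should_sanitize_neverending_attribute` is unrelated to the CVE but harmless to carry along.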
diff -Nru ruby-actionpack-2.3-2.3.14/debian/patches/series ruby-actionpack-2.3-2.3.14/debian/patches/series
--- ruby-actionpack-2.3-2.3.14/debian/patches/series 2012-04-26 09:49:40.000000000 +0200
+++ ruby-actionpack-2.3-2.3.14/debian/patches/series 2013-03-19 09:27:01.000000000 +0100
@@ -1,3 +1,5 @@
0001-use_system_activesupport.patch
0002-dont_require_rubygems.patch
CVE-2012-1099.patch
+CVE-2013-1855.patch
+CVE-2013-1857.patch
diff -Nru ruby-actionpack-3.2-3.2.6/debian/changelog ruby-actionpack-3.2-3.2.6/debian/changelog
--- ruby-actionpack-3.2-3.2.6/debian/changelog 2013-01-09 22:27:16.000000000 +0100
+++ ruby-actionpack-3.2-3.2.6/debian/changelog 2013-03-19 09:50:29.000000000 +0100
@@ -1,3 +1,10 @@
+ruby-actionpack-3.2 (3.2.6-6) unstable; urgency=high
+
+ * [CVE-2013-1855]: Fix XSS vulnerability in sanitize_css in Action Pack
+ * [CVE-2013-1857]: Fix XSS Vulnerability in the sanitize helper of Ruby on Rails
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 19 Mar 2013 09:45:34 +0100
+
ruby-actionpack-3.2 (3.2.6-5) unstable; urgency=high
* debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk
diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-1855.patch ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-1855.patch
--- ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-1855.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-1855.patch 2013-03-19 09:50:29.000000000 +0100
@@ -0,0 +1,22 @@
+--- a/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
++++ b/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+@@ -110,8 +110,8 @@ module HTML
+ style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
+
+ # gauntlet
+- if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
+- style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
++ if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
++ style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
+ return ''
+ end
+
+@@ -122,7 +122,7 @@ module HTML
+ elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
+ unless val.split().any? do |keyword|
+ !allowed_css_keywords.include?(keyword) &&
+- keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
++ keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
+ end
+ clean << prop + ': ' + val + ';'
+ end
diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-1857.patch ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-1857.patch
--- ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-1857.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-1857.patch 2013-03-19 09:50:29.000000000 +0100
@@ -0,0 +1,20 @@
+--- a/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
++++ b/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+@@ -66,7 +66,7 @@ module HTML
+
+ # A regular expression of the valid characters used to separate protocols like
+ # the ':' in 'http://foo.com'
+- self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/
++ self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i
+
+ # Specifies a Set of HTML attributes that can have URIs.
+ self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
+@@ -171,7 +171,7 @@ module HTML
+
+ def contains_bad_protocols?(attr_name, value)
+ uri_attributes.include?(attr_name) &&
+- (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
++ (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
+ end
+ end
+ end
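Review bot: unlike the 2.3 backports, neither 3.2 patch carries the upstream test additions (the diffstat above shows 22 and 20 lines against 38 and 54 for 2.3); if the package runs its test suite at build time, consider including `test_should_sanitize_across_newlines` and `test_x03a` so the build proves the backport. The code hunks themselves mirror the 2.3 version, including the `/i` flag and the `.strip` on the protocol lookup, so no further concern there.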
diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/series ruby-actionpack-3.2-3.2.6/debian/patches/series
--- ruby-actionpack-3.2-3.2.6/debian/patches/series 2013-01-09 22:24:02.000000000 +0100
+++ ruby-actionpack-3.2-3.2.6/debian/patches/series 2013-03-19 09:50:29.000000000 +0100
@@ -2,3 +2,5 @@
CVE-2012-3463.patch
CVE-2012-3465.patch
CVE-2013-0155.patch
+CVE-2013-1855.patch
+CVE-2013-1857.patch
diff -Nru ruby-activerecord-2.3-2.3.14/debian/changelog ruby-activerecord-2.3-2.3.14/debian/changelog
--- ruby-activerecord-2.3-2.3.14/debian/changelog 2013-02-12 17:05:09.000000000 +0100
+++ ruby-activerecord-2.3-2.3.14/debian/changelog 2013-03-19 09:19:36.000000000 +0100
@@ -1,3 +1,9 @@
+ruby-activerecord-2.3 (2.3.14-6) unstable; urgency=high
+
+ * [CVE-2013-1854]: Fix symbol DoS vulnerability in Active Record
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 19 Mar 2013 09:19:24 +0100
+
ruby-activerecord-2.3 (2.3.14-5) unstable; urgency=high
* Fix circumvention of attr_protected [CVE-2013-0276]
diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-1854.patch ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-1854.patch
--- ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-1854.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-1854.patch 2013-03-19 09:19:36.000000000 +0100
@@ -0,0 +1,22 @@
+--- a/lib/active_record/base.rb
++++ b/lib/active_record/base.rb
+@@ -2307,7 +2307,7 @@ module ActiveRecord #:nodoc:
+ def expand_hash_conditions_for_aggregates(attrs)
+ expanded_attrs = {}
+ attrs.each do |attr, value|
+- unless (aggregation = reflect_on_aggregation(attr.to_sym)).nil?
++ unless (aggregation = reflect_on_aggregation(attr)).nil?
+ mapping = aggregate_mapping(aggregation)
+ mapping.each do |field_attr, aggregate_attr|
+ if mapping.size == 1 && !value.respond_to?(aggregate_attr)
+--- a/lib/active_record/reflection.rb
++++ b/lib/active_record/reflection.rb
+@@ -18,7 +18,7 @@ module ActiveRecord
+ when :composed_of
+ reflection = AggregateReflection.new(macro, name, options, active_record)
+ end
+- write_inheritable_hash :reflections, name => reflection
++ write_inheritable_hiwa :reflections, name => reflection
+ reflection
+ end
+
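Review bot: `write_inheritable_hiwa`, used in the reflection.rb hunk, is not defined by this package; it is added by the ruby-activesupport-2.3 2.3.14-7 patch further down, yet this debdiff touches only changelog, the patch and series and adds no versioned dependency on ruby-activesupport-2.3 (>= 2.3.14-7). Without it a partial upgrade leaves every model definition failing with NoMethodError. The base.rb change (dropping `.to_sym` on the user-supplied attribute name) only works because the reflections hash becomes indifferent-access, so the two hunks and the activesupport change have to ship together.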
diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/series ruby-activerecord-2.3-2.3.14/debian/patches/series
--- ruby-activerecord-2.3-2.3.14/debian/patches/series 2013-02-12 17:05:09.000000000 +0100
+++ ruby-activerecord-2.3-2.3.14/debian/patches/series 2013-03-19 09:19:36.000000000 +0100
@@ -4,3 +4,4 @@
CVE-2013-0155.patch
CVE-2013-0276.patch
CVE-2013-0277.patch
+CVE-2013-1854.patch
diff -Nru ruby-activerecord-3.2-3.2.6/debian/changelog ruby-activerecord-3.2-3.2.6/debian/changelog
--- ruby-activerecord-3.2-3.2.6/debian/changelog 2013-01-09 22:22:50.000000000 +0100
+++ ruby-activerecord-3.2-3.2.6/debian/changelog 2013-03-19 09:37:05.000000000 +0100
@@ -1,3 +1,10 @@
+ruby-activerecord-3.2 (3.2.6-5) unstable; urgency=high
+
+ * Bump build dependency on gem2deb to >- 0.3.0~ in debian/control.in
+ * [CVE-2013-1854]: Fix symbol DoS vulnerability in Active Record
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 19 Mar 2013 09:36:39 +0100
+
ruby-activerecord-3.2 (3.2.6-4) unstable; urgency=high
* debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk
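Review bot: the new changelog entry reads `>- 0.3.0~` where the control.in hunk below uses `>= 0.3.0~`; fix the typo in the changelog.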
diff -Nru ruby-activerecord-3.2-3.2.6/debian/control ruby-activerecord-3.2-3.2.6/debian/control
--- ruby-activerecord-3.2-3.2.6/debian/control 2012-09-01 22:38:02.000000000 +0200
+++ ruby-activerecord-3.2-3.2.6/debian/control 2013-03-19 09:37:05.000000000 +0100
@@ -3,6 +3,7 @@
Priority: optional
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Uploaders:
+ Ondřej Surý <ondrej@debian.org>,
Antonio Terceiro <terceiro@debian.org>,
DM-Upload-Allowed: yes
Build-Depends: debhelper (>= 7.0.50~),
diff -Nru ruby-activerecord-3.2-3.2.6/debian/control.in ruby-activerecord-3.2-3.2.6/debian/control.in
--- ruby-activerecord-3.2-3.2.6/debian/control.in 2012-09-01 22:38:02.000000000 +0200
+++ ruby-activerecord-3.2-3.2.6/debian/control.in 2013-03-19 09:37:05.000000000 +0100
@@ -3,10 +3,11 @@
Priority: optional
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Uploaders:
+ Ondřej Surý <ondrej@debian.org>,
Antonio Terceiro <terceiro@debian.org>,
DM-Upload-Allowed: yes
Build-Depends: debhelper (>= 7.0.50~),
- gem2deb (>= 0.2.13~),
+ gem2deb (>= 0.3.0~),
ruby-activesupport-3.2 (>= @RAILS_VERSION@),
ruby-activesupport-3.2 (<< @RAILS_VERSION@.),
ruby-activemodel-3.2 (>= @RAILS_VERSION@),
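Review bot: debian/control and debian/control.in diverge after these two hunks: control.in bumps gem2deb to (>= 0.3.0~) while control keeps the old bound and only gains the new Uploaders line. That matches the request's note that control.in is applied only on a new upstream release, but it is worth confirming that nothing in the build regenerates control from control.in, or the freeze exception would silently introduce a build-dependency bump that is not in the debian/control part of the debdiff.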
diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-1854.patch ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-1854.patch
--- ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-1854.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-1854.patch 2013-03-19 09:37:05.000000000 +0100
@@ -0,0 +1,22 @@
+--- a/lib/active_record/relation.rb
++++ b/lib/active_record/relation.rb
+@@ -464,7 +464,7 @@ module ActiveRecord
+ node.left.relation.name == table_name
+ }
+
+- Hash[equalities.map { |where| [where.left.name, where.right] }]
++ Hash[equalities.map { |where| [where.left.name, where.right] }].with_indifferent_access
+ end
+
+ def scope_for_create
+--- a/lib/active_record/relation/predicate_builder.rb
++++ b/lib/active_record/relation/predicate_builder.rb
+@@ -20,7 +20,7 @@ module ActiveRecord
+ table = Arel::Table.new(table_name, engine)
+ end
+
+- attribute = table[column.to_sym]
++ attribute = table[column]
+
+ case value
+ when ActiveRecord::Relation
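Review bot: both hunks stop turning user-controlled keys into symbols (`with_indifferent_access` on the hash built from `equalities`, and `table[column]` instead of `table[column.to_sym]`), which is the point of CVE-2013-1854: symbols are never garbage collected on the MRI releases of this era, so unbounded symbol creation from request data exhausts memory. Callers that index the returned hash with symbols keep working through the indifferent access, so the hunk is minimal and matches the changelog entry.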
diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/series ruby-activerecord-3.2-3.2.6/debian/patches/series
--- ruby-activerecord-3.2-3.2.6/debian/patches/series 2013-01-09 22:17:11.000000000 +0100
+++ ruby-activerecord-3.2-3.2.6/debian/patches/series 2013-03-19 09:37:05.000000000 +0100
@@ -1,3 +1,4 @@
Remove_rubygems_dependency.patch
3-2-dynamic_finder_injection.patch
CVE-2013-0155.patch
+CVE-2013-1854.patch
diff -Nru ruby-activesupport-2.3-2.3.14/debian/changelog ruby-activesupport-2.3-2.3.14/debian/changelog
--- ruby-activesupport-2.3-2.3.14/debian/changelog 2013-01-29 16:10:33.000000000 +0100
+++ ruby-activesupport-2.3-2.3.14/debian/changelog 2013-03-19 09:29:30.000000000 +0100
@@ -1,3 +1,9 @@
+ruby-activesupport-2.3 (2.3.14-7) unstable; urgency=high
+
+ * [CVE-2013-1854]: Fix symbol DoS vulnerability in Active Record
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 19 Mar 2013 09:22:08 +0100
+
ruby-activesupport-2.3 (2.3.14-6) unstable; urgency=high
* Team upload.
diff -Nru ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-1854.patch ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-1854.patch
--- ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-1854.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-1854.patch 2013-03-19 09:29:30.000000000 +0100
@@ -0,0 +1,14 @@
+--- a/lib/active_support/core_ext/class/inheritable_attributes.rb
++++ b/lib/active_support/core_ext/class/inheritable_attributes.rb
+@@ -109,6 +109,11 @@ class Class # :nodoc:
+ write_inheritable_attribute(key, read_inheritable_attribute(key).merge(hash))
+ end
+
++ def write_inheritable_hiwa(key, hash)
++ write_inheritable_attribute(key, {}.with_indifferent_access) if read_inheritable_attribute(key).nil?
++ write_inheritable_attribute(key, read_inheritable_attribute(key).merge(hash))
++ end
++
+ def read_inheritable_attribute(key)
+ inheritable_attributes[key]
+ end
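Review bot: `write_inheritable_hiwa` only seeds an indifferent-access hash when the attribute is still nil; if the same key was first written through `write_inheritable_hash` (a plain Hash), the later `merge` keeps a plain Hash and string and symbol keys are not unified. For the `:reflections` use in ruby-activerecord-2.3 this is fine as long as that is the only writer of the key, but a one-line comment on the method saying so would save the next reader a trip.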
diff -Nru ruby-activesupport-2.3-2.3.14/debian/patches/series ruby-activesupport-2.3-2.3.14/debian/patches/series
--- ruby-activesupport-2.3-2.3.14/debian/patches/series 2013-01-29 15:24:48.000000000 +0100
+++ ruby-activesupport-2.3-2.3.14/debian/patches/series 2013-03-19 09:29:30.000000000 +0100
@@ -2,3 +2,4 @@
0002-remove_rubygems_require.patch
CVE-2013-0156.patch
CVE-2013-0333.patch
+CVE-2013-1854.patch
diff -Nru ruby-activesupport-3.2-3.2.6/debian/changelog ruby-activesupport-3.2-3.2.6/debian/changelog
--- ruby-activesupport-3.2-3.2.6/debian/changelog 2013-01-09 21:24:43.000000000 +0100
+++ ruby-activesupport-3.2-3.2.6/debian/changelog 2013-03-19 09:51:07.000000000 +0100
@@ -1,3 +1,10 @@
+ruby-activesupport-3.2 (3.2.6-6) unstable; urgency=high
+
+ * Fix aa735c44 in control.in, so it is kept when upstream version changes
+ * [CVE-2013-1856]: Fix XML Parsing Vulnerability affecting JRuby users
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 19 Mar 2013 09:46:52 +0100
+
ruby-activesupport-3.2 (3.2.6-5) unstable; urgency=high
* debian/patches/CVE-2013-0156.patch: fix for vulnerabilities in
diff -Nru ruby-activesupport-3.2-3.2.6/debian/control.in ruby-activesupport-3.2-3.2.6/debian/control.in
--- ruby-activesupport-3.2-3.2.6/debian/control.in 2012-09-01 22:38:38.000000000 +0200
+++ ruby-activesupport-3.2-3.2.6/debian/control.in 2013-03-19 09:51:07.000000000 +0100
@@ -6,7 +6,7 @@
Antonio Terceiro <terceiro@debian.org>,
DM-Upload-Allowed: yes
Build-Depends: debhelper (>= 7.0.50~),
- gem2deb (>= 0.2.13~),
+ gem2deb (>= 0.3.0~),
ruby-i18n (>= 0.6~),
ruby-multi-json (>= 1.0~)
Standards-Version: 3.9.3
diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-1856.patch ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-1856.patch
--- ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-1856.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-1856.patch 2013-03-19 09:51:07.000000000 +0100
@@ -0,0 +1,38 @@
+diff --git a/lib/active_support/xml_mini/jdom.rb b/lib/active_support/xml_mini/jdom.rb
+index 6c222b8..8d23ce4 100644
+--- a/lib/active_support/xml_mini/jdom.rb
++++ b/lib/active_support/xml_mini/jdom.rb
+@@ -38,6 +38,12 @@ module ActiveSupport
+ {}
+ else
+ @dbf = DocumentBuilderFactory.new_instance
++ # secure processing of java xml
++ # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
++ @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
++ @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
++ @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
++ @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
+ xml_string_reader = StringReader.new(data)
+ xml_input_source = InputSource.new(xml_string_reader)
+ doc = @dbf.new_document_builder.parse(xml_input_source)
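Review bot: the four `setFeature` calls disable external DTD loading and external general/parameter entities and turn on FEATURE_SECURE_PROCESSING, which is the standard XXE hardening for a JAXP DocumentBuilderFactory. `setFeature` raises `ParserConfigurationException` when the underlying parser does not recognise a feature, and nothing here rescues it, so a JRuby deployment with a different parser would fail closed on every parse; that is the safer direction, but the changelog could mention it.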
+diff --git a/test/fixtures/xml/jdom_doctype.dtd b/test/fixtures/xml/jdom_doctype.dtd
+new file mode 100644
+index 0000000..8948049
+--- /dev/null
++++ b/test/fixtures/xml/jdom_doctype.dtd
+@@ -0,0 +1 @@
++<!ENTITY a "external entity">
+diff --git a/test/fixtures/xml/jdom_entities.txt b/test/fixtures/xml/jdom_entities.txt
+new file mode 100644
+index 0000000..0337fda
+--- /dev/null
++++ b/test/fixtures/xml/jdom_entities.txt
+@@ -0,0 +1 @@
++<!ENTITY a "hello">
+diff --git a/test/fixtures/xml/jdom_include.txt b/test/fixtures/xml/jdom_include.txt
+new file mode 100644
+index 0000000..239ca3a
+--- /dev/null
++++ b/test/fixtures/xml/jdom_include.txt
+@@ -0,0 +1,1 @@
++include me
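Review bot: the three new fixtures (`jdom_doctype.dtd`, `jdom_entities.txt`, `jdom_include.txt`) are added without the test that reads them, so nothing in this debdiff verifies that entity expansion is now blocked; either carry the accompanying upstream test over as well or leave the fixtures out of the backport.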
diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/series ruby-activesupport-3.2-3.2.6/debian/patches/series
--- ruby-activesupport-3.2-3.2.6/debian/patches/series 2013-01-09 21:10:22.000000000 +0100
+++ ruby-activesupport-3.2-3.2.6/debian/patches/series 2013-03-19 09:51:07.000000000 +0100
@@ -1,2 +1,3 @@
CVE-2012-3464.patch
CVE-2013-0156.patch
+CVE-2013-1856.patch