Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: opu

Dear release team,

As a follow-up to a security bug [1], I have been advised to provide a fix for this package through oldstable-proposed-updates. The proposed update applies a patch from upstream which prevents possible XML denial of service attacks by limiting the size of fetched files and disabling XML entity expansion.

1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702217

Please find attached the debdiff against the current 2.1.8debian-1 version in Squeeze. Let me know if this is suitable for inclusion in the next update of Squeeze.

Kind regards,

Cédric

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (500, 'oldstable'), (150, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libopenid-ruby-2.1.8debian/debian/changelog libopenid-ruby-2.1.8debian/debian/changelog
--- libopenid-ruby-2.1.8debian/debian/changelog 2010-04-12 03:29:36.000000000 +0200
+++ libopenid-ruby-2.1.8debian/debian/changelog 2013-06-30 22:13:22.000000000 +0200
@@ -1,3 +1,13 @@
+libopenid-ruby (2.1.8debian-1+squeeze1) oldstable; urgency=high
+
+ * Team upload
+ * Urgency set to high as a security bug is fixed.
+ * debian/patches: add fix_CVE-2013-1812 from upstream to limit fetching file
+ size and disable XML entity expansion, preventing possible XML denial of
+ service attacks [CVE-2013-1812] (Closes: #702217).
+
+ -- Cédric Boutillier <boutil@debian.org> Sun, 30 Jun 2013 21:58:30 +0200
+
libopenid-ruby (2.1.8debian-1) unstable; urgency=low
[ Lucas Nussbaum ]
diff -Nru libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812 libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812
--- libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812 1970-01-01 01:00:00.000000000 +0100
+++ libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812 2013-06-30 21:58:03.000000000 +0200
@@ -0,0 +1,115 @@
+Description: limit fetching file size & disable XML entity expansion
+ This prevents possible XML denial of service attacks [CVE-2013-1812]
+Author: nov matake <nov@matake.jp>
+Origin: https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
+Bug: https://github.com/openid/ruby-openid/pull/43
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702217
+Reviewed-by: Cédric Boutillier <boutil@debian.org>
+Last-Update: 2012-10-23
+
+---
+ lib/openid/fetchers.rb | 17 ++++++++++++++---
+ lib/openid/yadis/xrds.rb | 34 ++++++++++++++++++++++------------
+ 2 files changed, 36 insertions(+), 15 deletions(-)
+
+--- a/lib/openid/fetchers.rb
++++ b/lib/openid/fetchers.rb
+@@ -10,7 +10,7 @@
+ require 'net/http'
+ end
+
+-MAX_RESPONSE_KB = 1024
++MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
+
+ module Net
+ class HTTP
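Review bot: the constant at `+MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)` is now a byte count (it is compared against the accumulated body length in the next hunk) while its name still says KB. Rename it to something like `MAX_RESPONSE_BYTES = 10 * 1024 * 1024` so the unit is in the name and the arithmetic is visible, and replace the hedged comment with the rationale for the cap: 10 MB is generous for an XRDS or HTML discovery document, and a smaller value bounds the memory a single fetch from an untrusted server can make the process allocate.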
+@@ -192,6 +192,16 @@
+ conn = make_connection(url)
+ response = nil
+
++ whole_body = ''
++ body_size_limitter = lambda do |r|
++ r.read_body do |partial| # read body now
++ whole_body << partial
++ if whole_body.length > MAX_RESPONSE_KB
++ raise FetchingError.new("Response Too Large")
++ end
++ end
++ whole_body
++ end
+ response = conn.start {
+ # Check the certificate against the URL's hostname
+ if supports_ssl?(conn) and conn.use_ssl?
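Review bot: the check `if whole_body.length > MAX_RESPONSE_KB` should use `whole_body.bytesize`, so the comparison is against the byte-denominated constant regardless of the string's encoding, and the lambda name `body_size_limitter` is misspelled (`limiter`). The check runs after each chunk is appended, so the body can exceed the cap by up to one chunk before `FetchingError.new("Response Too Large")` is raised; that is acceptable for a DoS guard but deserves a comment, as does the fact that raising inside `read_body` aborts the transfer and relies on `conn.start` closing the connection on the way out.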
+@@ -199,10 +209,10 @@
+ end
+
+ if body.nil?
+- conn.request_get(url.request_uri, headers)
++ conn.request_get(url.request_uri, headers, &body_size_limitter)
+ else
+ headers["Content-type"] ||= "application/x-www-form-urlencoded"
+- conn.request_post(url.request_uri, body, headers)
++ conn.request_post(url.request_uri, body, headers, &body_size_limitter)
+ end
+ }
+ rescue RuntimeError => why
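Review bot: passing `&body_size_limitter` to `request_get` and `request_post` changes what the returned response carries: once Net::HTTP streams the body to a block, `response.body` returns the read adapter rather than the data, so every consumer after this point must use `whole_body` instead. A one-line comment here stating that dependency would save the next maintainer from reading `response.body` and getting nothing usable, and it explains why the final-return hunk has to reattach the body explicitly.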
+@@ -231,7 +241,10 @@
+ raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
+ end
+ else
+- return HTTPResponse._from_net_response(response, unparsed_url)
++ response = HTTPResponse._from_net_response(response, unparsed_url)
++ response.body = whole_body
++ setup_encoding(response)
++ return response
+ end
+ end
+ end
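Review bot: the body is reattached only on the final (non-redirect) return path (`+ response.body = whole_body` after `_from_net_response`), and the bare assignment deserves a comment explaining that a streamed Net::HTTP response no longer carries its body. Also confirm that `setup_encoding(response)` exists in the 2.1.8 tree in Squeeze: it is called here but not introduced by the patch, which was written against a newer upstream, and if the method is missing every successful fetch will fail with NoMethodError.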
+--- a/lib/openid/yadis/xrds.rb
++++ b/lib/openid/yadis/xrds.rb
+@@ -88,23 +88,33 @@
+ end
+
+ def Yadis::parseXRDS(text)
+- if text.nil?
+- raise XRDSError.new("Not an XRDS document.")
+- end
++ disable_entity_expansion do
++ if text.nil?
++ raise XRDSError.new("Not an XRDS document.")
++ end
+
+- begin
+- d = REXML::Document.new(text)
+- rescue RuntimeError => why
+- raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
+- end
++ begin
++ d = REXML::Document.new(text)
++ rescue RuntimeError => why
++ raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
++ end
+
+- if is_xrds?(d)
+- return d
+- else
+- raise XRDSError.new("Not an XRDS document.")
++ if is_xrds?(d)
++ return d
++ else
++ raise XRDSError.new("Not an XRDS document.")
++ end
+ end
+ end
+
++ def Yadis::disable_entity_expansion
++ _previous_ = REXML::Document::entity_expansion_limit
++ REXML::Document::entity_expansion_limit = 0
++ yield
++ ensure
++ REXML::Document::entity_expansion_limit = _previous_
++ end
++
+ def Yadis::is_xrds?(xrds_tree)
+ xrds_root = xrds_tree.root
+ return (!xrds_root.nil? and
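Review bot: `Yadis::disable_entity_expansion` manipulates process-wide state: `REXML::Document::entity_expansion_limit` is a class-level setting shared by every REXML parse in the interpreter, so the `ensure` restore races with concurrent parsers in other threads, and REXML applies the limit when entity references are actually expanded (lazily, when a text node's value is read), not at `REXML::Document.new(text)`. Since `d` is returned out of the block (`+ return d`), any later access to the returned document's text runs with the limit restored; consider either reading the relevant text inside the block or leaving the limit at 0 for the whole process. Two smaller points: `rescue RuntimeError => why` folds REXML's "number of entity expansions exceeded" error into the generic "Failed to parse XML." message (append `why.message` so the reason is visible in logs), and `_previous_` is an odd local name where plain `previous` reads better.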
diff -Nru libopenid-ruby-2.1.8debian/debian/patches/series libopenid-ruby-2.1.8debian/debian/patches/series
--- libopenid-ruby-2.1.8debian/debian/patches/series 2010-04-12 03:22:44.000000000 +0200
+++ libopenid-ruby-2.1.8debian/debian/patches/series 2013-06-30 21:58:03.000000000 +0200
@@ -1 +1,2 @@
use-system-installed-hmac
+fix_CVE-2013-1812
Attachment: signature.asc (Digital signature)