Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby-activesupport-2.3 This version adds a fix for vulnerabilities in parameter parsing [CVE-2013-0156] Closes: #697789] the debdiff against the package in testing is attached. unblock ruby-activesupport-2.3/2.3.14-5 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby-activesupport-2.3-2.3.14/debian/changelog ruby-activesupport-2.3-2.3.14/debian/changelog
--- ruby-activesupport-2.3-2.3.14/debian/changelog 2012-06-29 14:33:46.000000000 -0300
+++ ruby-activesupport-2.3-2.3.14/debian/changelog 2013-01-09 16:35:41.000000000 -0300
@@ -1,3 +1,11 @@
+ruby-activesupport-2.3 (2.3.14-5) unstable; urgency=high
+
+ * Team upload.
+ * Add fix for vulnerabilities in parameter parsing [CVE-2013-0156].
+ Closes: #697789
+
+ -- Antonio Terceiro <terceiro@debian.org> Wed, 09 Jan 2013 16:34:24 -0300
+
ruby-activesupport-2.3 (2.3.14-4) unstable; urgency=low
* Team upload.
diff -Nru ruby-activesupport-2.3-2.3.14/debian/control ruby-activesupport-2.3-2.3.14/debian/control
--- ruby-activesupport-2.3-2.3.14/debian/control 2012-06-29 14:34:34.000000000 -0300
+++ ruby-activesupport-2.3-2.3.14/debian/control 2013-01-09 16:47:31.000000000 -0300
@@ -2,7 +2,6 @@
Section: ruby
Priority: optional
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
-Uploaders: Ondřej Surý <ondrej@debian.org>
DM-Upload-Allowed: yes
Build-Depends: debhelper (>= 7.0.50~),
gem2deb (>= 0.3.0~),
diff -Nru ruby-activesupport-2.3-2.3.14/debian/control.in ruby-activesupport-2.3-2.3.14/debian/control.in
--- ruby-activesupport-2.3-2.3.14/debian/control.in 2012-06-29 14:28:53.000000000 -0300
+++ ruby-activesupport-2.3-2.3.14/debian/control.in 2012-09-01 17:38:25.000000000 -0300
@@ -2,7 +2,6 @@
Section: ruby
Priority: optional
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
-Uploaders: Ondřej Surý <ondrej@debian.org>
DM-Upload-Allowed: yes
Build-Depends: debhelper (>= 7.0.50~),
gem2deb (>= 0.3.0~),
diff -Nru ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch
--- ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch 1969-12-31 21:00:00.000000000 -0300
+++ ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch 2013-01-09 16:33:35.000000000 -0300
@@ -0,0 +1,82 @@
+From 70adb9613e4a40c5645c99da374639c41012e4fc Mon Sep 17 00:00:00 2001
+From: Jeremy Kemper <jeremy@bitsweat.net>
+Date: Sat, 5 Jan 2013 17:46:26 -0700
+Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow
+ symbols or yaml.
+
+diff --git a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb
+index a43763f..d7a8c1e 100644
+--- a/lib/active_support/core_ext/hash/conversions.rb
++++ b/lib/active_support/core_ext/hash/conversions.rb
+@@ -26,6 +26,13 @@ module ActiveSupport #:nodoc:
+ end
+ end
+
++ DISALLOWED_XML_TYPES = %w(symbol yaml)
++ class DisallowedType < StandardError #:nodoc:
++ def initialize(type)
++ super "Disallowed type attribute: #{type.inspect}"
++ end
++ end
++
+ XML_TYPE_NAMES = {
+ "Symbol" => "symbol",
+ "Fixnum" => "integer",
+@@ -160,14 +167,24 @@ module ActiveSupport #:nodoc:
+ end
+
+ module ClassMethods
+- def from_xml(xml)
+- typecast_xml_value(unrename_keys(XmlMini.parse(xml)))
++ def from_xml(xml, disallowed_types = nil)
++ typecast_xml_value(unrename_keys(XmlMini.parse(xml)), disallowed_types)
++ end
++
++ def from_trusted_xml(xml)
++ from_xml xml, []
+ end
+
+ private
+- def typecast_xml_value(value)
++ def typecast_xml_value(value, disallowed_types = nil)
++ disallowed_types ||= DISALLOWED_XML_TYPES
++
+ case value.class.to_s
+ when 'Hash'
++ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
++ raise DisallowedType, value['type']
++ end
++
+ if value['type'] == 'array'
+ child_key, entries = value.detect { |k,v| k != 'type' } # child_key is throwaway
+ if entries.nil? || (c = value['__content__'] && c.blank?)
+@@ -175,9 +192,9 @@ module ActiveSupport #:nodoc:
+ else
+ case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a?
+ when "Array"
+- entries.collect { |v| typecast_xml_value(v) }
++ entries.collect { |v| typecast_xml_value(v, disallowed_types) }
+ when "Hash"
+- [typecast_xml_value(entries)]
++ [typecast_xml_value(entries, disallowed_types)]
+ else
+ raise "can't typecast #{entries.inspect}"
+ end
+@@ -205,7 +222,7 @@ module ActiveSupport #:nodoc:
+ nil
+ else
+ xml_value = value.inject({}) do |h,(k,v)|
+- h[k] = typecast_xml_value(v)
++ h[k] = typecast_xml_value(v, disallowed_types)
+ h
+ end
+
+@@ -214,7 +231,7 @@ module ActiveSupport #:nodoc:
+ xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
+ end
+ when 'Array'
+- value.map! { |i| typecast_xml_value(i) }
++ value.map! { |i| typecast_xml_value(i, disallowed_types) }
+ case value.length
+ when 0 then nil
+ when 1 then value.first
diff -Nru ruby-activesupport-2.3-2.3.14/debian/patches/series ruby-activesupport-2.3-2.3.14/debian/patches/series
--- ruby-activesupport-2.3-2.3.14/debian/patches/series 2012-02-02 20:56:25.000000000 -0200
+++ ruby-activesupport-2.3-2.3.14/debian/patches/series 2013-01-09 16:33:35.000000000 -0300
@@ -1,2 +1,3 @@
0001-remove_vendor_directory.patch
0002-remove_rubygems_require.patch
+CVE-2013-0156.patch
Attachment:
signature.asc
Description: Digital signature