
Bug#697799: unblock: ruby-activesupport-3.2/3.2.6-5

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-activesupport-3.2

This release includes a fix for CVE-2013-0156, fixing Debian bug
#697790.

The debdiff against the package in testing is attached.

unblock ruby-activesupport-3.2/3.2.6-5

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby-activesupport-3.2-3.2.6/debian/changelog ruby-activesupport-3.2-3.2.6/debian/changelog
--- ruby-activesupport-3.2-3.2.6/debian/changelog	2012-08-10 14:23:44.000000000 -0300
+++ ruby-activesupport-3.2-3.2.6/debian/changelog	2013-01-09 17:24:43.000000000 -0300
@@ -1,3 +1,10 @@
+ruby-activesupport-3.2 (3.2.6-5) unstable; urgency=high
+
+  * debian/patches/CVE-2013-0156.patch: fix for vulnerabilities in
+    vulnerabilities in parameter parsing [CVE-2013-0156] (Closes: #697790)
+
+ -- Antonio Terceiro <terceiro@debian.org>  Wed, 09 Jan 2013 17:23:52 -0300
+
 ruby-activesupport-3.2 (3.2.6-4) unstable; urgency=high
 
   * debian/patches/CVE-2012-3464.patch: fixes potential XSS vulnerability.
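Review bot: the new changelog entry repeats "vulnerabilities in" across the line break ("fix for vulnerabilities in / vulnerabilities in parameter parsing"); drop one occurrence so it reads "fix for vulnerabilities in parameter parsing [CVE-2013-0156] (Closes: #697790)". The entry also says nothing about the Uploaders change to debian/control and debian/control.in that is part of this debdiff; for an unblock request every change in the diff should be accounted for in the changelog, so add a line for it or keep that change out of this upload.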
diff -Nru ruby-activesupport-3.2-3.2.6/debian/control ruby-activesupport-3.2-3.2.6/debian/control
--- ruby-activesupport-3.2-3.2.6/debian/control	2012-06-24 18:57:55.000000000 -0300
+++ ruby-activesupport-3.2-3.2.6/debian/control	2012-09-01 17:38:38.000000000 -0300
@@ -3,7 +3,6 @@
 Priority: optional
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
 Uploaders:
-	Ondřej Surý <ondrej@debian.org>,
 	Antonio Terceiro <terceiro@debian.org>,
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
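Review bot: removing Ondřej Surý from Uploaders (mirrored in debian/control.in below) is unrelated to the CVE-2013-0156 fix and is not mentioned in the 3.2.6-5 changelog entry. During the freeze the release team expects an unblock diff to contain only the targeted fix, so either document this maintainer change in the changelog or defer it so the debdiff is limited to the security patch.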
diff -Nru ruby-activesupport-3.2-3.2.6/debian/control.in ruby-activesupport-3.2-3.2.6/debian/control.in
--- ruby-activesupport-3.2-3.2.6/debian/control.in	2012-06-15 23:41:30.000000000 -0300
+++ ruby-activesupport-3.2-3.2.6/debian/control.in	2012-09-01 17:38:38.000000000 -0300
@@ -3,7 +3,6 @@
 Priority: optional
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
 Uploaders:
-	Ondřej Surý <ondrej@debian.org>,
 	Antonio Terceiro <terceiro@debian.org>,
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch
--- ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch	2013-01-09 17:10:22.000000000 -0300
@@ -0,0 +1,76 @@
+From 43109ecb986470ef023a7e91beb9812718f000fe Mon Sep 17 00:00:00 2001
+From: Jeremy Kemper <jeremy@bitsweat.net>
+Date: Sat, 5 Jan 2013 17:46:26 -0700
+Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow
+ symbols or yaml.
+
+diff --git a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb
+index 5f07bb4..b820a16 100644
+--- a/lib/active_support/core_ext/hash/conversions.rb
++++ b/lib/active_support/core_ext/hash/conversions.rb
+@@ -85,15 +85,33 @@ class Hash
+     end
+   end
+ 
++  class DisallowedType < StandardError #:nodoc:
++    def initialize(type)
++      super "Disallowed type attribute: #{type.inspect}"
++    end
++  end
++
++  DISALLOWED_XML_TYPES = %w(symbol yaml)
++
+   class << self
+-    def from_xml(xml)
+-      typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)))
++    def from_xml(xml, disallowed_types = nil)
++      typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)), disallowed_types)
++    end
++
++    def from_trusted_xml(xml)
++      from_xml xml, []
+     end
+ 
+     private
+-      def typecast_xml_value(value)
++      def typecast_xml_value(value, disallowed_types = nil)
++        disallowed_types ||= DISALLOWED_XML_TYPES
++
+         case value.class.to_s
+           when 'Hash'
++            if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
++              raise DisallowedType, value['type']
++            end
++
+             if value['type'] == 'array'
+               _, entries = Array.wrap(value.detect { |k,v| not v.is_a?(String) })
+               if entries.nil? || (c = value['__content__'] && c.blank?)
+@@ -101,9 +119,9 @@ class Hash
+               else
+                 case entries.class.to_s   # something weird with classes not matching here.  maybe singleton methods breaking is_a?
+                 when "Array"
+-                  entries.collect { |v| typecast_xml_value(v) }
++                  entries.collect { |v| typecast_xml_value(v, disallowed_types) }
+                 when "Hash"
+-                  [typecast_xml_value(entries)]
++                  [typecast_xml_value(entries, disallowed_types)]
+                 else
+                   raise "can't typecast #{entries.inspect}"
+                 end
+@@ -127,14 +145,14 @@ class Hash
+             elsif value['type'] && value.size == 1 && !value['type'].is_a?(::Hash)
+               nil
+             else
+-              xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v)] }]
++              xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v, disallowed_types)] }]
+ 
+               # Turn { :files => { :file => #<StringIO> } into { :files => #<StringIO> } so it is compatible with
+               # how multipart uploaded files from HTML appear
+               xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
+             end
+           when 'Array'
+-            value.map! { |i| typecast_xml_value(i) }
++            value.map! { |i| typecast_xml_value(i, disallowed_types) }
+             value.length > 1 ? value : value.first
+           when 'String'
+             value
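Review bot: this patch changes behaviour for every caller of Hash.from_xml, not only for Rails parameter parsing: an XML document carrying type="symbol" or type="yaml" now raises Hash::DisallowedType instead of returning a value, and only the new Hash.from_trusted_xml (which passes [] as disallowed_types) keeps the old semantics. Reverse dependencies in testing that feed XML with those type attributes from trusted sources into from_xml will start raising and need to move to from_trusted_xml, and code that parses untrusted XML should rescue DisallowedType and report a client error rather than let it surface as a 500. Note that disallowed_types is threaded through every recursive typecast_xml_value call in the hunk, which is what makes the check at the top of the 'Hash' branch apply to nested elements as well; any further recursion added later must pass it along the same way. Separately, the file has git format-patch headers but no DEP-3 fields; add for example "Origin: upstream, commit 43109ecb986470ef023a7e91beb9812718f000fe" and "Bug-Debian: http://bugs.debian.org/697790" above the From: line so the provenance is machine-readable.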
diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/series ruby-activesupport-3.2-3.2.6/debian/patches/series
--- ruby-activesupport-3.2-3.2.6/debian/patches/series	2012-08-10 14:07:22.000000000 -0300
+++ ruby-activesupport-3.2-3.2.6/debian/patches/series	2013-01-09 17:10:22.000000000 -0300
@@ -1 +1,2 @@
 CVE-2012-3464.patch
+CVE-2013-0156.patch
