Your message dated Wed, 09 Jan 2013 21:32:30 +0000 with message-id <1357767150.21796.0.camel@jacala.jungle.funky-badger.org> and subject line Re: Bug#697799: unblock: ruby-activesupport-3.2/3.2.6-5 has caused the Debian Bug report #697799, regarding unblock: ruby-activesupport-3.2/3.2.6-5 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 697799: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697799 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: ruby-activesupport-3.2/3.2.6-5
- From: Antonio Terceiro <terceiro@debian.org>
- Date: Wed, 9 Jan 2013 17:50:59 -0300
- Message-id: <20130109205059.GA9422@debian.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby-activesupport-3.2 This release includes a fix for CVE-2013-0156, fixing debian bug #697790 The debdiff against the package in testing is attached unblock ruby-activesupport-3.2/3.2.6-5 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>diff -Nru ruby-activesupport-3.2-3.2.6/debian/changelog ruby-activesupport-3.2-3.2.6/debian/changelog --- ruby-activesupport-3.2-3.2.6/debian/changelog 2012-08-10 14:23:44.000000000 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/changelog 2013-01-09 17:24:43.000000000 -0300 @@ -1,3 +1,10 @@ +ruby-activesupport-3.2 (3.2.6-5) unstable; urgency=high + + * debian/patches/CVE-2013-0156.patch: fix for vulnerabilities in + vulnerabilities in parameter parsing [CVE-2013-0156] (Closes: #697790) + + -- Antonio Terceiro <terceiro@debian.org> Wed, 09 Jan 2013 17:23:52 -0300 + ruby-activesupport-3.2 (3.2.6-4) unstable; urgency=high * debian/patches/CVE-2012-3464.patch: fixes potential XSS vulnerability. diff -Nru ruby-activesupport-3.2-3.2.6/debian/control ruby-activesupport-3.2-3.2.6/debian/control --- ruby-activesupport-3.2-3.2.6/debian/control 2012-06-24 18:57:55.000000000 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/control 2012-09-01 17:38:38.000000000 -0300 @@ -3,7 +3,6 @@ Priority: optional Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org> Uploaders: - Ondřej Surý <ondrej@debian.org>, Antonio Terceiro <terceiro@debian.org>, DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), diff -Nru ruby-activesupport-3.2-3.2.6/debian/control.in ruby-activesupport-3.2-3.2.6/debian/control.in --- ruby-activesupport-3.2-3.2.6/debian/control.in 2012-06-15 23:41:30.000000000 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/control.in 2012-09-01 17:38:38.000000000 -0300 @@ -3,7 +3,6 @@ Priority: optional Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org> Uploaders: - Ondřej Surý <ondrej@debian.org>, Antonio Terceiro <terceiro@debian.org>, DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch --- ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/patches/CVE-2013-0156.patch 2013-01-09 17:10:22.000000000 -0300 @@ -0,0 +1,76 @@ +From 43109ecb986470ef023a7e91beb9812718f000fe Mon Sep 17 00:00:00 2001 +From: Jeremy Kemper <jeremy@bitsweat.net> +Date: Sat, 5 Jan 2013 17:46:26 -0700 +Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow + symbols or yaml. + +diff --git a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb +index 5f07bb4..b820a16 100644 +--- a/lib/active_support/core_ext/hash/conversions.rb ++++ b/lib/active_support/core_ext/hash/conversions.rb +@@ -85,15 +85,33 @@ class Hash + end + end + ++ class DisallowedType < StandardError #:nodoc: ++ def initialize(type) ++ super "Disallowed type attribute: #{type.inspect}" ++ end ++ end ++ ++ DISALLOWED_XML_TYPES = %w(symbol yaml) ++ + class << self +- def from_xml(xml) +- typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml))) ++ def from_xml(xml, disallowed_types = nil) ++ typecast_xml_value(unrename_keys(ActiveSupport::XmlMini.parse(xml)), disallowed_types) ++ end ++ ++ def from_trusted_xml(xml) ++ from_xml xml, [] + end + + private +- def typecast_xml_value(value) ++ def typecast_xml_value(value, disallowed_types = nil) ++ disallowed_types ||= DISALLOWED_XML_TYPES ++ + case value.class.to_s + when 'Hash' ++ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type']) ++ raise DisallowedType, value['type'] ++ end ++ + if value['type'] == 'array' + _, entries = Array.wrap(value.detect { |k,v| not v.is_a?(String) }) + if entries.nil? || (c = value['__content__'] && c.blank?) +@@ -101,9 +119,9 @@ class Hash + else + case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a? + when "Array" +- entries.collect { |v| typecast_xml_value(v) } ++ entries.collect { |v| typecast_xml_value(v, disallowed_types) } + when "Hash" +- [typecast_xml_value(entries)] ++ [typecast_xml_value(entries, disallowed_types)] + else + raise "can't typecast #{entries.inspect}" + end +@@ -127,14 +145,14 @@ class Hash + elsif value['type'] && value.size == 1 && !value['type'].is_a?(::Hash) + nil + else +- xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v)] }] ++ xml_value = Hash[value.map { |k,v| [k, typecast_xml_value(v, disallowed_types)] }] + + # Turn { :files => { :file => #<StringIO> } into { :files => #<StringIO> } so it is compatible with + # how multipart uploaded files from HTML appear + xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value + end + when 'Array' +- value.map! { |i| typecast_xml_value(i) } ++ value.map! { |i| typecast_xml_value(i, disallowed_types) } + value.length > 1 ? value : value.first + when 'String' + value diff -Nru ruby-activesupport-3.2-3.2.6/debian/patches/series ruby-activesupport-3.2-3.2.6/debian/patches/series --- ruby-activesupport-3.2-3.2.6/debian/patches/series 2012-08-10 14:07:22.000000000 -0300 +++ ruby-activesupport-3.2-3.2.6/debian/patches/series 2013-01-09 17:10:22.000000000 -0300 @@ -1 +1,2 @@ CVE-2012-3464.patch +CVE-2013-0156.patchAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: Antonio Terceiro <terceiro@debian.org>, 697799-done@bugs.debian.org
- Subject: Re: Bug#697799: unblock: ruby-activesupport-3.2/3.2.6-5
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Wed, 09 Jan 2013 21:32:30 +0000
- Message-id: <1357767150.21796.0.camel@jacala.jungle.funky-badger.org>
- In-reply-to: <20130109205059.GA9422@debian.org>
- References: <20130109205059.GA9422@debian.org>
On Wed, 2013-01-09 at 17:50 -0300, Antonio Terceiro wrote: > Please unblock package ruby-activesupport-3.2 > > This release includes a fix for CVE-2013-0156, fixing debian bug > #697790 Unblocked; thanks. Regards, Adam
--- End Message ---