Bug#716741: pu: package swift/1.4.8-2+deb70u1 (CVE-2013-2161)
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I have prepared an update for Swift 1.4.8-2 in Wheezy. The package
is available here:
http://archive.gplhost.com/pub/security/swift/
Julien Cristau committed the fix for Wheezy on our Git on Alioth, which
I have just uploaded (after tests on our CI).
The debdiff for the package is attached. Note that this new version
also updates the debian/gbp.conf, as this helps the maintainers to
better track updates in Wheezy, and having to fix the gbp.conf on
each rebuild is annoying: please allow this to reach Wheezy as well.
Let me know if I have the green light for the upload,
Cheers,
Thomas Goirand (zigo)
diff -Nru swift-1.4.8/debian/changelog swift-1.4.8/debian/changelog
--- swift-1.4.8/debian/changelog 2012-09-06 08:45:21.000000000 +0000
+++ swift-1.4.8/debian/changelog 2013-07-12 06:08:41.000000000 +0000
@@ -1,3 +1,11 @@
+swift (1.4.8-2+deb70u1) wheezy-proposed-updates; urgency=low
+
+ * CVE-2013-2161: Applied fix for unchecked user input in Swift XML responses
+ (Closes: #712202).
+ * Updated debian/gbp.conf to track Wheezy fixes.
+
+ -- Thomas Goirand <zigo@debian.org> Fri, 12 Jul 2013 13:54:33 +0800
+
swift (1.4.8-2) unstable; urgency=high
* CVE-2012-4406: Do not use pickle for serialization in memcache, but JSON
diff -Nru swift-1.4.8/debian/gbp.conf swift-1.4.8/debian/gbp.conf
--- swift-1.4.8/debian/gbp.conf 2012-09-06 08:45:21.000000000 +0000
+++ swift-1.4.8/debian/gbp.conf 2013-07-12 06:08:41.000000000 +0000
@@ -1,6 +1,7 @@
[DEFAULT]
upstream-branch = master
-debian-branch = debian/unstable
+debian-branch = debian/wheezy
+upstream-tag = %(version)s
[git-buildpackage]
export-dir = ../build-area/
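Review bot: the hunk adds a second setting, `upstream-tag = %(version)s`, in addition to the debian-branch switch that the request text and changelog describe. Since this is a security update to stable, unrelated packaging-tool changes should at least be called out explicitly so the release team can judge them; suggest either documenting the upstream-tag line in the changelog or leaving it out of this upload. Also confirm that the upstream repository actually carries a bare `1.4.8` tag, otherwise gbp will fail to locate the upstream tag on the next rebuild.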
diff -Nru swift-1.4.8/debian/patches/CVE-2013-2161.patch swift-1.4.8/debian/patches/CVE-2013-2161.patch
--- swift-1.4.8/debian/patches/CVE-2013-2161.patch 1970-01-01 00:00:00.000000000 +0000
+++ swift-1.4.8/debian/patches/CVE-2013-2161.patch 2013-07-12 06:08:41.000000000 +0000
@@ -0,0 +1,27 @@
+From 6659382c4fa348e1ebbce2424968dd7267ea1db1 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 27 May 2013 02:07:39 +0000
+Subject: [PATCH] Check user input in XML responses.
+
+Fixes bug 1183884.
+
+* swift/account/server.py: Escape account name in XML listings.
+
+Change-Id: I7ba54631ed1349516132c00a53fae74f0b84ac37
+---
+ swift/account/server.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: swift/swift/account/server.py
+===================================================================
+--- swift.orig/swift/account/server.py 2013-07-12 13:51:47.000000000 +0800
++++ swift/swift/account/server.py 2013-07-12 13:56:46.000000000 +0800
+@@ -238,7 +238,7 @@
+ account_list = '[' + ','.join(json_out) + ']'
+ elif out_content_type.endswith('/xml'):
+ output_list = ['<?xml version="1.0" encoding="UTF-8"?>',
+- '<account name="%s">' % account]
++ '<account name="%s">' % saxutils.escape(account)]
+ for (name, object_count, bytes_used, is_subdir) in account_list:
+ name = saxutils.escape(name)
+ if is_subdir:
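Review bot: the added `saxutils.escape(account)` inside `'<account name="%s">'` escapes `&`, `<` and `>` only; `xml.sax.saxutils.escape()` does not touch the double quote, so a value interpolated into a double-quoted attribute is not fully neutralised by it. For an attribute value, `saxutils.quoteattr(account)` is the right helper (it escapes quotes and supplies the surrounding quotes itself), i.e. `'<account name=%s>' % saxutils.quoteattr(account)`. This follows the upstream commit as-is, which is the usual choice for a stable update, so if the intent is to stay byte-identical to upstream, a DEP-3 `Origin:` or `Bug-Debian:` line pointing at the upstream commit and #712202 would make that traceable; the mixed header (git `From:` block plus a quilt `Index:` line) currently carries neither. The `saxutils` module is already imported in this file, as the unchanged `name = saxutils.escape(name)` context line shows, so no import change is needed.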
diff -Nru swift-1.4.8/debian/patches/series swift-1.4.8/debian/patches/series
--- swift-1.4.8/debian/patches/series 2012-09-06 08:45:21.000000000 +0000
+++ swift-1.4.8/debian/patches/series 2013-07-12 06:08:41.000000000 +0000
@@ -1 +1,2 @@
CVE-2012-4406_Do-not-use-pickle-for-serialization-in-memcache-but-JSON.patch
+CVE-2013-2161.patch
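Review bot: the new entry `CVE-2013-2161.patch` breaks the naming convention of the existing `CVE-2012-4406_Do-not-use-pickle-for-serialization-in-memcache-but-JSON.patch` line above it, which carries a descriptive suffix. Suggest `CVE-2013-2161_Check-user-input-in-XML-responses.patch` (matching the upstream subject) so the series file stays self-describing; the patch file name in the debdiff would need renaming to match.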