Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-sprockets

I have just uploaded 2.12.3-1 to unstable. Even though it is a new upstream version, it includes solely 2 security fixes, including the one for CVE-2014-7819 (Arbitrary file existence disclosure in Sprockets), and another one that I assume was not important enough to get a CVE. Anyway the changes do not introduce any API or behavior change besides the security fixes.

Attached you will find the debdiff between this new version and the one in jessie.

unblock ruby-sprockets/2.12.3-1

-- System Information:
Debian Release: jessie/sid
APT prefers buildd-unstable
APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- Antonio Terceiro <terceiro@debian.org>
Binary files /tmp/yUjvUJRZyP/ruby-sprockets-2.12.1/checksums.yaml.gz and /tmp/wwQmIlt1jH/ruby-sprockets-2.12.3/checksums.yaml.gz differ
diff -Nru ruby-sprockets-2.12.1/debian/changelog ruby-sprockets-2.12.3/debian/changelog
--- ruby-sprockets-2.12.1/debian/changelog 2014-05-19 12:21:50.000000000 -0300
+++ ruby-sprockets-2.12.3/debian/changelog 2014-11-14 16:29:31.000000000 -0200
@@ -1,3 +1,11 @@
+ruby-sprockets (2.12.3-1) unstable; urgency=medium
+
+ * New upstream release
+ - Fix for [CVE-2014-7819] Arbitrary file existence disclosure in
+ Sprockets
+
+ -- Antonio Terceiro <terceiro@debian.org> Fri, 14 Nov 2014 16:29:03 -0200
+
ruby-sprockets (2.12.1-1) unstable; urgency=medium
* New upstream release
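Review bot: the new changelog entry credits only CVE-2014-7819, but the diff also carries the 2.12.2 change that restricts internal asset lookups to the configured load paths (listed under 2.12.2 in the README hunk further down). Since the unblock rationale is that this upload is security-fix-only, add a second bullet for that fix so the release team can match every upstream change to a changelog line.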
diff -Nru ruby-sprockets-2.12.1/debian/control ruby-sprockets-2.12.3/debian/control
--- ruby-sprockets-2.12.1/debian/control 2014-05-19 12:19:43.000000000 -0300
+++ ruby-sprockets-2.12.3/debian/control 2014-11-14 16:29:31.000000000 -0200
@@ -2,9 +2,7 @@
Section: ruby
Priority: optional
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
-Uploaders:
- Ondřej Surý <ondrej@debian.org>,
- Antonio Terceiro <terceiro@debian.org>,
+Uploaders: Antonio Terceiro <terceiro@debian.org>,
Build-Depends: debhelper (>= 7.0.50~),
gem2deb (>= 0.5.0~),
ruby-hike (>= 1.2),
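Review bot: `Uploaders: Antonio Terceiro <terceiro@debian.org>,` keeps the trailing comma left over from the old multi-line list; drop it now that there is a single uploader. This maintainer-list change is not one of the security fixes and deserves its own changelog bullet so the freeze-exception diff is fully accounted for.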
diff -Nru ruby-sprockets-2.12.1/lib/sprockets/base.rb ruby-sprockets-2.12.3/lib/sprockets/base.rb
--- ruby-sprockets-2.12.1/lib/sprockets/base.rb 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/lib/sprockets/base.rb 2014-11-06 04:16:45.000000000 -0200
@@ -261,7 +261,7 @@
# Find asset by logical path or expanded path.
def find_asset(path, options = {})
logical_path = path
- pathname = Pathname.new(path)
+ pathname = Pathname.new(path).cleanpath
if pathname.absolute?
return unless stat(pathname)
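Review bot: `logical_path = path` on the line above is still taken from the raw argument while only `pathname` gets `.cleanpath`; if the non-absolute branch later looks up `logical_path` rather than `pathname`, the normalization does not apply there, so confirm that branch also goes through the cleaned value. Note also that `Pathname#cleanpath` removes `.` and `..` segments lexically and never touches the filesystem, so it does not resolve symlinks; it complements the load-path restriction rather than replacing it, which is worth saying in a comment next to the call.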
diff -Nru ruby-sprockets-2.12.1/lib/sprockets/sass_functions.rb ruby-sprockets-2.12.3/lib/sprockets/sass_functions.rb
--- ruby-sprockets-2.12.1/lib/sprockets/sass_functions.rb 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/lib/sprockets/sass_functions.rb 2014-11-06 04:16:45.000000000 -0200
@@ -3,59 +3,59 @@
module Sprockets
module SassFunctions
def asset_path(path)
- Sass::Script::String.new(sprockets_context.asset_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.asset_path(path.value), :string)
end
def asset_url(path)
- Sass::Script::String.new("url(" + sprockets_context.asset_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.asset_path(path.value) + ")")
end
def image_path(path)
- Sass::Script::String.new(sprockets_context.image_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.image_path(path.value), :string)
end
def image_url(path)
- Sass::Script::String.new("url(" + sprockets_context.image_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.image_path(path.value) + ")")
end
def video_path(path)
- Sass::Script::String.new(sprockets_context.video_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.video_path(path.value), :string)
end
def video_url(path)
- Sass::Script::String.new("url(" + sprockets_context.video_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.video_path(path.value) + ")")
end
def audio_path(path)
- Sass::Script::String.new(sprockets_context.audio_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.audio_path(path.value), :string)
end
def audio_url(path)
- Sass::Script::String.new("url(" + sprockets_context.audio_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.audio_path(path.value) + ")")
end
def font_path(path)
- Sass::Script::String.new(sprockets_context.font_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.font_path(path.value), :string)
end
def font_url(path)
- Sass::Script::String.new("url(" + sprockets_context.font_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.font_path(path.value) + ")")
end
def javascript_path(path)
- Sass::Script::String.new(sprockets_context.javascript_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.javascript_path(path.value), :string)
end
def javascript_url(path)
- Sass::Script::String.new("url(" + sprockets_context.javascript_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.javascript_path(path.value) + ")")
end
def stylesheet_path(path)
- Sass::Script::String.new(sprockets_context.stylesheet_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.stylesheet_path(path.value), :string)
end
def stylesheet_url(path)
- Sass::Script::String.new("url(" + sprockets_context.stylesheet_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.stylesheet_path(path.value) + ")")
end
protected
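Review bot: these fourteen one-line changes prefix `Sass::Script::String` with `::` so the constant resolves to the top-level `Sass` module rather than to anything named `Sass` nested under `Sprockets::SassFunctions`; that is a constant-resolution fix, not one of the security fixes the unblock request describes, so call it out in the changelog. The `sprockets_context.<type>_path(path.value)` pair repeated for every asset type could be generated from a list of types, but that is a refactor for upstream, not for a freeze exception.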
diff -Nru ruby-sprockets-2.12.1/lib/sprockets/sass_importer.rb ruby-sprockets-2.12.3/lib/sprockets/sass_importer.rb
--- ruby-sprockets-2.12.1/lib/sprockets/sass_importer.rb 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/lib/sprockets/sass_importer.rb 2014-11-06 04:16:45.000000000 -0200
@@ -3,7 +3,7 @@
module Sprockets
# This custom importer that tracks all imported filenames during
# compile.
- class SassImporter < Sass::Importers::Filesystem
+ class SassImporter < ::Sass::Importers::Filesystem
attr_reader :imported_filenames
def initialize(*args)
diff -Nru ruby-sprockets-2.12.1/lib/sprockets/server.rb ruby-sprockets-2.12.3/lib/sprockets/server.rb
--- ruby-sprockets-2.12.1/lib/sprockets/server.rb 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/lib/sprockets/server.rb 2014-11-06 04:16:45.000000000 -0200
@@ -33,16 +33,16 @@
# Extract the path from everything after the leading slash
path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
- # URLs containing a `".."` are rejected for security reasons.
- if forbidden_request?(path)
- return forbidden_response
- end
-
# Strip fingerprint
if fingerprint = path_fingerprint(path)
path = path.sub("-#{fingerprint}", '')
end
+ # URLs containing a `".."` are rejected for security reasons.
+ if forbidden_request?(path)
+ return forbidden_response
+ end
+
# Look up the asset.
asset = find_asset(path, :bundle => !body_only?(env))
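Review bot: moving `forbidden_request?(path)` below the fingerprint strip means the `..` check now runs on the same string that `find_asset` receives; in the old order `path.sub("-#{fingerprint}", '')` could alter the path after it had already been checked. Add a comment on the check stating that it must stay after the strip, so a later tidy-up does not reorder the two blocks again and silently reopen the gap.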
@@ -90,7 +90,7 @@
#
# http://example.org/assets/../../../etc/passwd
#
- path.include?("..")
+ path.include?("..") || Pathname.new(path).absolute?
end
# Returns a 403 Forbidden response tuple
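Review bot: the comment above the method still documents only the `http://example.org/assets/../../../etc/passwd` case, but the condition now also rejects absolute paths via `Pathname.new(path).absolute?`; extend the comment to say why an absolute path can reach this point (the leading-slash strip on the `PATH_INFO` line removes only one slash). Also note that `path.include?("..")` is a substring test, so a legitimate filename such as `a..b.js` is rejected as well; that is an acceptable trade-off for a development-mode server but should be documented.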
@@ -222,7 +222,7 @@
# # => "0aa2105d29558f3eb790d411d7d8fb66"
#
def path_fingerprint(path)
- path[/-([0-9a-f]{7,40})\.[^.]+$/, 1]
+ path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1]
end
# URI.unescape is deprecated on 1.9. We need to use URI::Parser
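Review bot: in a Ruby regexp `$` matches before any newline, not only at the end of the string, so the old `path_fingerprint` pattern could match a fingerprint that ended an earlier line of a multi-line path; `\z` anchors to the true end of the string. The same `$`/`^` versus `\z`/`\A` check applies to the other anchored patterns in this file, for example `sub(/^\//, '')` on the `PATH_INFO` line in the first hunk, where `^` likewise matches at the start of any line.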
diff -Nru ruby-sprockets-2.12.1/lib/sprockets/version.rb ruby-sprockets-2.12.3/lib/sprockets/version.rb
--- ruby-sprockets-2.12.1/lib/sprockets/version.rb 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/lib/sprockets/version.rb 2014-11-06 04:16:45.000000000 -0200
@@ -1,3 +1,3 @@
module Sprockets
- VERSION = "2.12.1"
+ VERSION = "2.12.3"
end
diff -Nru ruby-sprockets-2.12.1/metadata.yml ruby-sprockets-2.12.3/metadata.yml
--- ruby-sprockets-2.12.1/metadata.yml 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/metadata.yml 2014-11-06 04:16:45.000000000 -0200
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: sprockets
version: !ruby/object:Gem::Version
- version: 2.12.1
+ version: 2.12.3
platform: ruby
authors:
- Sam Stephenson
@@ -9,236 +9,236 @@
autorequire:
bindir: bin
cert_chain: []
-date: 2014-04-17 00:00:00.000000000 Z
+date: 2014-10-28 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: hike
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.2'
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.2'
- !ruby/object:Gem::Dependency
name: multi_json
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
- !ruby/object:Gem::Dependency
name: rack
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
- !ruby/object:Gem::Dependency
name: tilt
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.1'
- - - '!='
+ - - "!="
- !ruby/object:Gem::Version
version: 1.3.0
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.1'
- - - '!='
+ - - "!="
- !ruby/object:Gem::Version
version: 1.3.0
- !ruby/object:Gem::Dependency
name: closure-compiler
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
- !ruby/object:Gem::Dependency
name: coffee-script
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '2.0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '2.0'
- !ruby/object:Gem::Dependency
name: coffee-script-source
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.2'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.2'
- !ruby/object:Gem::Dependency
name: eco
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
- !ruby/object:Gem::Dependency
name: ejs
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
- !ruby/object:Gem::Dependency
name: execjs
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
- !ruby/object:Gem::Dependency
name: json
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
- !ruby/object:Gem::Dependency
name: rack-test
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
- !ruby/object:Gem::Dependency
name: rake
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
- !ruby/object:Gem::Dependency
name: sass
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '3.1'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '3.1'
- !ruby/object:Gem::Dependency
name: uglifier
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
- !ruby/object:Gem::Dependency
name: yui-compressor
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
description: Sprockets is a Rack-based asset packaging system that concatenates and
@@ -251,9 +251,11 @@
extensions: []
extra_rdoc_files: []
files:
-- README.md
- LICENSE
+- README.md
+- bin/sprockets
- lib/rake/sprocketstask.rb
+- lib/sprockets.rb
- lib/sprockets/asset.rb
- lib/sprockets/asset_attributes.rb
- lib/sprockets/base.rb
@@ -291,8 +293,6 @@
- lib/sprockets/utils.rb
- lib/sprockets/version.rb
- lib/sprockets/yui_compressor.rb
-- lib/sprockets.rb
-- bin/sprockets
homepage: http://getsprockets.org/
licenses:
- MIT
@@ -303,19 +303,18 @@
- lib
required_ruby_version: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
required_rubygems_version: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
requirements: []
rubyforge_project: sprockets
-rubygems_version: 2.0.3
+rubygems_version: 2.2.2
signing_key:
specification_version: 4
summary: Rack-based asset packaging system
test_files: []
-has_rdoc:
diff -Nru ruby-sprockets-2.12.1/README.md ruby-sprockets-2.12.3/README.md
--- ruby-sprockets-2.12.1/README.md 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/README.md 2014-11-06 04:16:45.000000000 -0200
@@ -366,6 +366,17 @@
## Version History ##
+**2.12.3** (October 28, 2014)
+
+* Security: Fix directory traversal bug in development mode server.
+
+**2.12.2** (September 5, 2014)
+
+* Ensure internal asset lookups calls are still restricted to load paths within
+ asset compiles. Though, you should not depend on internal asset resolves to be
+ completely restricted for security reasons. Assets themselves should be
+ considered full scripting environments with filesystem access.
+
**2.12.1** (April 17, 2014)
* Fix making manifest target directory when its different than the output directory.
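Review bot: the 2.12.2 entry itself states that internal asset resolves should not be relied on to be completely restricted and that assets are full scripting environments with filesystem access; that caveat scopes what the CVE-2014-7819 fix does and does not promise and belongs in the Debian changelog entry alongside the CVE reference, so users of the jessie package do not read the fix as a general sandbox.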