Your message dated Fri, 14 Nov 2014 20:10:58 +0000
with message-id <1415995858.29689.17.camel@adam-barratt.org.uk>
and subject line Re: Bug#769587: unblock: ruby-sprockets/2.12.3-1
has caused the Debian Bug report #769587,
regarding unblock: ruby-sprockets/2.12.3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
769587: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769587
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: ruby-sprockets/2.12.3-1
- From: Antonio Terceiro <terceiro@debian.org>
- Date: Fri, 14 Nov 2014 17:04:39 -0200
- Message-id: <20141114190439.GA5561@debian.org>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-sprockets

I have just uploaded 2.12.3-1 to unstable. Even though it is a new
upstream version, it includes solely 2 security fixes, including the one
for CVE-2014-7819 (Arbitrary file existence disclosure in Sprockets),
and another one that I assume was not important enough to get a CVE.

Anyway, the changes do not introduce any API or behavior change besides
the security fixes.

Attached you will find the debdiff between this new version and the one
in jessie.

unblock ruby-sprockets/2.12.3-1

-- System Information:
Debian Release: jessie/sid
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>

Binary files /tmp/yUjvUJRZyP/ruby-sprockets-2.12.1/checksums.yaml.gz and /tmp/wwQmIlt1jH/ruby-sprockets-2.12.3/checksums.yaml.gz differ diff -Nru ruby-sprockets-2.12.1/debian/changelog ruby-sprockets-2.12.3/debian/changelog --- ruby-sprockets-2.12.1/debian/changelog 2014-05-19 12:21:50.000000000 -0300 +++ ruby-sprockets-2.12.3/debian/changelog 2014-11-14 16:29:31.000000000 -0200 @@ -1,3 +1,11 @@ +ruby-sprockets (2.12.3-1) unstable; urgency=medium + + * New upstream release + - Fix for [CVE-2014-7819] Arbitrary file existence disclosure in + Sprockets + + -- Antonio Terceiro <terceiro@debian.org> Fri, 14 Nov 2014 16:29:03 -0200 + ruby-sprockets (2.12.1-1) unstable; urgency=medium * New upstream release diff -Nru ruby-sprockets-2.12.1/debian/control ruby-sprockets-2.12.3/debian/control --- ruby-sprockets-2.12.1/debian/control 2014-05-19 12:19:43.000000000 -0300 +++ ruby-sprockets-2.12.3/debian/control 2014-11-14 16:29:31.000000000 -0200 
@@ -2,9 +2,7 @@ Section: ruby Priority: optional Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org> -Uploaders: - Ondřej Surý <ondrej@debian.org>, - Antonio Terceiro <terceiro@debian.org>, +Uploaders: Antonio Terceiro <terceiro@debian.org>, Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.5.0~), ruby-hike (>= 1.2), diff -Nru ruby-sprockets-2.12.1/lib/sprockets/base.rb ruby-sprockets-2.12.3/lib/sprockets/base.rb --- ruby-sprockets-2.12.1/lib/sprockets/base.rb 2014-04-20 04:46:01.000000000 -0300 +++ ruby-sprockets-2.12.3/lib/sprockets/base.rb 2014-11-06 04:16:45.000000000 -0200 @@ -261,7 +261,7 @@ # Find asset by logical path or expanded path. def find_asset(path, options = {}) logical_path = path - pathname = Pathname.new(path) + pathname = Pathname.new(path).cleanpath if pathname.absolute? return unless stat(pathname) diff -Nru ruby-sprockets-2.12.1/lib/sprockets/sass_functions.rb ruby-sprockets-2.12.3/lib/sprockets/sass_functions.rb --- ruby-sprockets-2.12.1/lib/sprockets/sass_functions.rb 2014-04-20 04:46:01.000000000 -0300 +++ ruby-sprockets-2.12.3/lib/sprockets/sass_functions.rb 2014-11-06 04:16:45.000000000 -0200 
@@ -3,59 +3,59 @@ module Sprockets module SassFunctions def asset_path(path) - Sass::Script::String.new(sprockets_context.asset_path(path.value), :string) + ::Sass::Script::String.new(sprockets_context.asset_path(path.value), :string) end def asset_url(path) - Sass::Script::String.new("url(" + sprockets_context.asset_path(path.value) + ")") + ::Sass::Script::String.new("url(" + sprockets_context.asset_path(path.value) + ")") end def image_path(path) - Sass::Script::String.new(sprockets_context.image_path(path.value), :string) + ::Sass::Script::String.new(sprockets_context.image_path(path.value), :string) end def image_url(path) - Sass::Script::String.new("url(" + sprockets_context.image_path(path.value) + ")") + ::Sass::Script::String.new("url(" + sprockets_context.image_path(path.value) + ")") end def video_path(path) - Sass::Script::String.new(sprockets_context.video_path(path.value), :string) + ::Sass::Script::String.new(sprockets_context.video_path(path.value), :string) end def video_url(path) - Sass::Script::String.new("url(" + sprockets_context.video_path(path.value) + ")") + ::Sass::Script::String.new("url(" + sprockets_context.video_path(path.value) + ")") end def audio_path(path) - Sass::Script::String.new(sprockets_context.audio_path(path.value), :string) + ::Sass::Script::String.new(sprockets_context.audio_path(path.value), :string) end def audio_url(path) - Sass::Script::String.new("url(" + sprockets_context.audio_path(path.value) + ")") + ::Sass::Script::String.new("url(" + sprockets_context.audio_path(path.value) + ")") end def font_path(path) - Sass::Script::String.new(sprockets_context.font_path(path.value), :string) + ::Sass::Script::String.new(sprockets_context.font_path(path.value), :string) end def font_url(path) - Sass::Script::String.new("url(" + sprockets_context.font_path(path.value) + ")") + ::Sass::Script::String.new("url(" + sprockets_context.font_path(path.value) + ")") end def javascript_path(path) - 
Sass::Script::String.new(sprockets_context.javascript_path(path.value), :string) + ::Sass::Script::String.new(sprockets_context.javascript_path(path.value), :string) end def javascript_url(path) - Sass::Script::String.new("url(" + sprockets_context.javascript_path(path.value) + ")") + ::Sass::Script::String.new("url(" + sprockets_context.javascript_path(path.value) + ")") end def stylesheet_path(path) - Sass::Script::String.new(sprockets_context.stylesheet_path(path.value), :string) + ::Sass::Script::String.new(sprockets_context.stylesheet_path(path.value), :string) end def stylesheet_url(path) - Sass::Script::String.new("url(" + sprockets_context.stylesheet_path(path.value) + ")") + ::Sass::Script::String.new("url(" + sprockets_context.stylesheet_path(path.value) + ")") end protected diff -Nru ruby-sprockets-2.12.1/lib/sprockets/sass_importer.rb ruby-sprockets-2.12.3/lib/sprockets/sass_importer.rb --- ruby-sprockets-2.12.1/lib/sprockets/sass_importer.rb 2014-04-20 04:46:01.000000000 -0300 +++ ruby-sprockets-2.12.3/lib/sprockets/sass_importer.rb 2014-11-06 04:16:45.000000000 -0200 @@ -3,7 +3,7 @@ module Sprockets # This custom importer that tracks all imported filenames during # compile. - class SassImporter < Sass::Importers::Filesystem + class SassImporter < ::Sass::Importers::Filesystem attr_reader :imported_filenames def initialize(*args) diff -Nru ruby-sprockets-2.12.1/lib/sprockets/server.rb ruby-sprockets-2.12.3/lib/sprockets/server.rb --- ruby-sprockets-2.12.1/lib/sprockets/server.rb 2014-04-20 04:46:01.000000000 -0300 +++ ruby-sprockets-2.12.3/lib/sprockets/server.rb 2014-11-06 04:16:45.000000000 -0200 
@@ -33,16 +33,16 @@ # Extract the path from everything after the leading slash path = unescape(env['PATH_INFO'].to_s.sub(/^\//, '')) - # URLs containing a `".."` are rejected for security reasons. - if forbidden_request?(path) - return forbidden_response - end - # Strip fingerprint if fingerprint = path_fingerprint(path) path = path.sub("-#{fingerprint}", '') end + # URLs containing a `".."` are rejected for security reasons. + if forbidden_request?(path) + return forbidden_response + end + # Look up the asset. asset = find_asset(path, :bundle => !body_only?(env)) @@ -90,7 +90,7 @@ # # http://example.org/assets/../../../etc/passwd # - path.include?("..") + path.include?("..") || Pathname.new(path).absolute? end # Returns a 403 Forbidden response tuple @@ -222,7 +222,7 @@ # # => "0aa2105d29558f3eb790d411d7d8fb66" # def path_fingerprint(path) - path[/-([0-9a-f]{7,40})\.[^.]+$/, 1] + path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1] end # URI.unescape is deprecated on 1.9. We need to use URI::Parser diff -Nru ruby-sprockets-2.12.1/lib/sprockets/version.rb ruby-sprockets-2.12.3/lib/sprockets/version.rb --- ruby-sprockets-2.12.1/lib/sprockets/version.rb 2014-04-20 04:46:01.000000000 -0300 +++ ruby-sprockets-2.12.3/lib/sprockets/version.rb 2014-11-06 04:16:45.000000000 -0200 @@ -1,3 +1,3 @@ module Sprockets - VERSION = "2.12.1" + VERSION = "2.12.3" end diff -Nru ruby-sprockets-2.12.1/metadata.yml ruby-sprockets-2.12.3/metadata.yml --- ruby-sprockets-2.12.1/metadata.yml 2014-04-20 04:46:01.000000000 -0300 +++ ruby-sprockets-2.12.3/metadata.yml 2014-11-06 04:16:45.000000000 -0200 @@ -1,7 +1,7 @@ --- !ruby/object:Gem::Specification name: sprockets version: !ruby/object:Gem::Version - version: 2.12.1 + version: 2.12.3 platform: ruby authors: - Sam Stephenson 
@@ -9,236 +9,236 @@ autorequire: bindir: bin cert_chain: [] -date: 2014-04-17 00:00:00.000000000 Z +date: 2014-10-28 00:00:00.000000000 Z dependencies: - !ruby/object:Gem::Dependency name: hike requirement: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.2' type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.2' - !ruby/object:Gem::Dependency name: multi_json requirement: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.0' type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.0' - !ruby/object:Gem::Dependency name: rack requirement: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.0' type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.0' - !ruby/object:Gem::Dependency name: tilt requirement: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.1' - - - '!=' + - - "!=" - !ruby/object:Gem::Version version: 1.3.0 type: :runtime prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.1' - - - '!=' + - - "!=" - !ruby/object:Gem::Version version: 1.3.0 - !ruby/object:Gem::Dependency name: closure-compiler requirement: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' - !ruby/object:Gem::Dependency name: coffee-script requirement: 
!ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '2.0' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '2.0' - !ruby/object:Gem::Dependency name: coffee-script-source requirement: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.2' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.2' - !ruby/object:Gem::Dependency name: eco requirement: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.0' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.0' - !ruby/object:Gem::Dependency name: ejs requirement: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.0' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.0' - !ruby/object:Gem::Dependency name: execjs requirement: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.0' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '1.0' - !ruby/object:Gem::Dependency name: json requirement: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' - !ruby/object:Gem::Dependency name: rack-test requirement: 
!ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' - !ruby/object:Gem::Dependency name: rake requirement: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' - !ruby/object:Gem::Dependency name: sass requirement: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '3.1' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - ~> + - - "~>" - !ruby/object:Gem::Version version: '3.1' - !ruby/object:Gem::Dependency name: uglifier requirement: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' - !ruby/object:Gem::Dependency name: yui-compressor requirement: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' type: :development prerelease: false version_requirements: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' description: Sprockets is a Rack-based asset packaging system that concatenates and @@ -251,9 +251,11 @@ extensions: [] extra_rdoc_files: [] files: -- README.md - LICENSE +- README.md +- bin/sprockets - lib/rake/sprocketstask.rb +- lib/sprockets.rb - lib/sprockets/asset.rb - lib/sprockets/asset_attributes.rb - lib/sprockets/base.rb 
@@ -291,8 +293,6 @@ - lib/sprockets/utils.rb - lib/sprockets/version.rb - lib/sprockets/yui_compressor.rb -- lib/sprockets.rb -- bin/sprockets homepage: http://getsprockets.org/ licenses: - MIT @@ -303,19 +303,18 @@ - lib required_ruby_version: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' required_rubygems_version: !ruby/object:Gem::Requirement requirements: - - - '>=' + - - ">=" - !ruby/object:Gem::Version version: '0' requirements: [] rubyforge_project: sprockets -rubygems_version: 2.0.3 +rubygems_version: 2.2.2 signing_key: specification_version: 4 summary: Rack-based asset packaging system test_files: [] -has_rdoc: diff -Nru ruby-sprockets-2.12.1/README.md ruby-sprockets-2.12.3/README.md --- ruby-sprockets-2.12.1/README.md 2014-04-20 04:46:01.000000000 -0300 +++ ruby-sprockets-2.12.3/README.md 2014-11-06 04:16:45.000000000 -0200 @@ -366,6 +366,17 @@ ## Version History ## +**2.12.3** (October 28, 2014) + +* Security: Fix directory traversal bug in development mode server. + +**2.12.2** (September 5, 2014) + +* Ensure internal asset lookups calls are still restricted to load paths within + asset compiles. Though, you should not depend on internal asset resolves to be + completely restricted for security reasons. Assets themselves should be + considered full scripting environments with filesystem access. + **2.12.1** (April 17, 2014) * Fix making manifest target directory when its different than the output directory.Attachment: signature.asc
Description: Digital signature
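Review bot: the debian/changelog entry records only the CVE-2014-7819 fix, but the debdiff also carries the upstream 2.12.2 change (the `cleanpath` normalisation in find_asset, which the README lists as "Ensure internal asset lookups calls are still restricted to load paths") and the `::Sass` constant-lookup fix in sass_functions.rb and sass_importer.rb. Add one changelog line per change, e.g. `- Restrict internal asset lookups to load paths (upstream 2.12.2)`, so the freeze reviewer can map every source hunk to a stated reason.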
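Review bot: the debian/control hunk drops Ondřej Surý from Uploaders, which is an unrelated packaging change in what is otherwise a security-only upload during the freeze, and it is not mentioned in debian/changelog. Either record it there ("Remove Ondřej Surý from Uploaders") or defer it to a later upload so the debdiff contains only the advertised fixes.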
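Review bot: in the lib/sprockets/base.rb hunk, `Pathname.new(path).cleanpath` is a purely lexical normalisation (it collapses `.` and `..` segments without consulting the filesystem), so it resolves nothing through symlinks, and the `if pathname.absolute?` branch that follows still calls `stat(pathname)` on whatever absolute path it is handed. That `stat` is exactly the existence oracle behind CVE-2014-7819 whenever a caller does not reject absolute paths first; the server.rb hunk adds that rejection for HTTP requests, but find_asset is also reached from inside asset compiles, which is what the README's 2.12.2 note about not relying on internal resolves being restricted is warning about. A one-line comment here stating where the load-path restriction actually lives would save the next reader from assuming this line provides it.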
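Review bot: in the first lib/sprockets/server.rb hunk, moving `forbidden_request?(path)` after the fingerprint strip is the right order, and the reason deserves a comment because it is not obvious: `path.sub("-#{fingerprint}", '')` replaces only the first occurrence of `-<hex>`, which need not be the trailing one that `path_fingerprint` matched. For a `PATH_INFO` of `/.-0123456./etc/passwd-0123456.txt` the fingerprint is `0123456`, the old order saw no `..` and let the request through, and the strip then turned the path into `../etc/passwd-0123456.txt` before find_asset was called. With the check after the strip the `..` is visible. Consider also restricting the strip to the trailing fingerprint, e.g. `path.sub(/-#{fingerprint}(?=\.[^.]+\z)/, '')`, so that an attacker-chosen earlier occurrence is never removed at all.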
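Review bot: in the second server.rb hunk the comment above `forbidden_request?` still says only that URLs containing `..` are rejected; update it to cover the new `Pathname.new(path).absolute?` test. That test is needed because the earlier `sub(/^\//, '')` removes exactly one leading slash, so a request for `//etc/passwd` reaches this point as `/etc/passwd`, which find_asset's absolute branch would `stat` directly; `path` has already been through `unescape`, so the percent-encoded form `%2F%2Fetc%2Fpasswd` takes the same route. Note also that `path.include?("..")` is a substring test and therefore rejects legitimate names such as `foo..bar.js`; acceptable for a development server, but worth stating in the comment.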
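Review bot: in the third server.rb hunk the change from `$` to `\z` in `path_fingerprint` is correct and should be explained in the comment: in Ruby `$` matches at the end of any line, so a path carrying an embedded newline (`unescape` turns `%0A` into one) could satisfy `-([0-9a-f]{7,40})\.[^.]+$` on an interior line and cause a `-<hex>` that is not at the end of the path to be stripped; `\z` anchors to the true end of the string. The same line-versus-string distinction applies to the `^` in `sub(/^\//, '')` a few lines earlier; `\A` is the strict form if that strip is ever meant to apply only to the very first character.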
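Review bot: the `Sass::` to `::Sass::` change throughout lib/sprockets/sass_functions.rb, and `::Sass::Importers::Filesystem` in lib/sprockets/sass_importer.rb, is a constant-lookup fix rather than a security fix: inside `module Sprockets` a bare `Sass` is resolved lexically, so any `Sprockets::Sass` constant would shadow the sass gem, and the top-level anchor removes that ambiguity. It is behaviour-preserving when no such constant exists, which is consistent with the request's "no API or behavior change" claim, but it is still a source change in a freeze upload and should be listed in debian/changelog.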
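Review bot: the metadata.yml churn (`~>` to `"~>"`, `'>='` to `">="`, the reordered `files:` list, `rubygems_version` 2.0.3 to 2.2.2 and the dropped `has_rdoc:` key) is a regeneration artefact of building the gem with a newer rubygems and changes no dependency constraint; the only substantive line is `date: 2014-10-28`, which matches the 2.12.3 date given in the README hunk. Saying so in the unblock request would let the reviewer skip this file.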
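Review bot: the README hunk describes 2.12.3 as a "directory traversal bug in development mode server" while debian/changelog and the CVE title call it "arbitrary file existence disclosure"; both refer to the same server.rb change, where the traversal lets a request probe whether a path outside the asset root exists rather than read it. Using one consistent wording in the Debian changelog (e.g. quoting the CVE title and adding "directory traversal in the development server") avoids the reviewer having to reconcile the two.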
--- End Message ---
--- Begin Message ---
- To: Antonio Terceiro <terceiro@debian.org>, 769587-done@bugs.debian.org
- Subject: Re: Bug#769587: unblock: ruby-sprockets/2.12.3-1
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Fri, 14 Nov 2014 20:10:58 +0000
- Message-id: <1415995858.29689.17.camel@adam-barratt.org.uk>
- In-reply-to: <20141114190439.GA5561@debian.org>
- References: <20141114190439.GA5561@debian.org>
On Fri, 2014-11-14 at 17:04 -0200, Antonio Terceiro wrote:
> Please unblock package ruby-sprockets
> 
> I have just uploaded 2.12.3-1 to unstable. Even though it is a new
> upstream version, it includes solely 2 security fixes, including the one
> for CVE-2014-7819 (Arbitrary file existence disclosure in Sprockets),
> and another one that I assume was not important enough to get a CVE.
> 
> Anyway the changes do not introduce any API or behavior change besides
> the security fixes.

Unblocked.

Regards,

Adam
--- End Message ---