Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Please accept the fixes for CVE-2015-4410 in ruby-bson. I already discussed with the security team (tagged as no-dsa).

Source debdiff attached.

https://security-tracker.debian.org/CVE-2015-4410

Regards,
Prach
diff -Nru ruby-bson-1.10.0/debian/changelog ruby-bson-1.10.0/debian/changelog
--- ruby-bson-1.10.0/debian/changelog 2014-05-15 12:00:35.000000000 +0700
+++ ruby-bson-1.10.0/debian/changelog 2015-11-16 08:59:15.000000000 +0700
@@ -1,3 +1,9 @@
+ruby-bson (1.10.0-1+deb8u1) jessie; urgency=medium
+
+ * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)
+
+ -- Prach Pongpanich <prach@debian.org> Mon, 16 Nov 2015 08:55:51 +0700
+
ruby-bson (1.10.0-1) unstable; urgency=medium
[ Cédric Boutillier ]
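Review bot: the changelog entry names the CVE but not what was changed, which makes the stable update harder to audit later; consider naming the fix and the patch, e.g. `* Fix CVE-2015-4410: anchor ObjectId.legal? regexp to the whole string (Update_BSON_ObjectId_validation.patch) (Closes: #787951)`. The version `1.10.0-1+deb8u1` and the `jessie` distribution are correct for a jessie pu upload.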
diff -Nru ruby-bson-1.10.0/debian/gbp.conf ruby-bson-1.10.0/debian/gbp.conf
--- ruby-bson-1.10.0/debian/gbp.conf 1970-01-01 07:00:00.000000000 +0700
+++ ruby-bson-1.10.0/debian/gbp.conf 2015-11-16 08:59:15.000000000 +0700
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/jessie
diff -Nru ruby-bson-1.10.0/debian/patches/series ruby-bson-1.10.0/debian/patches/series
--- ruby-bson-1.10.0/debian/patches/series 2014-05-15 12:00:35.000000000 +0700
+++ ruby-bson-1.10.0/debian/patches/series 2015-11-15 00:59:01.000000000 +0700
@@ -4,3 +4,4 @@
#change_require_activesupport.patch
#add_to_bson_code.patch
remove_rubygems_from_bins.patch
+Update_BSON_ObjectId_validation.patch
diff -Nru ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch
--- ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch 1970-01-01 07:00:00.000000000 +0700
+++ ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch 2015-11-15 00:59:01.000000000 +0700
@@ -0,0 +1,18 @@
+From bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade Mon Sep 17 00:00:00 2001
+From: Emily Stolfo <emily@10gen.com>
+Date: Thu, 4 Jun 2015 11:19:36 -0400
+Subject: [PATCH] RUBY-941 Update BSON ObjectId validation
+
+diff --git a/lib/bson/types/object_id.rb b/lib/bson/types/object_id.rb
+index 5de7f66..6e44efa 100644
+--- a/lib/bson/types/object_id.rb
++++ b/lib/bson/types/object_id.rb
+@@ -51,7 +51,7 @@ def initialize(data=nil, time=nil)
+ #
+ # @return [Boolean]
+ def self.legal?(str)
+- str =~ /^[0-9a-f]{24}$/i ? true : false
++ str =~ /\A[0-9a-f]{24}\z/i ? true : false
+ end
+
+ # Create an object id from the given time. This is useful for doing range
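Review bot: the one-line change is the right fix for the bug class, but the quilt patch header carries no DEP-3 `Bug-Debian:` or `Origin:` field, so the stable update does not record where the change came from; add `Bug-Debian: https://bugs.debian.org/787951` and `Origin: upstream, commit bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade` above the git `From:` line. On the logic: in Ruby `^` and `$` match at line boundaries, not string boundaries, so the old `legal?` accepted any string that merely contained one line of 24 hex digits, which is the injection and DoS vector the CVE describes; `\A` and `\z` anchor to the whole string and make the check mean what the `@return [Boolean]` comment implies. As visible here the patch adds no test, so the reviewer should at least confirm by hand that `BSON::ObjectId.legal?("0123456789abcdef01234567\nanything")` now returns `false` while a plain 24-hex-digit string still returns `true`.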