[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#882724: marked as done (stretch-pu: package ruby-ox/2.1.1-2+b6)

Your message dated Sat, 09 Dec 2017 10:46:36 +0000
with message-id <1512816396.1994.30.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882724,
regarding stretch-pu: package ruby-ox/2.1.1-2+b6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
882724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882724
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

this update fixes bug #881445 [CVE-2017-15928]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
by cherrypicking a patch from upstream, to crash of the ruby interpreter
on a parse error.

Debdiff attached.

As jessie and stretch have the same version of this package, I am
willing to upload the same fix to jessie (same diff except the version
number with deb8 instead of deb9). Should I submit an independent bug
report for the jessie proposed update ?

Thanks in advance.

Cédric

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru ruby-ox-2.1.1/debian/changelog ruby-ox-2.1.1/debian/changelog
--- ruby-ox-2.1.1/debian/changelog	2014-04-04 12:58:15.000000000 +0200
+++ ruby-ox-2.1.1/debian/changelog	2017-11-26 01:08:40.000000000 +0100
@@ -1,3 +1,12 @@
+ruby-ox (2.1.1-2+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * Add fix_parse_obj_segfault.patch picked from upstream
+    + fix CVE-2017-15928: segmentation fault in parse_obj
+    (Closes: #881445)
+
+ -- Cédric Boutillier <boutil@debian.org>  Sun, 26 Nov 2017 01:08:40 +0100
+
 ruby-ox (2.1.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru ruby-ox-2.1.1/debian/gbp.conf ruby-ox-2.1.1/debian/gbp.conf
--- ruby-ox-2.1.1/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ ruby-ox-2.1.1/debian/gbp.conf	2017-11-26 00:52:18.000000000 +0100
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch=stretch/master
+upstream-branch=stretch/upstream
diff -Nru ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch
--- ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch	2017-11-26 01:08:40.000000000 +0100
@@ -0,0 +1,51 @@
+Description: Avoid crash with invalid XML passed to Oj.parse_obj()
+ this fixes CVE-2017-15928
+Author: Peter Ohler <peter@ohler.com>
+Origin: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8.patch
+Bug: https://github.com/ohler55/ox/issues/194
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
+Last-Update: 2017-11-25
+
+--- a/ext/ox/obj_load.c
++++ b/ext/ox/obj_load.c
+@@ -791,8 +791,10 @@
+ 		    Helper	gh;
+ 
+ 		    helper_stack_pop(&pi->helpers);
+-		    gh = helper_stack_peek(&pi->helpers);
+-
++		    if (NULL == (gh = helper_stack_peek(&pi->helpers))) {
++			set_error(&pi->err, "Corrupt parse stack, container is wrong type", pi->str, pi->s);
++			return;
++		    }
+ 		    rb_hash_aset(gh->obj, ph->obj, h->obj);
+ 		}
+ 		break;
+--- a/ext/ox/err.c
++++ b/ext/ox/err.c
+@@ -42,7 +42,11 @@
+     va_end(ap);
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ ox_err_raise(Err e) {
+     rb_raise(e->clas, "%s", e->msg);
+ }
+--- a/ext/ox/ox.c
++++ b/ext/ox/ox.c
+@@ -990,7 +990,11 @@
+ #endif
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ _ox_raise_error(const char *msg, const char *xml, const char *current, const char* file, int line) {
+     int	xline = 1;
+     int	col = 1;
diff -Nru ruby-ox-2.1.1/debian/patches/series ruby-ox-2.1.1/debian/patches/series
--- ruby-ox-2.1.1/debian/patches/series	2014-03-22 13:16:52.000000000 +0100
+++ ruby-ox-2.1.1/debian/patches/series	2017-11-26 01:08:40.000000000 +0100
@@ -1 +1,2 @@
+fix_parse_obj_segfault.patch
 000-fix-so-load-path.patch

--- End Message ---
--- Begin Message --- 
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam

--- End Message ---
Reply to: