Bug#914184: stretch-pu: package ruby-rack/1.6.4-4+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear stable release managers,
Please consider ruby-rack (1.6.4-4+deb9u1) for stretch:
ruby-rack (1.6.4-4+deb9u1) stretch; urgency=medium
* CVE-2018-16471: Prevent a possible XSS vulnerability where a malicious
request could impact the HTTP/HTTPS scheme returned to the underlying
application. (Closes: #913005)
The full diff is attached.
Regards,
-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
diff --git a/debian/changelog b/debian/changelog
index da7b047..dbb5d8f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ruby-rack (1.6.4-4+deb9u1) stretch; urgency=medium
+
+ * CVE-2018-16471: Prevent a possible XSS vulnerability where a malicious
+ request could impact the HTTP/HTTPS scheme returned to the underlying
+ application. (Closes: #913005)
+
+ -- Chris Lamb <lamby@debian.org> Tue, 20 Nov 2018 10:10:14 +0100
+
ruby-rack (1.6.4-4) unstable; urgency=medium
* Team upload.
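Review bot: the changelog entry describes the impact but not the behavioural change a stable user will see, which is that values of X-Forwarded-Scheme and X-Forwarded-Proto other than `http` or `https` are now ignored and the scheme falls back to `rack.url_scheme`. Suggest adding a continuation line such as `    Only 'http' and 'https' are now accepted from those headers.` so apt-listchanges readers running behind a reverse proxy know to check what their proxy sends.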
diff --git a/debian/patches/CVE-2018-16471.patch b/debian/patches/CVE-2018-16471.patch
new file mode 100644
index 0000000..51f98c2
--- /dev/null
+++ b/debian/patches/CVE-2018-16471.patch
@@ -0,0 +1,52 @@
+From: Chris Lamb <lamby@debian.org>
+Date: Tue, 20 Nov 2018 10:03:55 +0100
+Subject: CVE-2018-16471
+
+Backported from https://github.com/rack/rack/commit/97ca63d87d88b4088fb1995b14103d4fe6a5e594
+---
+ lib/rack/request.rb | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/request.rb b/lib/rack/request.rb
+index ac95b1c..7459603 100644
+--- a/lib/rack/request.rb
++++ b/lib/rack/request.rb
+@@ -13,6 +13,8 @@ module Rack
+ # The environment of the request.
+ attr_reader :env
+
++ SCHEME_WHITELIST = %w(https http).freeze
++
+ def initialize(env)
+ @env = env
+ end
+@@ -68,10 +70,8 @@ module Rack
+ 'https'
+ elsif @env['HTTP_X_FORWARDED_SSL'] == 'on'
+ 'https'
+- elsif @env['HTTP_X_FORWARDED_SCHEME']
+- @env['HTTP_X_FORWARDED_SCHEME']
+- elsif @env['HTTP_X_FORWARDED_PROTO']
+- @env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
++ elsif forwarded_scheme
++ forwarded_scheme
+ else
+ @env["rack.url_scheme"]
+ end
+@@ -394,5 +394,16 @@ module Rack
+ s
+ end
+ end
++
++ def forwarded_scheme
++ scheme_headers = [
++ @env['HTTP_X_FORWARDED_SCHEME'],
++ @env['HTTP_X_FORWARDED_PROTO'].to_s.split(',')[0]
++ ]
++ scheme_headers.each do |header|
++ return header if SCHEME_WHITELIST.include?(header)
++ end
++ nil
++ end
+ end
+ end
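Review bot: in `forwarded_scheme` the whitelist match is case-sensitive, so a proxy sending `X-Forwarded-Proto: HTTPS`, which the removed code passed through unchanged, is now silently dropped and the scheme falls back to `rack.url_scheme`. That is the upstream behaviour being backported and is acceptable for a stable update, but it deserves a sentence in the patch description; if case-insensitive acceptance is wanted, `return header if SCHEME_WHITELIST.include?(header.to_s.downcase)` keeps the fix while tolerating uppercase values. Minor: the DEP-3 header block has From/Date/Subject but no `Bug-Debian: https://bugs.debian.org/913005` line; the `Backported from` sentence covers the origin, and the Bug-Debian line would make the patch traceable from the bug it closes.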
diff --git a/debian/patches/series b/debian/patches/series
index 3a39f9c..bfc724e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
0001-Fix-Params_Depth.patch
+CVE-2018-16471.patch