--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: stretch-pu: package ruby-i18n/0.7.0-2+deb9u1
- From: Chris Lamb <lamby@debian.org>
- Date: Tue, 20 Nov 2018 04:33:37 -0500
- Message-id: <1542706417.979548.1582956840.3B5AA1F5@webmail.messagingengine.com>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear stable release managers,
Please consider ruby-i18n (0.7.0-2+deb9u1) for stretch:
ruby-i18n (0.7.0-2+deb9u1) stretch; urgency=medium
* CVE-2014-10077: Prevent a remote denial-of-service vulnerability via an
application crash by engineering a situation where `:some_key` is present
in `keep_keys` but not present in the hash. (Closes: #913093)
The full diff is attached.
Regards,
--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
diff --git a/debian/changelog b/debian/changelog
index 689bc5e..04fbbb6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ruby-i18n (0.7.0-2+deb9u1) stretch; urgency=medium
+
+ * CVE-2014-10077: Prevent a remote denial-of-service vulnerability via an
+ application crash by engineering a situation where `:some_key` is present
+ in `keep_keys` but not present in the hash. (Closes: #913093)
+
+ -- Chris Lamb <lamby@debian.org> Tue, 20 Nov 2018 10:32:18 +0100
+
ruby-i18n (0.7.0-2) unstable; urgency=medium
* Upload to unstable
diff --git a/debian/patches/CVE-2014-10077.patch b/debian/patches/CVE-2014-10077.patch
new file mode 100644
index 0000000..c1e9c52
--- /dev/null
+++ b/debian/patches/CVE-2014-10077.patch
@@ -0,0 +1,42 @@
+From: Chris Lamb <lamby@debian.org>
+Date: Tue, 20 Nov 2018 10:25:08 +0100
+Subject: CVE-2014-10077: Prevent a remote denial-of-service vulnerability via
+ an application crash by engineering a situation where `:some_key` is present
+ in `keep_keys` but not present in the hash.
+
+Backported from https://github.com/svenfuchs/i18n/commit/24e71a9a4901ed18c9cab5c53109fd9bf2416bcb
+---
+ lib/i18n/core_ext/hash.rb | 2 +-
+ test/core_ext/hash_test.rb | 6 ++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/lib/i18n/core_ext/hash.rb b/lib/i18n/core_ext/hash.rb
+index f2a2422..895f41a 100644
+--- a/lib/i18n/core_ext/hash.rb
++++ b/lib/i18n/core_ext/hash.rb
+@@ -1,7 +1,7 @@
+ class Hash
+ def slice(*keep_keys)
+ h = {}
+- keep_keys.each { |key| h[key] = fetch(key) }
++ keep_keys.each { |key| h[key] = fetch(key) if has_key?(key) }
+ h
+ end unless Hash.method_defined?(:slice)
+
+diff --git a/test/core_ext/hash_test.rb b/test/core_ext/hash_test.rb
+index 8309336..f7ebd6f 100644
+--- a/test/core_ext/hash_test.rb
++++ b/test/core_ext/hash_test.rb
+@@ -14,6 +14,12 @@ class I18nCoreExtHashInterpolationTest < I18n::TestCase
+ assert_equal expected, hash.slice(:foo)
+ end
+
++ test "#slice non-existent key" do
++ hash = { :foo => 'bar', :baz => 'bar' }
++ expected = { :foo => 'bar' }
++ assert_equal expected, hash.slice(:foo, :not_here)
++ end
++
+ test "#except" do
+ hash = { :foo => 'bar', :baz => 'bar' }
+ expected = { :foo => 'bar' }
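Review bot: the patch header carries only a free-form `Backported from ...` line; DEP-3 tooling would pick the provenance up if it were written as `Origin: backport, https://github.com/svenfuchs/i18n/commit/24e71a9a4901ed18c9cab5c53109fd9bf2416bcb` with a `Bug-Debian: https://bugs.debian.org/913093` line beside it. The code change itself is sound: `fetch(key) if has_key?(key)` skips absent keys instead of letting `fetch` raise KeyError, which is the same behaviour as the native Hash#slice that the `unless Hash.method_defined?(:slice)` guard defers to on Rubies that ship it, and the added `#slice non-existent key` test exercises exactly the previously crashing case.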
diff --git a/debian/patches/series b/debian/patches/series
index 815cfc5..d8947eb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
strip_bundler.patch
Ignore-metadata-on-frozen-objects.patch
+CVE-2014-10077.patch
--- End Message ---