
Bug#927424: marked as done (stretch-pu: package rails/2:4.2.7.1-1+deb9u1)



Your message dated Sat, 27 Apr 2019 11:14:32 +0100
with message-id <1556360072.2690.35.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.9
has caused the Debian Bug report #927424,
regarding stretch-pu: package rails/2:4.2.7.1-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927424: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927424
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Fixes three issues in rails, debdiff below. Passes all regression tests
and a quick functional test.

Cheers,
        Moritz

diff -Nru rails-4.2.7.1/debian/changelog rails-4.2.7.1/debian/changelog
--- rails-4.2.7.1/debian/changelog	2016-08-22 19:33:48.000000000 +0200
+++ rails-4.2.7.1/debian/changelog	2019-04-18 16:51:20.000000000 +0200
@@ -1,3 +1,10 @@
+rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium
+
+  * CVE-2018-16476 (Closes: #914847)
+  * CVE-2019-5418 / CVE-2019-5419 (Closes: #924520)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Thu, 18 Apr 2019 20:48:13 +0200
+
 rails (2:4.2.7.1-1) unstable; urgency=medium
 
   * New upstream release; includes fixes for the following issues:
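Review bot: the two new changelog entries give only CVE ids and bug numbers; a short description of each change would help stretch users reading the changelog, for example `* CVE-2018-16476: ActiveJob no longer deserializes GlobalID strings not generated by Active Job (Closes: #914847)` and `* CVE-2019-5418 / CVE-2019-5419: ActionPack only accepts formats from registered MIME types (Closes: #924520)`, taken from the subjects of the two patches being added. Both fixes also change observable behaviour for applications (unregistered custom MIME types stop matching in `respond_to`, and GlobalID URI strings in job arguments are no longer resolved to records), so a sentence pointing that out in the changelog would let administrators check their applications before upgrading.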
diff -Nru rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch
--- rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch	1970-01-01 01:00:00.000000000 +0100
+++ rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch	2019-04-18 16:44:58.000000000 +0200
@@ -0,0 +1,47 @@
+From 4f03411fd07d714b525655e2457bbd761c9f03a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfranca@gmail.com>
+Date: Wed, 5 Sep 2018 17:38:09 -0400
+Subject: [PATCH] Do not deserialize GlobalID objects that were not generated by
+ Active Job
+
+Trusting any GlobaID object when deserializing jobs can allow
+attackers to access information that should not be accessible to them.
+
+Fix CVE-2018-16476.
+---
+ activejob/lib/active_job/arguments.rb               | 2 +-
+ activejob/test/cases/argument_serialization_test.rb | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
+index ecd81f2099..e33ee649cd 100644
+--- a/activejob/lib/active_job/arguments.rb
++++ b/activejob/lib/active_job/arguments.rb
+@@ -75,7 +75,7 @@ module ActiveJob
+       def deserialize_argument(argument)
+         case argument
+         when String
+-          GlobalID::Locator.locate(argument) || argument
++          argument
+         when *TYPE_WHITELIST
+           argument
+         when Array
+diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
+index 1f11e916c4..058a828b86 100644
+--- a/activejob/test/cases/argument_serialization_test.rb
++++ b/activejob/test/cases/argument_serialization_test.rb
+@@ -35,6 +35,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
+     assert_arguments_roundtrip [@person]
+   end
+ 
++  test "should keep Global IDs strings as they are" do
++    assert_arguments_roundtrip [@person.to_gid.to_s]
++  end
++
+   test 'should dive deep into arrays and hashes' do
+     assert_arguments_roundtrip [3, [@person]]
+     assert_arguments_roundtrip [{ 'a' => @person }]
+-- 
+2.18.0
+
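Review bot: the `when String` branch of `deserialize_argument` now returns the argument untouched instead of `GlobalID::Locator.locate(argument) || argument`, so a `gid://` string found in a serialized job is no longer looked up and turned into the referenced record; the new test `should keep Global IDs strings as they are` pins exactly that. Since this is a deliberate behaviour change, any application on stretch that passed `record.to_gid.to_s` as a job argument and expected the record back will now receive the plain string, which is worth a mention in the changelog. The patch is a verbatim upstream cherry-pick carrying its git header (commit 4f03411fd07d714b525655e2457bbd761c9f03a5), which serves as the DEP-3 origin; adding a `Bug-Debian: https://bugs.debian.org/914847` line would tie it to the bug being closed.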
diff -Nru rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch
--- rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch	1970-01-01 01:00:00.000000000 +0100
+++ rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch	2019-04-18 16:45:44.000000000 +0200
@@ -0,0 +1,113 @@
+From 58ed245e80a8710fbe31e91417bfd19f9f934cc4 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Mon, 4 Mar 2019 18:24:51 -0800
+Subject: [PATCH] Only accept formats from registered mime types
+
+[CVE-2019-5418]
+[CVE-2019-5419]
+---
+ .../lib/action_dispatch/http/mime_negotiation.rb |  6 +++++-
+ .../test/controller/mime/respond_to_test.rb      | 14 ++++++++------
+ .../new_base/content_negotiation_test.rb         | 16 +++++++++++++---
+ 3 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+index 53a98c5d0a..00fd3d03df 100644
+--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
++++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+@@ -61,7 +61,7 @@ module ActionDispatch
+                               false
+                             end
+ 
+-          if params_readable
++          v = if params_readable
+             Array(Mime[parameters[:format]])
+           elsif use_accept_header && valid_accept_header
+             accepts
+@@ -70,6 +70,10 @@ module ActionDispatch
+           else
+             [Mime::HTML]
+           end
++
++          v.select do |format|
++            format.symbol || format.ref == "*/*"
++          end
+         end
+       end
+ 
+diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb
+index 66d2fd7716..07ad0085fc 100644
+--- a/actionpack/test/controller/mime/respond_to_test.rb
++++ b/actionpack/test/controller/mime/respond_to_test.rb
+@@ -87,9 +87,9 @@ class RespondToController < ActionController::Base
+ 
+   def custom_type_handling
+     respond_to do |type|
+-      type.html { render :text => "HTML"    }
+-      type.custom("application/crazy-xml")  { render :text => "Crazy XML"  }
+-      type.all  { render :text => "Nothing" }
++      type.html { render text: "HTML"    }
++      type.custom("application/fancy-xml")  { render text: "Fancy XML"  }
++      type.all  { render text: "Nothing" }
+     end
+   end
+ 
+@@ -269,12 +269,14 @@ class RespondToControllerTest < ActionController::TestCase
+     @request.host = "www.example.com"
+     Mime::Type.register_alias("text/html", :iphone)
+     Mime::Type.register("text/x-mobile", :mobile)
++    Mime::Type.register("application/fancy-xml", :fancy_xml)
+   end
+ 
+   def teardown
+     super
+     Mime::Type.unregister(:iphone)
+     Mime::Type.unregister(:mobile)
++    Mime::Type.unregister(:fancy_xml)
+   end
+ 
+   def test_html
+@@ -430,10 +432,10 @@ class RespondToControllerTest < ActionController::TestCase
+   end
+ 
+   def test_custom_types
+-    @request.accept = "application/crazy-xml"
++    @request.accept = "application/fancy-xml"
+     get :custom_type_handling
+-    assert_equal "application/crazy-xml", @response.content_type
+-    assert_equal 'Crazy XML', @response.body
++    assert_equal "application/fancy-xml", @response.content_type
++    assert_equal "Fancy XML", @response.body
+ 
+     @request.accept = "text/html"
+     get :custom_type_handling
+diff --git a/actionpack/test/controller/new_base/content_negotiation_test.rb b/actionpack/test/controller/new_base/content_negotiation_test.rb
+index 5fd5946619..57bf16ac9c 100644
+--- a/actionpack/test/controller/new_base/content_negotiation_test.rb
++++ b/actionpack/test/controller/new_base/content_negotiation_test.rb
+@@ -19,9 +19,19 @@ module ContentNegotiation
+       assert_body "Hello world */*!"
+     end
+ 
+-    test "Not all mimes are converted to symbol" do
+-      get "/content_negotiation/basic/all", {}, "HTTP_ACCEPT" => "text/plain, mime/another"
+-      assert_body '[:text, "mime/another"]'
++    test "A js or */* Accept header will return HTML" do
++      get "/content_negotiation/basic/hello", {}, { "HTTP_ACCEPT" => "text/javascript, */*" }
++      assert_body "Hello world text/html!"
++    end
++
++    test "A js or */* Accept header on xhr will return HTML" do
++      xhr :get, "/content_negotiation/basic/hello", {}, { "HTTP_ACCEPT" => "text/javascript, */*" }
++      assert_body "Hello world text/javascript!"
++    end
++
++    test "Unregistered mimes are ignored" do
++      get "/content_negotiation/basic/all", {}, { "HTTP_ACCEPT" => "text/plain, mime/another" }
++      assert_body '[:text]'
+     end
+   end
+ end
+-- 
+2.21.0
+
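Review bot: the test changes in this patch document a compatibility cost that the changelog should state: `custom_type_handling` had to move from `application/crazy-xml` to `application/fancy-xml`, which is now registered in `setup` via `Mime::Type.register("application/fancy-xml", :fancy_xml)`, and the test `Not all mimes are converted to symbol` (expecting `[:text, "mime/another"]`) was replaced by `Unregistered mimes are ignored` (expecting `[:text]`). That is the intended effect of the new `v.select` filter in `mime_negotiation.rb`, which keeps only formats with a registered symbol or the `*/*` wildcard, but it means applications on stretch that use `type.custom("...")` for a MIME type they never registered with `Mime::Type.register` will stop matching that branch after this update; a changelog or NEWS line saying so would save those users a debugging session. Minor style point: `v = if params_readable` leaves the `if` body and its closing `end` at the old indentation, so the assignment is easy to miss when reading the hunk, though keeping the upstream form verbatim is reasonable for a cherry-pick.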
diff -Nru rails-4.2.7.1/debian/patches/series rails-4.2.7.1/debian/patches/series
--- rails-4.2.7.1/debian/patches/series	2016-08-22 19:33:48.000000000 +0200
+++ rails-4.2.7.1/debian/patches/series	2019-04-18 16:48:04.000000000 +0200
@@ -2,3 +2,5 @@
 0002-load_paths.rb-don-t-load-bundler.patch
 0004-ActiveRecord-adjust-test-suite-for-Debian-build.patch
 0005-relax-json.patch
+006-CVE-2018-16476.patch
+007-CVE-2019-5418_CVE-2019-5419.patch
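Review bot: the new entries `006-CVE-2018-16476.patch` and `007-CVE-2019-5418_CVE-2019-5419.patch` use a three-digit prefix while the existing patches (`0002-`, `0004-`, `0005-`) use four digits; renaming them to `0006-...` and `0007-...` in `series` and on disk keeps the numbering consistent and the sort order stable when later patches are added. The order itself is fine: the two patches touch different trees (`activejob/` and `actionpack/`) and neither depends on the other.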


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Version: 9.9

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
