
Fwd: [rt.debian.org #4251] ruby-rack security bug



hi,

I'm trying to update oldstable's librack-ruby to fix security issues.

I've cherry-picked upstream changes, but I'm not confident about my changes.
Would you review the attached debdiff?

This package seems not to be tested by rspec (because squeeze
doesn't have the test-spec package which is needed by it), so I only tested
against where I've changed...
# pbuilder --login --basetgz squeeze.tgz
# ...
# gem install rspec -v 1.3.2 (not using packaged version)
# gem install test-spec
# specrb -I ./lib test/rack_spec_utils.rb

Notes:

CVE-2013-0183:
The squeeze version's code is different from what I assumed when writing the forwarded mail.
So I tried to hand-port the original code and spec.
I've confirmed that at least the spec I added doesn't report error.

regards,
-- 
KURASHIKI Satoru


---------- Forwarded message ----------
From: Satoru KURASHIKI <lurdan@gmail.com>
Date: Thu, Aug 29, 2013 at 8:59 PM
Subject: Re: [rt.debian.org #4251] ruby-rack security bug
To: rt@rt.debian.org
Cc: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>, Hideki Yamane <henrich@debian.or.jp>


hi,

On Thu, Aug 29, 2013 at 8:50 AM, Satoru KURASHIKI <lurdan@gmail.com> wrote: 
CVE-2013-0183: As far as I went, I saw that commit ... but similar affected code seems present,

The point (similar code) is:

    loop do
      read_buffer = input.gets
      break if read_buffer == boundary + EOL
    end

So, I think that it may be changed to:

    loop do
      content = input.read(bufsize)
      raise EOFError, "bad content body" unless content
      @buf << content

      while @buf.gsub!(/\A([^\n]*\n)/, '')
        read_buffer = $1
        return if read_buffer == boundary + EOL
      end

      raise EOFError, "bad content body" if Utils.bytesize(@buf) >= bufsize
    end

But unfortunately I'm neither a rubyist nor coding expert, so I can't write
test code for this change.
I will ask some of my friends to review this code...
 
CVE-2012-6109:

This should be fixed IF we backport the "refactor of multipart module".
So, it should be considered as "not affected".

CVE-2011-5036:

We can pick this commit:

regards,
--
KURASHIKI Satoru

Attachment: librack-ruby-oldstable.debdiff
Description: Binary data
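The two read loops discussed under CVE-2013-0183 above, as an added example that is not part of this mail, the debdiff, or Rack's own code. It isolates the preamble-skipping step of a multipart parser and runs a line-at-a-time reader (the `input.gets` form) and a chunked, bounded reader (the proposed form) over two constructed bodies, recording the largest string each one holds at once. `EOL`, `BOUNDARY`, `probe`, the `stats` hash and the sample bodies are my own names and data.

```ruby
require 'stringio'

# Added example, not code from the mail or from Rack. It models the preamble
# skipping loop of a multipart parser in isolation so the two reading
# strategies can be compared on constructed request bodies. The stats hash
# records how many bytes were consumed and the largest string the reader
# held at one time.
EOL = "\r\n"

# Line-at-a-time reader: IO#gets returns the whole line, however long, so a
# preamble made of one huge line without a newline is buffered in full.
def skip_preamble_unbounded(input, boundary, stats)
  target = (boundary + EOL).b
  loop do
    line = input.gets
    raise EOFError, "bad content body" unless line
    stats[:peak] = [stats[:peak], line.bytesize].max
    stats[:consumed] += line.bytesize
    return if line.b == target
  end
end

# Chunked reader: reads bufsize bytes at a time, peels complete lines off the
# front of the buffer, and refuses to keep more than bufsize bytes of an
# unterminated line. Memory held never exceeds two chunks.
def skip_preamble_bounded(input, boundary, stats, bufsize)
  target = (boundary + EOL).b
  buf = String.new(encoding: Encoding::BINARY)
  loop do
    content = input.read(bufsize)
    raise EOFError, "bad content body" unless content
    buf << content
    stats[:peak] = [stats[:peak], buf.bytesize].max
    # String#gsub! sets $~ on a match, so $1 holds the line just removed.
    while buf.gsub!(/\A([^\n]*\n)/, '')
      line = $1
      stats[:consumed] += line.bytesize
      return if line == target
    end
    # Anything left is a partial line; reject it once it reaches bufsize.
    raise EOFError, "bad content body" if buf.bytesize >= bufsize
  end
end

# Runs one reader over a body and reports what happened.
def probe(body, boundary, bounded:, bufsize: 16_384)
  input = StringIO.new(body)
  stats = { consumed: 0, peak: 0 }
  if bounded
    skip_preamble_bounded(input, boundary, stats, bufsize)
  else
    skip_preamble_unbounded(input, boundary, stats)
  end
  stats.merge(result: :found)
rescue EOFError
  stats.merge(result: :rejected)
end

BOUNDARY = "--AaB03x"

# Constructed bodies: a well-formed one, and one whose preamble is a single
# 100 kB line followed by a valid boundary line.
BENIGN_BODY = "preamble text#{EOL}#{BOUNDARY}#{EOL}" \
              "Content-Disposition: form-data; name=\"a\"#{EOL}#{EOL}" \
              "hello#{EOL}#{BOUNDARY}--#{EOL}"
HOSTILE_BODY = ("A" * 100_000) + EOL + BOUNDARY + EOL

if __FILE__ == $0
  [[:unbounded, false], [:bounded, true]].each do |name, bounded|
    puts "#{name} benign:  #{probe(BENIGN_BODY, BOUNDARY, bounded: bounded)}"
    puts "#{name} hostile: #{probe(HOSTILE_BODY, BOUNDARY, bounded: bounded)}"
  end
end
```

On the benign body both readers find the boundary after the same 25 bytes. On the hostile body the `gets` reader holds the whole 100 kB line before it ever sees the boundary, while the bounded reader stops at one `bufsize` chunk and raises `EOFError`, which is the behaviour the proposed change is meant to give. Passing a small `bufsize` such as 16 to `probe` also shows the bounded reader correctly reassembling a boundary line that straddles two chunk reads.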

