Hello community,

here is the log from the commit of package rubygem-rack.3906 for openSUSE:13.2:Update checked in at 2015-07-17 16:46:16

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/rubygem-rack.3906 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.rubygem-rack.3906.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-rack.3906"

Changes:
--------
New Changes file:

--- /dev/null	2015-06-25 09:04:34.320025005 +0200
+++ /work/SRC/openSUSE:13.2:Update/.rubygem-rack.3906.new/rubygem-rack.changes	2015-07-17 16:46:17.000000000 +0200
@@ -0,0 +1,114 @@ +------------------------------------------------------------------- +Wed Jul 8 17:12:05 UTC 2015 - [email protected] + +- fix CVE-2015-3225: rubygem-rack: Potential Denial of Service + Vulnerability in Rack (bnc#934797) + + CVE-2015-3225.patch: contains the fix + +------------------------------------------------------------------- +Tue May 28 05:28:04 UTC 2013 - [email protected] + +- new template version + +------------------------------------------------------------------- +Tue Feb 12 13:45:09 UTC 2013 - [email protected] + +- updated to version 1.5.2 + * February 7th, Thirty fifth public release 1.5.2 + * Fix CVE-2013-0263, timing attack against Rack::Session::Cookie + * Fix CVE-2013-0262, symlink path traversal in Rack::File + * Add various methods to Session for enhanced Rails compatibility + * Request#trusted_proxy? now only matches whole stirngs + * Add JSON cookie coder, to be default in Rack 1.6+ due to security concerns + * URLMap host matching in environments that don't set the Host header fixed + * Fix a race condition that could result in overwritten pidfiles + * Various documentation additions + +------------------------------------------------------------------- +Sun Feb 3 17:14:19 UTC 2013 - [email protected] + +- updated to version 1.5.1 + +------------------------------------------------------------------- +Thu Jan 24 06:34:01 UTC 2013 - [email protected] + +- update to version 1.5.0, remove suffix + * Introduced hijack SPEC, for before-response and after-response hijacking + * SessionHash is no longer a Hash subclass + * Rack::File cache_control parameter is removed, in place of headers options + * Rack::Auth::AbstractRequest#scheme now yields strings, not symbols + * Rack::Utils cookie functions now format expires in RFC 2822 format + * Rack::File now has a default mime type + * rackup -b 'run Rack::File.new(".")', option provides command line configs + * Rack::Deflater will no longer double encode bodies + * Rack::Mime#match? 
provides convenience for Accept header matching + * Rack::Utils#q_values provides splitting for Accept headers + * Rack::Utils#best_q_match provides a helper for Accept headers + * Rack::Handler.pick provides convenience for finding available servers + * Puma added to the list of default servers (preferred over Webrick) + * Various middleware now correctly close body when replacing it + * Rack::Request#params is no longer persistent with only GET params + * Rack::Request#update_param and #delete_param provide persistent operations + * Rack::Request#trusted_proxy? now returns true for local unix sockets + * Rack::Response no longer forces Content-Types + * Rack::Sendfile provides local mapping configuration options + * Rack::Utils#rfc2109 provides old netscape style time output + * Updated HTTP status codes + * Ruby 1.8.6 likely no longer passes tests, and is no longer fully supported + +------------------------------------------------------------------- +Tue Jan 8 20:26:44 UTC 2013 - [email protected] + +- updated to version 1.4.3 + * Add warnings when users do not provide a session secret + * Fix parsing performance for unquoted filenames + * Updated URI backports + * Fix URI backport version matching, and silence constant warnings + * Correct parameter parsing with empty values + * Correct rackup '-I' flag, to allow multiple uses + * Correct rackup pidfile handling + * Report rackup line numbers correctly + * Fix request loops caused by non-stale nonces with time limits + * Fix reloader on Windows + * Prevent infinite recursions from Response#to_ary + * Various middleware better conforms to the body close specification + * Updated language for the body close specification + * Additional notes regarding ECMA escape compatibility issues + * Fix the parsing of multiple ranges in range headers + * Prevent errors from empty parameter keys + * Added PATCH verb to Rack::Request + * Various documentation updates + * Fix session merge semantics (fixes rack-test) + * 
Rack::Static :index can now handle multiple directories + * All tests now utilize Rack::Lint (special thanks to Lars Gierth) + * Rack::File cache_control parameter is now deprecated, and removed by 1.5 + * Correct Rack::Directory script name escaping + * Rack::Static supports header rules for sophisticated configurations + * Multipart parsing now works without a Content-Length header + * New logos courtesy of Zachary Scott! + * Rack::BodyProxy now explicitly defines #each, useful for C extensions + * Cookies that are not URI escaped no longer cause exceptions + * Security: Prevent unbounded reads in large multipart boundaries + +------------------------------------------------------------------- +Tue Jul 31 13:13:42 UTC 2012 - [email protected] + +- use new gem2rpm to provide new provisions + +------------------------------------------------------------------- +Mon Apr 2 12:41:39 UTC 2012 - [email protected] + +- Spec file cleanup: + * Prepare for Factory submission + +------------------------------------------------------------------- +Fri Mar 30 13:10:03 UTC 2012 - [email protected] + +- handle /usr/bin/rackup via update-alternatives + +------------------------------------------------------------------- +Thu Jan 26 16:06:57 UTC 2012 - [email protected] + +- initial package of the 1.4 branch + New: ---- CVE-2015-3225.patch rack-1.5.2.gem rubygem-rack.changes rubygem-rack.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-rack.spec ++++++ # # spec file for package rubygem-rack # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           rubygem-rack
Version:        1.5.2
Release:        0
%define mod_name rack
%define mod_full_name %{mod_name}-%{version}
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  ruby-macros >= 1
Url:            http://rack.github.com/
Source:         http://rubygems.org/gems/%{mod_full_name}.gem
Patch0:         CVE-2015-3225.patch
Summary:        a modular Ruby webserver interface
License:        MIT
Group:          Development/Languages/Ruby
%define mod_branch -%{version}
%define mod_weight 1
PreReq:         update-alternatives

%description
Rack provides a minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.

Also see http://rack.github.com/.

%package doc
Summary:        RDoc documentation for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.

%package testsuite
Summary:        Test suite for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description testsuite
Test::Unit or RSpec files, useful for developers.

%prep
gem unpack --verbose %{S:0}
pushd %{mod_full_name}
chmod -R go-w .
gem spec --ruby %{S:0} > %{mod_full_name}.gemspec
patch -p1 < %{P:0}
gem build %{mod_full_name}.gemspec
popd

%build

%install
%gem_install %{mod_full_name}/%{mod_full_name}.gem
mv %{buildroot}%{_bindir}/rackup{,%{mod_branch}}
ln -s rackup%{mod_branch} %{buildroot}%{_bindir}/rackup
mkdir -p %{buildroot}%{_docdir}/%{name}
ln -s %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/COPYING %buildroot/%{_docdir}/%{name}/COPYING
ln -s %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/README.rdoc %buildroot/%{_docdir}/%{name}/README.rdoc

%post
/usr/sbin/update-alternatives --install \
    %{_bindir}/rackup rackup %{_bindir}/rackup%{mod_branch} %{mod_weight}

%preun
if [ "$1" = 0 ] ; then
    /usr/sbin/update-alternatives --remove rackup %{_bindir}/rackup%{mod_branch}
fi

%files
%defattr(-,root,root,-)
%{_docdir}/%{name}
%{_bindir}/rackup%{mod_branch}
%ghost %{_bindir}/rackup
%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
%exclude %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/test
%{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec

%files doc
%defattr(-,root,root,-)
%doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/

%files testsuite
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/test

%changelog

++++++ CVE-2015-3225.patch ++++++
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index 561e46e..a163c49 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -52,12 +52,17 @@ module Rack class << self attr_accessor :key_space_limit + attr_accessor :param_depth_limit end # The default number of bytes to allow parameter keys to take up. # This helps prevent a rogue client from flooding a Request. self.key_space_limit = 65536 + # Default depth at which the parameter parser will raise an exception for + # being too deep. This helps prevent SystemStackErrors + self.param_depth_limit = 100 + # Stolen from Mongrel, with some small modifications: # Parses a query string by breaking it up at the '&' # and ';' characters. You can also use this to parse @@ -100,7 +105,9 @@ module Rack end module_function :parse_nested_query - def normalize_params(params, name, v = nil) + def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit) + raise RangeError if depth <= 0 + name =~ %r(\A[\[\]]*([^\[\]]+)\]*) k = $1 || '' after = $' || '' @@ -118,14 +125,14 @@ module Rack params[k] ||= [] raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array) if params_hash_type?(params[k].last) && !params[k].last.key?(child_key) - normalize_params(params[k].last, child_key, v) + normalize_params(params[k].last, child_key, v, depth - 1) else - params[k] << normalize_params(params.class.new, child_key, v) + params[k] << normalize_params(params.class.new, child_key, v, depth - 1) end else params[k] ||= params.class.new raise TypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k]) - params[k] = normalize_params(params[k], after, v) + params[k] = normalize_params(params[k], after, v, depth - 1) end return params
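Review bot: the comment above `self.param_depth_limit = 100` in the first hunk (`@@ -52,12 +52,17 @@`) should say what one level is and that the value is tunable, since it is the only documentation the new setting gets. Each bracketed segment of a key costs one recursion of `normalize_params` (the third hunk passes `depth - 1` at all three recursive call sites), so a key such as `a[b][c]` consumes three levels, and because the limit is exposed through `attr_accessor :param_depth_limit` an application can adjust it with `Rack::Utils.param_depth_limit = ...` if its forms legitimately nest deeper. The comment is also missing its terminating period after `SystemStackErrors`.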
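Review bot: `raise RangeError if depth <= 0` in the second hunk (`@@ -100,7 +105,9 @@`) raises with no message, while the `TypeError`s later in the same method say what they expected; suggest something like `raise RangeError, "parameter nesting exceeds param_depth_limit"` so that whoever rescues or logs the error can tell a nesting-limit rejection from any other `RangeError`. The patch also adds no test: a spec that calls `parse_nested_query` with a key nested past `Utils.param_depth_limit` and expects `RangeError`, next to one nested just under the limit that parses, would pin down both the behaviour and the boundary.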
