Hello community,

here is the log from the commit of package rubygem-rack-1_3.3907 for openSUSE:13.1:Update checked in at 2015-07-17 16:46:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/rubygem-rack-1_3.3907 (Old)
 and      /work/SRC/openSUSE:13.1:Update/.rubygem-rack-1_3.3907.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "rubygem-rack-1_3.3907"

Changes:
--------
New Changes file:

--- /dev/null   2015-06-25 09:04:34.320025005 +0200
+++ /work/SRC/openSUSE:13.1:Update/.rubygem-rack-1_3.3907.new/rubygem-rack-1_3.changes   2015-07-17 16:46:18.000000000 +0200
@@ -0,0 +1,95 @@ +------------------------------------------------------------------- +Wed Jul 8 17:28:10 UTC 2015 - [email protected] + +- fix CVE-2015-3225: rubygem-rack: Potential Denial of Service + Vulnerability in Rack (bnc#934797) + + CVE-2015-3225.patch: contains the fix + +------------------------------------------------------------------- +Mon May 13 11:26:57 UTC 2013 - [email protected] + +- add license link + +------------------------------------------------------------------- +Sat Mar 23 08:00:33 UTC 2013 - [email protected] + +- updated to version 1.3.10 + +------------------------------------------------------------------- +Fri Mar 23 10:35:09 UTC 2012 - [email protected] + +- Spec file cleanup: + * Prepare for Factory + +------------------------------------------------------------------- +Thu Nov 3 16:32:15 UTC 2011 - [email protected] + +- Update to 1.3.5 (bnc#727772) + - Fix annoying warnings caused by the backport in 1.3.4 + +------------------------------------------------------------------- +Thu Oct 6 16:09:59 UTC 2011 - [email protected] + +- Update to 1.3.4 + - Fix bug with broken query parameters in Rack::ShowExceptions + - Rack::Request#cookies no longer swallows exceptions on broken input + - Prevents XSS attacks enabled by bug in Ruby 1.8’s regexp engine + - Rack::ConditionalGet handles broken If-Modified-Since helpers + - Fix a bug with MRI regex engine to prevent XSS by malformed unicode + - Backport security fix from 1.9.3, also fixes some roundtrip issues in URI + - Small documentation update + - Fix an issue where BodyProxy could cause an infinite recursion + - Add some supporting files for travis-ci + +------------------------------------------------------------------- +Mon Sep 12 13:53:34 UTC 2011 - [email protected] + +- provide the single digit versioned named aswell + +------------------------------------------------------------------- +Mon Aug 1 16:40:15 UTC 2011 - [email protected] + +- update to 1.3.2 + - fix whitespace 
errors + - Add .rdoc extension so GitHub can apply formatting + - Restore Ruby 1.9.1 compatibility + - Fix a regression caused by [82]f043f32 + - Fix Rack::Utils.escape in the case when $KCODE='U' + - Sigh, thinking backports was a bad idea + - fix Rack::Lock, use same logic for Rack::CommonLogger + - allow passing in rack.session in tests (used to work + previously) + - nicer method_missings + - fix typo + - BasicObject does not define respond_to? + - fix BodyProxy#close + - let Rack::BodyProxy raise an IOError (like IO and StringIO do) + when ca... + - more tests for Rack::BodyProxy + - block should not be called if IOError raised + - update core team list + - simpler, dry implementation for HeaderHash#to_hash, fixes + [122]#177 + - fix typo + - make sure the Cache-Control header can never be nil + - Minor error in documentation regarding the order of parameters + in HTTP... + - call #close on body in mock responses + - test for Rack::Response#close + - Have MockRequest call close on the body rather than + MockResponse. + - prepare readme for 1.3.1 + - update changes + - Edited lib/rack/sendfile.rb via GitHub + - Fixed a Regexp bug that can DoS your box. + - Merge pull request [156]#206 from + brendan/19451fc0463ec424fa368cac05be15c75... + - Update readme pending patch release + - Rack::Utils.escape should work with symbols in Ruby 1.8.7 + +------------------------------------------------------------------- +Fri Jun 17 14:11:39 UTC 2011 - [email protected] + +- initial package of the 1.3 branch (1.3.0) + New: ---- CVE-2015-3225.patch rack-1.3.10.gem rubygem-rack-1_3.changes rubygem-rack-1_3.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rubygem-rack-1_3.spec ++++++ # # spec file for package rubygem-rack-1_3 # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. 
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


Name:           rubygem-rack-1_3
Version:        1.3.10
Release:        0
%define mod_name rack
%define mod_full_name %{mod_name}-%{version}
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  ruby-macros >= 1
Url:            http://rack.github.com/
Source:         http://rubygems.org/gems/%{mod_full_name}.gem
Patch0:         CVE-2015-3225.patch
Summary:        a modular Ruby webserver interface
License:        MIT
Group:          Development/Languages/Ruby
%define mod_branch -%{version}
%define mod_weight 1
PreReq:         update-alternatives

%description
Rack provides minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.

Also see http://rack.github.com/.

%package doc
Summary:        RDoc documentation for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description doc
Documentation generated at gem installation time.
Usually in RDoc and RI formats.

%package testsuite
Summary:        Test suite for %{mod_name}
Group:          Development/Languages/Ruby
Requires:       %{name} = %{version}

%description testsuite
Test::Unit or RSpec files, useful for developers.

%prep
gem unpack --verbose %{S:0}
pushd %{mod_full_name}
chmod -R go-w .
gem spec --ruby %{S:0} > %{mod_full_name}.gemspec
patch -p1 < %{P:0}
gem build %{mod_full_name}.gemspec
popd

%build

%install
%gem_install %{mod_full_name}/%{mod_full_name}.gem
mv %{buildroot}%{_bindir}/rackup{,%{mod_branch}}
ln -s rackup%{mod_branch} %{buildroot}%{_bindir}/rackup
mkdir -p %{buildroot}%{_docdir}/%{name}
ln -s %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/COPYING %buildroot/%{_docdir}/%{name}/COPYING
ln -s %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/README.rdoc %buildroot/%{_docdir}/%{name}/README.rdoc

%post
/usr/sbin/update-alternatives --install \
    %{_bindir}/rackup rackup %{_bindir}/rackup%{mod_branch} %{mod_weight}

%preun
if [ "$1" = 0 ] ; then
    /usr/sbin/update-alternatives --remove rackup %{_bindir}/rackup%{mod_branch}
fi

%files
%defattr(-,root,root,-)
%{_docdir}/%{name}
%{_bindir}/rackup%{mod_branch}
%ghost %{_bindir}/rackup
%{_libdir}/ruby/gems/%{rb_ver}/cache/%{mod_full_name}.gem
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/
%exclude %{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/test
%{_libdir}/ruby/gems/%{rb_ver}/specifications/%{mod_full_name}.gemspec

%files doc
%defattr(-,root,root,-)
%doc %{_libdir}/ruby/gems/%{rb_ver}/doc/%{mod_full_name}/

%files testsuite
%defattr(-,root,root,-)
%{_libdir}/ruby/gems/%{rb_ver}/gems/%{mod_full_name}/test

%changelog
++++++ CVE-2015-3225.patch ++++++
diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
index 1808660..36a2f87 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
@@ -45,11 +45,15 @@ module Rack class << self attr_accessor :key_space_limit + attr_accessor :param_depth_limit end # The default number of bytes to allow parameter keys to take up. # This helps prevent a rogue client from flooding a Request. self.key_space_limit = 65536 + # Default depth at which the parameter parser will raise an exception for + # being too deep. This helps prevent SystemStackErrors + self.param_depth_limit = 100 # Stolen from Mongrel, with some small modifications: # Parses a query string by breaking it up at the '&' @@ -111,7 +115,8 @@ module Rack end module_function :parse_nested_query - def normalize_params(params, name, v = nil) + def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit) + raise RangeError if depth <= 0 name =~ %r(\A[\[\]]*([^\[\]]+)\]*) k = $1 || '' after = $' || '' @@ -129,14 +134,14 @@ module Rack params[k] ||= [] raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array) if params[k].last.is_a?(Hash) && !params[k].last.key?(child_key) - normalize_params(params[k].last, child_key, v) + normalize_params(params[k].last, child_key, v, depth - 1) else - params[k] << normalize_params({}, child_key, v) + params[k] << normalize_params({}, child_key, v, depth - 1) end else params[k] ||= {} raise TypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Hash) - params[k] = normalize_params(params[k], after, v) + params[k] = normalize_params(params[k], after, v, depth - 1) end return params
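Review bot: in the first hunk (@@ -45,11 +45,15 @@) the comment above `self.param_depth_limit = 100` says the parser "will raise an exception" but does not name it; the second hunk raises `RangeError`, so state that here so callers of `parse_nested_query` know what to rescue. The comment should also say what one unit of depth is (one bracket level of nesting in a parameter key, as each recursive `normalize_params` call consumes one), so that anyone tuning `Rack::Utils.param_depth_limit` at application boot knows what the default of 100 means.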
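Review bot: in the second hunk (@@ -111,7 +115,8 @@) `raise RangeError if depth <= 0` carries no message, whereas the `TypeError`s raised a few lines further down in the same method explain what went wrong; give it one such as `raise RangeError, "parameter nesting deeper than #{Utils.param_depth_limit} levels"` so the condition is identifiable in application logs and can be distinguished from other `RangeError`s. Note also that because the default argument `depth = Utils.param_depth_limit` is evaluated on each call, a new value assigned to `Rack::Utils.param_depth_limit` applies to subsequent requests without restarting the process; worth a sentence in the accessor's documentation.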
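Review bot: in the third hunk (@@ -129,14 +134,14 @@) all three recursive `normalize_params` calls visible in the hunk now pass `depth - 1`, but the patch ships no test. Add one asserting that `Rack::Utils.parse_nested_query` accepts a key nested to `param_depth_limit` bracket levels and raises `RangeError` one level beyond; without it, a later refactor that introduces another recursive call without threading `depth` through would silently reopen the stack exhaustion this change closes.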
