Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu

Hi,

this update fixes bug #881445 [CVE-2017-15928]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
by cherrypicking a patch from upstream, to crash of the ruby interpreter on a parse error.

Debdiff attached.

As jessie and stretch have the same version of this package, I am willing to upload the same fix to jessie (same diff except the version number with deb8 instead of deb9). Should I submit an independent bug report for the jessie proposed update?

Thanks in advance.

Cédric

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru ruby-ox-2.1.1/debian/changelog ruby-ox-2.1.1/debian/changelog --- ruby-ox-2.1.1/debian/changelog 2014-04-04 12:58:15.000000000 +0200 +++ ruby-ox-2.1.1/debian/changelog 2017-11-26 01:08:40.000000000 +0100 @@ -1,3 +1,12 @@ +ruby-ox (2.1.1-2+deb9u1) stretch; urgency=medium + + * Team upload + * Add fix_parse_obj_segfault.patch picked from upstream + + fix CVE-2017-15928: segmentation fault in parse_obj + (Closes: #881445) + + -- Cédric Boutillier <[email protected]> Sun, 26 Nov 2017 01:08:40 +0100 + ruby-ox (2.1.1-2) unstable; urgency=medium * Team upload. diff -Nru ruby-ox-2.1.1/debian/gbp.conf ruby-ox-2.1.1/debian/gbp.conf --- ruby-ox-2.1.1/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ ruby-ox-2.1.1/debian/gbp.conf 2017-11-26 00:52:18.000000000 +0100 @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch=stretch/master +upstream-branch=stretch/upstream diff -Nru ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch --- ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch 2017-11-26 01:08:40.000000000 +0100 
@@ -0,0 +1,51 @@ +Description: Avoid crash with invalid XML passed to Oj.parse_obj() + this fixes CVE-2017-15928 +Author: Peter Ohler <[email protected]> +Origin: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8.patch +Bug: https://github.com/ohler55/ox/issues/194 +Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445 +Last-Update: 2017-11-25 + +--- a/ext/ox/obj_load.c ++++ b/ext/ox/obj_load.c +@@ -791,8 +791,10 @@ + Helper gh; + + helper_stack_pop(&pi->helpers); +- gh = helper_stack_peek(&pi->helpers); +- ++ if (NULL == (gh = helper_stack_peek(&pi->helpers))) { ++ set_error(&pi->err, "Corrupt parse stack, container is wrong type", pi->str, pi->s); ++ return; ++ } + rb_hash_aset(gh->obj, ph->obj, h->obj); + } + break; +--- a/ext/ox/err.c ++++ b/ext/ox/err.c +@@ -42,7 +42,11 @@ + va_end(ap); + } + ++#if __GNUC__ > 4 ++_Noreturn void ++#else + void ++#endif + ox_err_raise(Err e) { + rb_raise(e->clas, "%s", e->msg); + } +--- a/ext/ox/ox.c ++++ b/ext/ox/ox.c +@@ -990,7 +990,11 @@ + #endif + } + ++#if __GNUC__ > 4 ++_Noreturn void ++#else + void ++#endif + _ox_raise_error(const char *msg, const char *xml, const char *current, const char* file, int line) { + int xline = 1; + int col = 1; diff -Nru ruby-ox-2.1.1/debian/patches/series ruby-ox-2.1.1/debian/patches/series --- ruby-ox-2.1.1/debian/patches/series 2014-03-22 13:16:52.000000000 +0100 +++ ruby-ox-2.1.1/debian/patches/series 2017-11-26 01:08:40.000000000 +0100 @@ -1 +1,2 @@ +fix_parse_obj_segfault.patch 000-fix-so-load-path.patch
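
Review bot: The new debian/gbp.conf (debian-branch=stretch/master, upstream-branch=stretch/upstream) is not mentioned in the 2.1.1-2+deb9u1 changelog entry, which lists only fix_parse_obj_segfault.patch. Either add a changelog line for it or leave the file out of the stable upload so the debdiff stays limited to the CVE fix.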
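
Review bot: The Description line in the header of fix_parse_obj_segfault.patch names "Oj.parse_obj()", but the package is ruby-ox and every file the patch touches is under ext/ox, so this presumably should read "Ox.parse_obj()". Correcting it in the Debian copy of the header keeps the patch metadata consistent with the changelog entry, which refers to parse_obj in ruby-ox.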
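
Review bot: In the ext/ox/obj_load.c hunk the new NULL check covers only gh, while the unchanged call rb_hash_aset(gh->obj, ph->obj, h->obj) directly after it still dereferences ph and h. It is worth confirming from the surrounding code, which this hunk does not show, that neither can be NULL for the same malformed input. The error text "container is wrong type" also describes something other than the condition tested, which is a NULL return from helper_stack_peek after the pop; wording about a missing container would match it. The debdiff carries no test input that reproduces the crash, so the fix cannot be checked from the upload alone.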
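
Review bot: The ext/ox/err.c hunk only changes the declared return type of ox_err_raise to _Noreturn void under #if __GNUC__ > 4, and the obj_load.c fix reports its error through set_error and return rather than through this function. Since it does not appear to be needed for the NULL check, consider dropping it from the stable update so the backport carries only the crash fix.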
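
Review bot: In the ext/ox/ox.c hunk the guard #if __GNUC__ > 4 ties the _Noreturn keyword to the compiler's major version rather than to the language standard; a test on __STDC_VERSION__ >= 201112L would state the actual requirement. The hunk changes only the definition of _ox_raise_error, so callers benefit only if the prototype they see carries the same specifier, which is not visible here.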
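
Review bot: In the debian/patches/series hunk, fix_parse_obj_segfault.patch is inserted ahead of 000-fix-so-load-path.patch, so it is applied first. Appending it after the existing entry keeps the original application order and is the usual place for a new patch, unless the ordering is intentional.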

