Bug#697796: marked as done (unblock: ruby-activesupport-2.3/2.3.14-5)

[Debian Bug Tracking System]

Your message dated Wed, 09 Jan 2013 21:47:07 +0000
with message-id <1357768027.21796.2.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#697796: unblock: ruby-activesupport-2.3/2.3.14-5
has caused the Debian Bug report #697796,
regarding unblock: ruby-activesupport-2.3/2.3.14-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
697796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697796
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package ruby-activesupport-2.3

This version adds a fix for vulnerabilities in parameter parsing
[CVE-2013-0156] Closes: #697789]

the debdiff against the package in testing is attached.

unblock ruby-activesupport-2.3/2.3.14-5

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terce...@debian.org>

diff -Nru ruby-activesupport-2.3-2.3.14/debian/changelog ruby-activesupport-2.3-2.3.14/debian/changelog
--- ruby-activesupport-2.3-2.3.14/debian/changelog	2012-06-29 14:33:46.000000000 -0300
+++ ruby-activesupport-2.3-2.3.14/debian/changelog	2013-01-09 16:35:41.000000000 -0300
@@ -1,3 +1,11 @@
+ruby-activesupport-2.3 (2.3.14-5) unstable; urgency=high
+
+  * Team upload.
+  * Add fix for vulnerabilities in parameter parsing [CVE-2013-0156].
+    Closes: #697789
+
+ -- Antonio Terceiro <terce...@debian.org>  Wed, 09 Jan 2013 16:34:24 -0300
+
 ruby-activesupport-2.3 (2.3.14-4) unstable; urgency=low
 
   * Team upload.
diff -Nru ruby-activesupport-2.3-2.3.14/debian/control ruby-activesupport-2.3-2.3.14/debian/control
--- ruby-activesupport-2.3-2.3.14/debian/control	2012-06-29 14:34:34.000000000 -0300
+++ ruby-activesupport-2.3-2.3.14/debian/control	2013-01-09 16:47:31.000000000 -0300
@@ -2,7 +2,6 @@
 Section: ruby
 Priority: optional
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
-Uploaders: Ondřej Surý <ond...@debian.org>
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
 	       gem2deb (>= 0.3.0~),
diff -Nru ruby-activesupport-2.3-2.3.14/debian/control.in ruby-activesupport-2.3-2.3.14/debian/control.in
--- ruby-activesupport-2.3-2.3.14/debian/control.in	2012-06-29 14:28:53.000000000 -0300
+++ ruby-activesupport-2.3-2.3.14/debian/control.in	2012-09-01 17:38:25.000000000 -0300
@@ -2,7 +2,6 @@
 Section: ruby
 Priority: optional
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
-Uploaders: Ondřej Surý <ond...@debian.org>
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
 	       gem2deb (>= 0.3.0~),
diff -Nru ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch
--- ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby-activesupport-2.3-2.3.14/debian/patches/CVE-2013-0156.patch	2013-01-09 16:33:35.000000000 -0300
@@ -0,0 +1,82 @@
+From 70adb9613e4a40c5645c99da374639c41012e4fc Mon Sep 17 00:00:00 2001
+From: Jeremy Kemper <jer...@bitsweat.net>
+Date: Sat, 5 Jan 2013 17:46:26 -0700
+Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow
+ symbols or yaml.
+
+diff --git a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb
+index a43763f..d7a8c1e 100644
+--- a/lib/active_support/core_ext/hash/conversions.rb
++++ b/lib/active_support/core_ext/hash/conversions.rb
+@@ -26,6 +26,13 @@ module ActiveSupport #:nodoc:
+           end
+         end
+ 
++        DISALLOWED_XML_TYPES = %w(symbol yaml)
++        class DisallowedType < StandardError #:nodoc:
++          def initialize(type)
++            super "Disallowed type attribute: #{type.inspect}"
++          end
++        end
++
+         XML_TYPE_NAMES = {
+           "Symbol"     => "symbol",
+           "Fixnum"     => "integer",
+@@ -160,14 +167,24 @@ module ActiveSupport #:nodoc:
+         end
+ 
+         module ClassMethods
+-          def from_xml(xml)
+-            typecast_xml_value(unrename_keys(XmlMini.parse(xml)))
++          def from_xml(xml, disallowed_types = nil)
++            typecast_xml_value(unrename_keys(XmlMini.parse(xml)), disallowed_types)
++          end
++
++          def from_trusted_xml(xml)
++            from_xml xml, []
+           end
+ 
+           private
+-            def typecast_xml_value(value)
++            def typecast_xml_value(value, disallowed_types = nil)
++              disallowed_types ||= DISALLOWED_XML_TYPES
++
+               case value.class.to_s
+                 when 'Hash'
++                  if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
++                    raise DisallowedType, value['type']
++                  end
++
+                   if value['type'] == 'array'
+                     child_key, entries = value.detect { |k,v| k != 'type' }   # child_key is throwaway
+                     if entries.nil? || (c = value['__content__'] && c.blank?)
+@@ -175,9 +192,9 @@ module ActiveSupport #:nodoc:
+                     else
+                       case entries.class.to_s   # something weird with classes not matching here.  maybe singleton methods breaking is_a?
+                       when "Array"
+-                        entries.collect { |v| typecast_xml_value(v) }
++                        entries.collect { |v| typecast_xml_value(v, disallowed_types) }
+                       when "Hash"
+-                        [typecast_xml_value(entries)]
++                        [typecast_xml_value(entries, disallowed_types)]
+                       else
+                         raise "can't typecast #{entries.inspect}"
+                       end
+@@ -205,7 +222,7 @@ module ActiveSupport #:nodoc:
+                     nil
+                   else
+                     xml_value = value.inject({}) do |h,(k,v)|
+-                      h[k] = typecast_xml_value(v)
++                      h[k] = typecast_xml_value(v, disallowed_types)
+                       h
+                     end
+                     
+@@ -214,7 +231,7 @@ module ActiveSupport #:nodoc:
+                     xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
+                   end
+                 when 'Array'
+-                  value.map! { |i| typecast_xml_value(i) }
++                  value.map! { |i| typecast_xml_value(i, disallowed_types) }
+                   case value.length
+                     when 0 then nil
+                     when 1 then value.first
diff -Nru ruby-activesupport-2.3-2.3.14/debian/patches/series ruby-activesupport-2.3-2.3.14/debian/patches/series
--- ruby-activesupport-2.3-2.3.14/debian/patches/series	2012-02-02 20:56:25.000000000 -0200
+++ ruby-activesupport-2.3-2.3.14/debian/patches/series	2013-01-09 16:33:35.000000000 -0300
@@ -1,2 +1,3 @@
 0001-remove_vendor_directory.patch
 0002-remove_rubygems_require.patch
+CVE-2013-0156.patch

signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

On Wed, 2013-01-09 at 16:56 -0300, Antonio Terceiro wrote:
> Please unblock package ruby-activesupport-2.3
> 
> This version adds a fix for vulnerabilities in parameter parsing
> [CVE-2013-0156] Closes: #697789]

Unblocked; thanks.

Regards,

Adam

--- End Message ---