Your message dated Fri, 14 Nov 2014 20:10:58 +0000
with message-id <[email protected]>
and subject line Re: Bug#769587: unblock: ruby-sprockets/2.12.3-1
has caused the Debian Bug report #769587,
regarding unblock: ruby-sprockets/2.12.3-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
769587: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769587
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package ruby-sprockets
I have just uploaded 2.12.3-1 to unstable. Even though it is a new
upstream version, it includes solely 2 security fixes, including the one
for CVE-2014-7819 (Arbitrary file existence disclosure in Sprockets),
and another one that I assume was not important enough to get a CVE.
Anyway the changes do not introduce any API or behavior change besides
the security fixes.
Attached you will find the debdiff between this new version and the one
in jessie.
unblock ruby-sprockets/2.12.3-1
-- System Information:
Debian Release: jessie/sid
APT prefers buildd-unstable
APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'),
(1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--
Antonio Terceiro <[email protected]>
Binary files /tmp/yUjvUJRZyP/ruby-sprockets-2.12.1/checksums.yaml.gz and /tmp/wwQmIlt1jH/ruby-sprockets-2.12.3/checksums.yaml.gz differ
diff -Nru ruby-sprockets-2.12.1/debian/changelog ruby-sprockets-2.12.3/debian/changelog
--- ruby-sprockets-2.12.1/debian/changelog 2014-05-19 12:21:50.000000000 -0300
+++ ruby-sprockets-2.12.3/debian/changelog 2014-11-14 16:29:31.000000000 -0200
@@ -1,3 +1,11 @@
+ruby-sprockets (2.12.3-1) unstable; urgency=medium
+
+ * New upstream release
+ - Fix for [CVE-2014-7819] Arbitrary file existence disclosure in
+ Sprockets
+
+ -- Antonio Terceiro <[email protected]> Fri, 14 Nov 2014 16:29:03 -0200
+
ruby-sprockets (2.12.1-1) unstable; urgency=medium
* New upstream release
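Review bot: the new 2.12.3-1 entry records only the CVE-2014-7819 fix, while the cover letter describes two security fixes and the debdiff also carries a non-security namespace change (`Sass::` to `::Sass::` in lib/sprockets/sass_functions.rb and lib/sprockets/sass_importer.rb) and drops one name from Uploaders in debian/control. Suggest adding bullets for the second upstream fix (the 2.12.2 entry in README.md, "Ensure internal asset lookups calls are still restricted to load paths") and for the Uploaders change, so every change visible in the diff is accounted for in the changelog the release team reads.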
diff -Nru ruby-sprockets-2.12.1/debian/control ruby-sprockets-2.12.3/debian/control
--- ruby-sprockets-2.12.1/debian/control 2014-05-19 12:19:43.000000000 -0300
+++ ruby-sprockets-2.12.3/debian/control 2014-11-14 16:29:31.000000000 -0200
@@ -2,9 +2,7 @@
Section: ruby
Priority: optional
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
-Uploaders:
- Ondřej Surý <[email protected]>,
- Antonio Terceiro <[email protected]>,
+Uploaders: Antonio Terceiro <[email protected]>,
Build-Depends: debhelper (>= 7.0.50~),
gem2deb (>= 0.5.0~),
ruby-hike (>= 1.2),
diff -Nru ruby-sprockets-2.12.1/lib/sprockets/base.rb ruby-sprockets-2.12.3/lib/sprockets/base.rb
--- ruby-sprockets-2.12.1/lib/sprockets/base.rb 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/lib/sprockets/base.rb 2014-11-06 04:16:45.000000000 -0200
@@ -261,7 +261,7 @@
# Find asset by logical path or expanded path.
def find_asset(path, options = {})
logical_path = path
- pathname = Pathname.new(path)
+ pathname = Pathname.new(path).cleanpath
if pathname.absolute?
return unless stat(pathname)
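Review bot: `Pathname#cleanpath` is purely lexical: it collapses `.` and `foo/..` segments without touching the filesystem and leaves a leading `..` in place, so a relative path such as `../x` passes through this line unchanged and is not rejected here. The `absolute?` branch below benefits only because `cleanpath` turns something like `/a/../etc` into `/etc` before `stat` sees it. The request-level rejection of `..` therefore still has to happen in `forbidden_request?` in server.rb; a short comment on this line saying it normalizes rather than validates would stop readers taking it for the security check.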
diff -Nru ruby-sprockets-2.12.1/lib/sprockets/sass_functions.rb ruby-sprockets-2.12.3/lib/sprockets/sass_functions.rb
--- ruby-sprockets-2.12.1/lib/sprockets/sass_functions.rb 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/lib/sprockets/sass_functions.rb 2014-11-06 04:16:45.000000000 -0200
@@ -3,59 +3,59 @@
module Sprockets
module SassFunctions
def asset_path(path)
- Sass::Script::String.new(sprockets_context.asset_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.asset_path(path.value), :string)
end
def asset_url(path)
- Sass::Script::String.new("url(" + sprockets_context.asset_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.asset_path(path.value) + ")")
end
def image_path(path)
- Sass::Script::String.new(sprockets_context.image_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.image_path(path.value), :string)
end
def image_url(path)
- Sass::Script::String.new("url(" + sprockets_context.image_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.image_path(path.value) + ")")
end
def video_path(path)
- Sass::Script::String.new(sprockets_context.video_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.video_path(path.value), :string)
end
def video_url(path)
- Sass::Script::String.new("url(" + sprockets_context.video_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.video_path(path.value) + ")")
end
def audio_path(path)
- Sass::Script::String.new(sprockets_context.audio_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.audio_path(path.value), :string)
end
def audio_url(path)
- Sass::Script::String.new("url(" + sprockets_context.audio_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.audio_path(path.value) + ")")
end
def font_path(path)
- Sass::Script::String.new(sprockets_context.font_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.font_path(path.value), :string)
end
def font_url(path)
- Sass::Script::String.new("url(" + sprockets_context.font_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.font_path(path.value) + ")")
end
def javascript_path(path)
- Sass::Script::String.new(sprockets_context.javascript_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.javascript_path(path.value), :string)
end
def javascript_url(path)
- Sass::Script::String.new("url(" + sprockets_context.javascript_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.javascript_path(path.value) + ")")
end
def stylesheet_path(path)
- Sass::Script::String.new(sprockets_context.stylesheet_path(path.value), :string)
+ ::Sass::Script::String.new(sprockets_context.stylesheet_path(path.value), :string)
end
def stylesheet_url(path)
- Sass::Script::String.new("url(" + sprockets_context.stylesheet_path(path.value) + ")")
+ ::Sass::Script::String.new("url(" + sprockets_context.stylesheet_path(path.value) + ")")
end
protected
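Review bot: the fourteen `Sass::` to `::Sass::` edits here, and the same change to the superclass in lib/sprockets/sass_importer.rb, are constant-lookup fixes (forcing the top-level `Sass` module rather than anything named `Sprockets::Sass` in lexical scope), not security fixes, yet the unblock request says the upload contains only security fixes. They look harmless for the freeze, but they should be listed in debian/changelog so the diff and the changelog agree.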
diff -Nru ruby-sprockets-2.12.1/lib/sprockets/sass_importer.rb ruby-sprockets-2.12.3/lib/sprockets/sass_importer.rb
--- ruby-sprockets-2.12.1/lib/sprockets/sass_importer.rb 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/lib/sprockets/sass_importer.rb 2014-11-06 04:16:45.000000000 -0200
@@ -3,7 +3,7 @@
module Sprockets
# This custom importer that tracks all imported filenames during
# compile.
- class SassImporter < Sass::Importers::Filesystem
+ class SassImporter < ::Sass::Importers::Filesystem
attr_reader :imported_filenames
def initialize(*args)
diff -Nru ruby-sprockets-2.12.1/lib/sprockets/server.rb ruby-sprockets-2.12.3/lib/sprockets/server.rb
--- ruby-sprockets-2.12.1/lib/sprockets/server.rb 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/lib/sprockets/server.rb 2014-11-06 04:16:45.000000000 -0200
@@ -33,16 +33,16 @@
# Extract the path from everything after the leading slash
path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
- # URLs containing a `".."` are rejected for security reasons.
- if forbidden_request?(path)
- return forbidden_response
- end
-
# Strip fingerprint
if fingerprint = path_fingerprint(path)
path = path.sub("-#{fingerprint}", '')
end
+ # URLs containing a `".."` are rejected for security reasons.
+ if forbidden_request?(path)
+ return forbidden_response
+ end
+
# Look up the asset.
asset = find_asset(path, :bundle => !body_only?(env))
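Review bot: the reordering is the substantive part of the fix, and the comment above `forbidden_request?` should say why it now sits after the fingerprint strip: `path.sub("-#{fingerprint}", '')` removes characters from the middle of the request path, so a path that contained no `..` in its original form can contain `..` after stripping (the text `.-<hex>./` becomes `../`). Checking the final, stripped path is what closes that, and the protection silently disappears if anyone reorders these blocks again, so a comment such as `# Must run after fingerprint stripping, which can itself produce ".."` is worth adding.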
@@ -90,7 +90,7 @@
#
# http://example.org/assets/../../../etc/passwd
#
- path.include?("..")
+ path.include?("..") || Pathname.new(path).absolute?
end
# Returns a 403 Forbidden response tuple
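Review bot: the added `Pathname.new(path).absolute?` is needed because the caller strips only one leading slash (`sub(/^\//, '')` at the top of the previous hunk), so a request path beginning with two slashes still reaches `find_asset` as an absolute path, and `find_asset` calls `stat` directly on absolute paths (see the base.rb hunk), which is the file-existence oracle the CVE title describes. `absolute?` is lexical and catches that case. Two smaller points: `path.include?("..")` is a substring test, so a legitimate asset name containing `..` (e.g. `a..b.js`) is also refused, which is acceptable as a conservative rule but deserves a comment; and the example in the comment above only illustrates the `..` case, so extend it to mention the absolute-path case too.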
@@ -222,7 +222,7 @@
# # => "0aa2105d29558f3eb790d411d7d8fb66"
#
def path_fingerprint(path)
- path[/-([0-9a-f]{7,40})\.[^.]+$/, 1]
+ path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1]
end
# URI.unescape is deprecated on 1.9. We need to use URI::Parser
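Review bot: switching `$` to `\z` is correct and worth a comment: in Ruby regexps `$` matches at the end of any line, not only at the end of the string, so with `$` the fingerprint could be matched in front of an embedded newline in the request path and the `[^.]+` extension cut short there; `\z` matches only at the true end of the string. The same `^` anchor is used in `sub(/^\//, '')` in `call` in the earlier hunk; it is harmless there because `sub` replaces only the first match, but `\A` would express the intent more precisely.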
diff -Nru ruby-sprockets-2.12.1/lib/sprockets/version.rb ruby-sprockets-2.12.3/lib/sprockets/version.rb
--- ruby-sprockets-2.12.1/lib/sprockets/version.rb 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/lib/sprockets/version.rb 2014-11-06 04:16:45.000000000 -0200
@@ -1,3 +1,3 @@
module Sprockets
- VERSION = "2.12.1"
+ VERSION = "2.12.3"
end
diff -Nru ruby-sprockets-2.12.1/metadata.yml ruby-sprockets-2.12.3/metadata.yml
--- ruby-sprockets-2.12.1/metadata.yml 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/metadata.yml 2014-11-06 04:16:45.000000000 -0200
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: sprockets
version: !ruby/object:Gem::Version
- version: 2.12.1
+ version: 2.12.3
platform: ruby
authors:
- Sam Stephenson
@@ -9,236 +9,236 @@
autorequire:
bindir: bin
cert_chain: []
-date: 2014-04-17 00:00:00.000000000 Z
+date: 2014-10-28 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: hike
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.2'
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.2'
- !ruby/object:Gem::Dependency
name: multi_json
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
- !ruby/object:Gem::Dependency
name: rack
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
- !ruby/object:Gem::Dependency
name: tilt
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.1'
- - - '!='
+ - - "!="
- !ruby/object:Gem::Version
version: 1.3.0
type: :runtime
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.1'
- - - '!='
+ - - "!="
- !ruby/object:Gem::Version
version: 1.3.0
- !ruby/object:Gem::Dependency
name: closure-compiler
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
- !ruby/object:Gem::Dependency
name: coffee-script
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '2.0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '2.0'
- !ruby/object:Gem::Dependency
name: coffee-script-source
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.2'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.2'
- !ruby/object:Gem::Dependency
name: eco
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
- !ruby/object:Gem::Dependency
name: ejs
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
- !ruby/object:Gem::Dependency
name: execjs
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '1.0'
- !ruby/object:Gem::Dependency
name: json
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
- !ruby/object:Gem::Dependency
name: rack-test
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
- !ruby/object:Gem::Dependency
name: rake
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
- !ruby/object:Gem::Dependency
name: sass
requirement: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '3.1'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - ~>
+ - - "~>"
- !ruby/object:Gem::Version
version: '3.1'
- !ruby/object:Gem::Dependency
name: uglifier
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
- !ruby/object:Gem::Dependency
name: yui-compressor
requirement: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
description: Sprockets is a Rack-based asset packaging system that concatenates and
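Review bot: this hunk is entirely regenerated gemspec metadata: the quoting of the `~>`, `!=` and `>=` operators changes from single to double quotes and `date` moves to 2014-10-28, consistent with the `rubygems_version` bump from 2.0.3 to 2.2.2 later in this file and with the 2.12.3 date in README.md. No dependency name or version constraint changes, so nothing here affects the package's behaviour; noting it so the size of the debdiff does not obscure the small functional change in lib/sprockets/server.rb and lib/sprockets/base.rb.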
@@ -251,9 +251,11 @@
extensions: []
extra_rdoc_files: []
files:
-- README.md
- LICENSE
+- README.md
+- bin/sprockets
- lib/rake/sprocketstask.rb
+- lib/sprockets.rb
- lib/sprockets/asset.rb
- lib/sprockets/asset_attributes.rb
- lib/sprockets/base.rb
@@ -291,8 +293,6 @@
- lib/sprockets/utils.rb
- lib/sprockets/version.rb
- lib/sprockets/yui_compressor.rb
-- lib/sprockets.rb
-- bin/sprockets
homepage: http://getsprockets.org/
licenses:
- MIT
@@ -303,19 +303,18 @@
- lib
required_ruby_version: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
required_rubygems_version: !ruby/object:Gem::Requirement
requirements:
- - - '>='
+ - - ">="
- !ruby/object:Gem::Version
version: '0'
requirements: []
rubyforge_project: sprockets
-rubygems_version: 2.0.3
+rubygems_version: 2.2.2
signing_key:
specification_version: 4
summary: Rack-based asset packaging system
test_files: []
-has_rdoc:
diff -Nru ruby-sprockets-2.12.1/README.md ruby-sprockets-2.12.3/README.md
--- ruby-sprockets-2.12.1/README.md 2014-04-20 04:46:01.000000000 -0300
+++ ruby-sprockets-2.12.3/README.md 2014-11-06 04:16:45.000000000 -0200
@@ -366,6 +366,17 @@
## Version History ##
+**2.12.3** (October 28, 2014)
+
+* Security: Fix directory traversal bug in development mode server.
+
+**2.12.2** (September 5, 2014)
+
+* Ensure internal asset lookups calls are still restricted to load paths within
+ asset compiles. Though, you should not depend on internal asset resolves to be
+ completely restricted for security reasons. Assets themselves should be
+ considered full scripting environments with filesystem access.
+
**2.12.1** (April 17, 2014)
* Fix making manifest target directory when its different than the output directory.
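Review bot: the 2.12.2 entry is worth quoting in the upload's own description: it states that the restriction of internal asset resolution to load paths is not to be relied on for security and that assets are full scripting environments with filesystem access, which means the `cleanpath` change in base.rb is defence in depth and the exposed surface the CVE fix addresses is the development-mode server in server.rb. That framing belongs in the changelog bullet so users reading the security entry understand its scope.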
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
On Fri, 2014-11-14 at 17:04 -0200, Antonio Terceiro wrote:
> Please unblock package ruby-sprockets
>
> I have just uploaded 2.12.3-1 to unstable. Even though it is a new
> upstream version, it includes solely 2 security fixes, including the one
> for CVE-2014-7819 (Arbitrary file existence disclosure in Sprockets),
> and another one that I assume was not important enough to get a CVE.
>
> Anyway the changes do not introduce any API or behavior change besides
> the security fixes.
Unblocked.
Regards,
Adam
--- End Message ---