hi, I'm trying to update oldstable's librack-ruby to fix security issues.
I've cherry-picked upstream changes, but I'm not confident about my changes. Would you review the attached debdiff?

This package seems not to be tested by rspec (because squeeze doesn't have the test-spec package which it needs), so I only tested where I've changed...

# pbuilder --login --basetgz squeeze.tgz
# ...
# gem install rspec -v 1.3.2 (not using packaged version)
# gem install test-spec
# specrb -I ./lib test/rack_spec_utils.rb

Notes:

CVE-2013-0183: The squeeze version's code is different from what I assumed when writing the forwarded mail. So I tried to hand-port the original code and spec. I've confirmed that at least the spec I added doesn't report an error.

regards,
--
KURASHIKI Satoru

---------- Forwarded message ----------
From: Satoru KURASHIKI <[email protected]>
Date: Thu, Aug 29, 2013 at 8:59 PM
Subject: Re: [rt.debian.org #4251] ruby-rack security bug
To: [email protected]
Cc: Nobuhiro Iwamatsu <[email protected]>, Hideki Yamane <[email protected]>

hi,

On Thu, Aug 29, 2013 at 8:50 AM, Satoru KURASHIKI <[email protected]> wrote:
>
> CVE-2013-0183: As far as I was gone, I saw that commit ... but similar code
>> affected seems present,
>

The point (similar code) is:

    loop do
      read_buffer = input.gets
      break if read_buffer == boundary + EOL
    end

So, I think that it may be changed to as:

    loop do
      content = input.read(bufsize)
      raise EOFError, "bad content body" unless content
      @buf << content
      while @buf.gsub!(/\A([^\n]*\n)/, '')
        read_buffer = $1
        return if read_buffer == boundary + EOL
      end
      raise EOFError, "bad content body" if Utils.bytesize(@buf) >= bufsize
    end

But unfortunately I'm neither a rubyist nor a coding expert, so I can't write test code for this change. I will ask some of my friends to review this code...

> CVE-2012-6109:
>
> This should be fixed IF we backport the "refactor of multipart module.

So, it should be considered as "not affected".

> CVE-2011-5036:
>
> We can pick this commit: https://github.com/rack/rack/commit/09c5e53f11a491c25bef873ed146842f3cd03228

regards,
--
KURASHIKI Satoru
Attachment: librack-ruby-oldstable.debdiff (binary data)
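The two preamble-skipping loops contrasted in the forwarded mail for CVE-2013-0183, side by side on constructed input, as an added example. This is neither Rack's code nor the poster's patch: the function names, the sample bodies and the `bytes_consumed_before_failure` helper are invented for this illustration, while `bufsize`, `boundary` and `EOL` mirror the variables in the thread. It shows the property the proposed change is after: with `input.gets` a client can make the server allocate an entire newline-free body before any boundary comparison happens, whereas the chunked loop gives up after roughly `bufsize` bytes.

```ruby
require 'stringio'

# Added example, not Rack's code or the poster's patch: the two ways of
# skipping the multipart preamble up to the first boundary line that the
# thread contrasts for CVE-2013-0183.  Function names and the sample
# bodies below are constructed for this illustration; `bufsize`,
# `boundary` and EOL mirror the variables used in the thread.
EOL = "\r\n"
BOUNDARY = "--Rack0183"   # constructed; a real one comes from Content-Type

# Pre-fix shape (`input.gets`): a line with no newline is slurped into
# memory whole before the boundary comparison ever runs.
def skip_to_boundary_unbounded(input, boundary)
  loop do
    read_buffer = input.gets
    raise EOFError, "bad content body" unless read_buffer
    return read_buffer if read_buffer == boundary + EOL
  end
end

# Bounded shape, following the loop proposed in the forwarded mail: read
# `bufsize` bytes at a time, peel off complete lines, and fail once
# `bufsize` bytes have piled up without a newline.  Memory stays at
# roughly 2 * bufsize no matter what the client sends.
def skip_to_boundary_bounded(input, boundary, bufsize)
  buf = String.new            # binary buffer, like @buf in the thread
  loop do
    content = input.read(bufsize)
    raise EOFError, "bad content body" unless content
    buf << content
    while buf.gsub!(/\A([^\n]*\n)/, '')
      read_buffer = $1        # the line just removed from the buffer
      return read_buffer if read_buffer == boundary + EOL
    end
    raise EOFError, "bad content body" if buf.bytesize >= bufsize
  end
end

# How many bytes a variant pulled off the input before giving up, or nil
# if it found the boundary.  Constructed helper for the comparison below.
def bytes_consumed_before_failure(data, bounded:, bufsize: 16)
  input = StringIO.new(data)
  begin
    if bounded
      skip_to_boundary_bounded(input, BOUNDARY, bufsize)
    else
      skip_to_boundary_unbounded(input, BOUNDARY)
    end
    nil
  rescue EOFError
    input.pos
  end
end

# Constructed well-formed body: a short preamble line, then the boundary.
GOOD_BODY = "preamble text\r\n" + BOUNDARY + EOL +
            "Content-Disposition: form-data; name=\"x\"\r\n\r\nhello\r\n"

# Constructed hostile body: a long run with no newline and no boundary,
# the shape that makes the `gets` variant allocate the whole thing.
HOSTILE_BODY = "A" * 100_000

if __FILE__ == $0
  p skip_to_boundary_unbounded(StringIO.new(GOOD_BODY), BOUNDARY)
  p skip_to_boundary_bounded(StringIO.new(GOOD_BODY), BOUNDARY, 16)
  p bytes_consumed_before_failure(HOSTILE_BODY, bounded: false)
  p bytes_consumed_before_failure(HOSTILE_BODY, bounded: true, bufsize: 16)
end
```

Both variants find the boundary in the well-formed body; on the hostile body the `gets` variant has consumed all 100,000 bytes before it fails, the bounded one only 16. The caveat when backporting: `bufsize` must exceed the longest legitimate line before the boundary, since the `buf.bytesize >= bufsize` check rejects any such line outright (the tiny value of 16 here is only to make the effect visible on short input).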

