Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.9.git;a=commitdiff;h=1b40d4283a42cb7ac44c6d0cbda842484089c57a

commit 1b40d4283a42cb7ac44c6d0cbda842484089c57a
Author: kikadf <[email protected]>
Date:   Sat May 17 14:36:01 2014 +0200

actionpack-3.2.6-2arcturus2-x86_64

* Fix CVE-2014-0081, CVE-2014-0082, CVE-2014-0130

diff --git a/source/devel-extra/actionpack/CVE-2014-0081.patch 
b/source/devel-extra/actionpack/CVE-2014-0081.patch
new file mode 100644
index 0000000..5f2f32e
--- /dev/null
+++ b/source/devel-extra/actionpack/CVE-2014-0081.patch
@@ -0,0 +1,66 @@
+From af9cac1d311f6564a2927c23f42e7194e4a189ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <[email protected]>
+Date: Tue, 11 Feb 2014 23:29:27 -0200
+Subject: [PATCH] Escape format, negative_format and units options of number
+ helpers
+
+Previously the values of these options were trusted leading to
+potential XSS vulnerabilities.
+
+Fixes: CVE-2014-0081
+---
+ .../lib/action_view/helpers/number_helper.rb       | 14 +++++-
+ actionpack/test/template/number_helper_test.rb     | 51 ++++++++++++++++++++++
+ 2 files changed, 64 insertions(+), 1 deletion(-)
+
+--- a/lib/action_view/helpers/number_helper.rb
++++ b/lib/action_view/helpers/number_helper.rb
+@@ -126,12 +126,18 @@ module ActionView
+
+         options.symbolize_keys!
+
++        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if 
options[:delimiter]
++        options[:separator] = ERB::Util.html_escape(options[:separator]) if 
options[:separator]
++        options[:format] = ERB::Util.html_escape(options[:format]) if 
options[:format]
++        options[:negative_format] = 
ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
++
+         defaults  = I18n.translate(:'number.format', :locale => 
options[:locale], :default => {})
+         currency  = I18n.translate(:'number.currency.format', :locale => 
options[:locale], :default => {})
+         currency[:negative_format] ||= "-" + currency[:format] if 
currency[:format]
+
+         defaults  = DEFAULT_CURRENCY_VALUES.merge(defaults).merge!(currency)
+         defaults[:negative_format] = "-" + options[:format] if 
options[:format]
++
+         options   = defaults.merge!(options)
+
+         unit      = options.delete(:unit)
+@@ -188,6 +194,9 @@ module ActionView
+
+         options.symbolize_keys!
+
++        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if 
options[:delimiter]
++        options[:separator] = ERB::Util.html_escape(options[:separator]) if 
options[:separator]
++
+         defaults   = I18n.translate(:'number.format', :locale => 
options[:locale], :default => {})
+         percentage = I18n.translate(:'number.percentage.format', :locale => 
options[:locale], :default => {})
+         defaults  = defaults.merge(percentage)
+@@ -232,6 +241,9 @@ module ActionView
+       def number_with_delimiter(number, options = {})
+         options.symbolize_keys!
+
++        options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if 
options[:delimiter]
++        options[:separator] = ERB::Util.html_escape(options[:separator]) if 
options[:separator]
++
+         begin
+           Float(number)
+         rescue ArgumentError, TypeError
+@@ -507,7 +519,7 @@ module ActionView
+         units = options.delete :units
+         unit_exponents = case units
+         when Hash
+-          units
++          units = Hash[units.map { |k, v| [k, ERB::Util.html_escape(v)] }]
+         when String, Symbol
+           I18n.translate(:"#{units}", :locale => options[:locale], :raise => 
true)
+         when nil
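Review bot: The embedded patch header advertises test changes it does not carry — the stat block lists `actionpack/test/template/number_helper_test.rb | 51 ++++` and `2 files changed, 64 insertions(+), 1 deletion(-)`, yet only the `lib/action_view/helpers/number_helper.rb` hunks follow. Plain patch(1) ignores the stat lines, so the build is unaffected, but the backport ships without its regression tests and a git-based apply sees a patch that contradicts its own summary. Either carry the test hunks along or trim the stat block to `1 file changed` with just the number_helper.rb line. The same mismatch appears in the CVE-2014-0082 and CVE-2014-0130 patch files below, which also list test files (`text_test.rb`, `render_implicit_action_test.rb`) without including them.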
diff --git a/source/devel-extra/actionpack/CVE-2014-0082.patch 
b/source/devel-extra/actionpack/CVE-2014-0082.patch
new file mode 100644
index 0000000..c488eef
--- /dev/null
+++ b/source/devel-extra/actionpack/CVE-2014-0082.patch
@@ -0,0 +1,33 @@
+From f103fe6031a1e36000d4dc430a3b130d381b2c0e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <[email protected]>
+Date: Tue, 11 Feb 2014 22:56:50 -0200
+Subject: [PATCH] Use the reference for the mime type to get the format
+
+Before we were calling to_sym in the mime type, even when it is unknown
+what can cause denial of service since symbols are not removed by the
+garbage collector.
+
+Fixes: CVE-2014-0082
+---
+ actionpack/lib/action_view/template/text.rb |  2 +-
+ actionpack/test/template/text_test.rb       | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 actionpack/test/template/text_test.rb
+
+diff --git a/lib/action_view/template/text.rb 
b/actionpack/lib/action_view/template/text.rb
+index 4261c3b..d90e43b 100644
+--- a/lib/action_view/template/text.rb
++++ b/lib/action_view/template/text.rb
+@@ -23,7 +23,7 @@ module ActionView #:nodoc:
+       end
+
+       def formats
+-        [@mime_type.to_sym]
++        [@mime_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
+       end
+     end
+   end
+--
+1.8.4.3
+
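Review bot: The embedded `diff --git` line pairs `a/lib/action_view/template/text.rb` with `b/actionpack/lib/action_view/template/text.rb`, so its two sides name different paths, while the `---`/`+++` lines beneath agree on `lib/action_view/template/text.rb`. patch -p1 only reads the `---`/`+++` lines and will apply it, but git apply cross-checks the header against those names and would likely reject the file as inconsistent, so the header should be rewritten as `diff --git a/lib/action_view/template/text.rb b/lib/action_view/template/text.rb`. One behavioural detail of the new `formats` worth a comment in the package notes: when `@mime_type` does not respond to `ref`, it now yields a String where the old code yielded a Symbol, so this is presumably only the unknown-type path and callers comparing against symbol formats are unaffected for registered types — confirm against the bundled Mime types.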
diff --git a/source/devel-extra/actionpack/CVE-2014-0130.patch 
b/source/devel-extra/actionpack/CVE-2014-0130.patch
new file mode 100644
index 0000000..0cac238
--- /dev/null
+++ b/source/devel-extra/actionpack/CVE-2014-0130.patch
@@ -0,0 +1,81 @@
+From 0f3b7d1a319383f743f9938e1eed00f0fba7a367 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <[email protected]>
+Date: Thu, 17 Apr 2014 16:50:39 -0300
+Subject: [PATCH] Only accept actions without File::SEPARATOR in the name.
+
+This will avoid directory traversal in implicit render.
+
+Fixes: CVE-2014-0130
+---
+ actionpack/lib/abstract_controller/base.rb         | 28 +++++++++++++++++++---
+ .../new_base/render_implicit_action_test.rb        | 17 ++++++++++++-
+ 2 files changed, 41 insertions(+), 4 deletions(-)
+
+diff --git a/actionpack/lib/abstract_controller/base.rb 
b/actionpack/lib/abstract_controller/base.rb
+index fd6a46f..2541125 100644
+--- a/lib/abstract_controller/base.rb
++++ b/lib/abstract_controller/base.rb
+@@ -112,7 +112,7 @@ module AbstractController
+     def process(action, *args)
+       @_action_name = action_name = action.to_s
+
+-      unless action_name = method_for_action(action_name)
++      unless action_name = _find_action_name(action_name)
+         raise ActionNotFound, "The action '#{action}' could not be found for 
#{self.class.name}"
+       end
+
+@@ -138,7 +138,7 @@ module AbstractController
+     # available action consider actions that are also available
+     # through other means, for example, implicit render ones.
+     def available_action?(action_name)
+-      method_for_action(action_name).present?
++      _find_action_name(action_name).present?
+     end
+
+     private
+@@ -182,6 +182,23 @@ module AbstractController
+       end
+
+       # Takes an action name and returns the name of the method that will
++      # handle the action.
++      #
++      # It checks if the action name is valid and returns false otherwise.
++      #
++      # See method_for_action for more information.
++      #
++      # ==== Parameters
++      # * <tt>action_name</tt> - An action name to find a method name for
++      #
++      # ==== Returns
++      # * <tt>string</tt> - The name of the method that handles the action
++      # * false           - No valid method name could be found. Raise 
ActionNotFound.
++      def _find_action_name(action_name)
++        _valid_action_name?(action_name) && method_for_action(action_name)
++      end
++
++      # Takes an action name and returns the name of the method that will
+       # handle the action. In normal cases, this method returns the same
+       # name as it receives. By default, if #method_for_action receives
+       # a name that is not an action, it will look for an #action_missing
+@@ -203,11 +220,16 @@ module AbstractController
+       #
+       # ==== Returns
+       # * <tt>string</tt> - The name of the method that handles the action
+-      # * <tt>nil</tt>    - No method name could be found. Raise 
ActionNotFound.
++      # * <tt>nil</tt>    - No method name could be found.
+       def method_for_action(action_name)
+         if action_method?(action_name) then action_name
+         elsif respond_to?(:action_missing, true) then "_handle_action_missing"
+         end
+       end
++
++      # Checks if the action name is valid and returns false otherwise.
++      def _valid_action_name?(action_name)
++        action_name.to_s !~ Regexp.new(File::SEPARATOR)
++      end
+   end
+ end
+--
+1.9.1
+
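Review bot: `_valid_action_name?` rejects only `File::SEPARATOR`, so on a platform that defines `File::ALT_SEPARATOR` (a backslash) an action name containing that separator would still be handed to `method_for_action`; for this x86_64 Linux package that is moot, but if the patch is meant to be reused, `action_name.to_s !~ Regexp.union(*[File::SEPARATOR, File::ALT_SEPARATOR].compact)` covers both and also escapes the separator instead of interpolating it into `Regexp.new` unescaped. The rest of the change is consistent: `process` raises `ActionNotFound` on the `false` returned for an invalid name, and `available_action?` turns it into `false` via `present?`.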
diff --git a/source/devel-extra/actionpack/FrugalBuild 
b/source/devel-extra/actionpack/FrugalBuild
index 4b10159..12fc7dd 100644
--- a/source/devel-extra/actionpack/FrugalBuild
+++ b/source/devel-extra/actionpack/FrugalBuild
@@ -1,10 +1,9 @@
# Compiling Time: 0.45 SBU
-# Contributor: kikadf <[email protected]>
# Maintainer: jercel <[email protected]>

pkgname=actionpack
pkgver=3.2.6
-pkgrel=2arcturus1
+pkgrel=2arcturus2
pkgdesc="Eases web-request routing, handling, and response."
url="http://rubyforge.org/projects/actionpack/";
depends=('activesupport>=3.2.6')
@@ -17,7 +16,8 @@ sha1sums=('699cfcdd1e279f9e86e4c0a935b51570fd293ad9')
source=(${source[@]} CVE-2012-3424.patch CVE-2012-3463.patch CVE-2012-3465.patch
CVE-2013-0155.patch CVE-2013-1855.patch CVE-2013-1857.patch
CVE-2013-4389.patch CVE-2013-4491.patch CVE-2013-6414.patch
-                     CVE-2013-6415.patch CVE-2013-6417.patch)
+                     CVE-2013-6415.patch CVE-2013-6417.patch 
CVE-2014-0081.patch
+                     CVE-2014-0082.patch CVE-2014-0130.patch)
sha1sums=(${sha1sums[@]} 'e1296be7281fb5cd29402e73fd782fbd35b85b18' \
'3363cb439105c87268c7e9c5800d643ff417f7c5' \
'595c1696b04f94754fe4bceec06302e7fcb86e6c' \
@@ -28,6 +28,10 @@ sha1sums=(${sha1sums[@]} 
'e1296be7281fb5cd29402e73fd782fbd35b85b18' \
'e839bc93528cc00bec59913708f4d4db452f93bd' \
'96222bd83d5f9a5f88b12aa58f68a7b83676578f' \
'4846c25e2b4e4afe9545fcb8b861f6fbedf7e94a' \
-                         '59179b172db651fd3b3bee2e1b4a893439780a3a')
+                         '59179b172db651fd3b3bee2e1b4a893439780a3a' \
+                         '9e3c8cfa41e04907f630aca2ccfdb94631dfbaa7' \
+                         '375d8cbb22fec5bc1dff1ffa061308a787d0e200' \
+                         'd61e4a9e03ecad27b685e35e2e4e83e959b150f8')
# ***********

+
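Review bot: The three sha1sums appended after `'59179b172db651fd3b3bee2e1b4a893439780a3a'` are positional — they are matched to the new patches purely by their order in `source=`, so `9e3c8cfa…` must belong to CVE-2014-0081.patch, `375d8cbb…` to CVE-2014-0082.patch and `d61e4a9e…` to CVE-2014-0130.patch, and nothing in the hunk ties a sum to its file, which cannot be confirmed from here. A short comment per entry naming its patch would make any later reordering of either array obvious in review. The first FrugalBuild hunk also drops the `# Contributor: kikadf` line, an unrelated change the commit message does not mention.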