Control: tags 901913 + patch
Control: tags 901913 + pending
Dear maintainer,

I've prepared an NMU for ruby-sprockets (versioned as 3.7.0-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore
diff -Nru ruby-sprockets-3.7.0/debian/changelog ruby-sprockets-3.7.0/debian/changelog --- ruby-sprockets-3.7.0/debian/changelog 2016-09-13 13:34:48.000000000 +0200 +++ ruby-sprockets-3.7.0/debian/changelog 2018-07-05 23:29:49.000000000 +0200 @@ -1,3 +1,11 @@ +ruby-sprockets (3.7.0-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Do not respond to http requests asking for a `file://` (CVE-2018-3760) + (Closes: #901913) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 05 Jul 2018 23:29:49 +0200 + ruby-sprockets (3.7.0-1) unstable; urgency=medium * Team upload diff -Nru ruby-sprockets-3.7.0/debian/patches/Do-not-respond-to-http-requests-asking-for-a-file.patch ruby-sprockets-3.7.0/debian/patches/Do-not-respond-to-http-requests-asking-for-a-file.patch --- ruby-sprockets-3.7.0/debian/patches/Do-not-respond-to-http-requests-asking-for-a-file.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-sprockets-3.7.0/debian/patches/Do-not-respond-to-http-requests-asking-for-a-file.patch 2018-07-05 23:29:49.000000000 +0200 
@@ -0,0 +1,34 @@ +From: schneems <richard.schneeman+...@gmail.com> +Date: Tue, 24 Apr 2018 16:37:53 -0500 +Subject: Do not respond to http requests asking for a `file://` +Origin: https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-3760 +Bug-Debian: https://bugs.debian.org/901913 + +Based on CVE-2018-3760 when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed. + +A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to: + +```ruby +config.assets.compile = true # Your app is vulnerable +``` + +It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`. + +This patch mitigates the issue, but explicitly disallowing any requests to uri resources via the server. +--- + lib/sprockets/server.rb | 2 +- + test/test_server.rb | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/lib/sprockets/server.rb ++++ b/lib/sprockets/server.rb +@@ -115,7 +115,7 @@ module Sprockets + # + # http://example.org/assets/../../../etc/passwd + # +- path.include?("..") || absolute_path?(path) ++ path.include?("..") || absolute_path?(path) || path.include?("://") + end + + # Returns a 200 OK response tuple diff -Nru ruby-sprockets-3.7.0/debian/patches/series ruby-sprockets-3.7.0/debian/patches/series --- ruby-sprockets-3.7.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ ruby-sprockets-3.7.0/debian/patches/series 2018-07-05 23:29:49.000000000 +0200 
@@ -0,0 +1 @@ +Do-not-respond-to-http-requests-asking-for-a-file.patch
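Review bot: The diffstat carried in the header of Do-not-respond-to-http-requests-asking-for-a-file.patch does not match its body: it lists `test/test_server.rb | 7 +++++++` and `2 files changed, 8 insertions(+), 1 deletion(-)`, but the only hunk present is the one-line change to `lib/sprockets/server.rb`. Either carry the upstream test hunk over as well (so the regression is covered by the package's test suite) or trim the diffstat to the single file actually patched, so the patch header is not misleading to the next person reviewing it. Minor: the comment block above the changed line still only documents the `..` traversal case; a one-line addition mentioning that URI-style paths (`://`) are also rejected would keep the comment in step with the new check.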