Hi!
I adapted the patch from upstream and applied it to the version of
libopenid-ruby currently in squeeze.
Attached is the debdiff with a possible 2.1.8debian/1+squeeze1
targetting squeeze if accepted by the security team.
The debdiff on the .deb packages shows nothing except the change of the
version number:
$ debdiff libopenid-ruby_2.1.8debian*.deb
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
Installed-Size: [-4312-] {+4308+}
Version: [-2.1.8debian-1-] {+2.1.8debian-1+squeeze1+}
$ debdiff libopenid-ruby1.8_2.1.8debian*.deb
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
Version: [-2.1.8debian-1-] {+2.1.8debian-1+squeeze1+}
Cheers,
Cédric
diff -Nru libopenid-ruby-2.1.8debian/debian/changelog
libopenid-ruby-2.1.8debian/debian/changelog
--- libopenid-ruby-2.1.8debian/debian/changelog 2010-04-12 03:29:36.0
+0200
+++ libopenid-ruby-2.1.8debian/debian/changelog 2013-03-06 15:10:19.0
+0100
@@ -1,3 +1,13 @@
+libopenid-ruby (2.1.8debian-1+squeeze1) stable-security; urgency=high
+
+ * Team upload
+ * Urgency set to high as a security bug is fixed.
+ * debian/patches: add fix_CVE-2013-1812 from upstream to limit fetching file
+size and disable XML entity expansion, preventing possible XML denial of
+service attacks [CVE-2013-1812] (Closes: #702217).
+
+ -- Cédric Boutillier bou...@debian.org Wed, 06 Mar 2013 15:02:31 +0100
+
libopenid-ruby (2.1.8debian-1) unstable; urgency=low
[ Lucas Nussbaum ]
diff -Nru libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812
libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812
--- libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812 1970-01-01
01:00:00.0 +0100
+++ libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812 2013-03-06
15:01:55.0 +0100
@@ -0,0 +1,115 @@
+Description: limit fetching file size disable XML entity expansion
+ This prevents possible XML denial of service attacks [CVE-2013-1812]
+Author: nov matake n...@matake.jp
+Origin:
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
+Bug: https://github.com/openid/ruby-openid/pull/43
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702217
+Reviewed-by: Cédric Boutillier bou...@debian.org
+Last-Update: 2012-10-23
+
+---
+ lib/openid/fetchers.rb | 17 ++---
+ lib/openid/yadis/xrds.rb | 34 ++
+ 2 files changed, 36 insertions(+), 15 deletions(-)
+
+--- a/lib/openid/fetchers.rb
b/lib/openid/fetchers.rb
+@@ -10,7 +10,7 @@
+ require 'net/http'
+ end
+
+-MAX_RESPONSE_KB = 1024
++MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
+
+ module Net
+ class HTTP
+@@ -192,6 +192,16 @@
+ conn = make_connection(url)
+ response = nil
+
++whole_body = ''
++body_size_limitter = lambda do |r|
++ r.read_body do |partial| # read body now
++whole_body partial
++if whole_body.length MAX_RESPONSE_KB
++ raise FetchingError.new(Response Too Large)
++end
++ end
++ whole_body
++end
+ response = conn.start {
+ # Check the certificate against the URL's hostname
+ if supports_ssl?(conn) and conn.use_ssl?
+@@ -199,10 +209,10 @@
+ end
+
+ if body.nil?
+-conn.request_get(url.request_uri, headers)
++conn.request_get(url.request_uri, headers, body_size_limitter)
+ else
+ headers[Content-type] ||= application/x-www-form-urlencoded
+-conn.request_post(url.request_uri, body, headers)
++conn.request_post(url.request_uri, body, headers,
body_size_limitter)
+ end
+ }
+ rescue RuntimeError = why
+@@ -231,7 +241,10 @@
+ raise FetchingError, Error encountered in redirect from #{url}:
#{why}
+ end
+ else
+-return HTTPResponse._from_net_response(response, unparsed_url)
++response = HTTPResponse._from_net_response(response, unparsed_url)
++response.body = whole_body
++setup_encoding(response)
++return response
+ end
+ end
+ end
+--- a/lib/openid/yadis/xrds.rb
b/lib/openid/yadis/xrds.rb
+@@ -88,23 +88,33 @@
+ end
+
+ def Yadis::parseXRDS(text)
+- if text.nil?
+-raise XRDSError.new(Not an XRDS document.)
+- end
++ disable_entity_expansion do
++if text.nil?
++ raise XRDSError.new(Not an XRDS document.)
++end
+
+- begin
+-d = REXML::Document.new(text)
+- rescue RuntimeError = why
+-raise XRDSError.new(Not an XRDS document. Failed to parse XML.)
+- end
++begin
++ d = REXML::Document.new(text)
++rescue RuntimeError = why