Bug#702217: proposition for libopenid-ruby/2.1.8debian-1+squeeze1 [CVE-2013-1812]

2013-03-10 Thread Moritz Muehlenhoff
On Sat, Mar 09, 2013 at 05:34:31PM +0100, Luciano Bello wrote:
> On Wednesday 06 March 2013, Cédric Boutillier wrote:
> > I adapted the patch from upstream and applied it to the version of
> > libopenid-ruby currently in squeeze.
> > Attached is the debdiff with a possible 2.1.8debian/1+squeeze1
> > targeting squeeze if accepted by the security team.
> 
> Thanks for your patch! In my opinion, this can be handled via s-p-u.

Agreed, see here for the procedure:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#702217: proposition for libopenid-ruby/2.1.8debian-1+squeeze1 [CVE-2013-1812]

2013-03-09 Thread Luciano Bello
On Wednesday 06 March 2013, Cédric Boutillier wrote:
> I adapted the patch from upstream and applied it to the version of
> libopenid-ruby currently in squeeze.
> Attached is the debdiff with a possible 2.1.8debian/1+squeeze1
> targeting squeeze if accepted by the security team.

Thanks for your patch! In my opinion, this can be handled via s-p-u.

Cheers, luciano



Bug#702217: proposition for libopenid-ruby/2.1.8debian-1+squeeze1 [CVE-2013-1812]

2013-03-06 Thread Cédric Boutillier
Hi!

I adapted the patch from upstream and applied it to the version of
libopenid-ruby currently in squeeze.

Attached is the debdiff with a possible 2.1.8debian/1+squeeze1
targeting squeeze if accepted by the security team.

The debdiff on the .deb packages shows nothing except the change of the
version number:

$ debdiff libopenid-ruby_2.1.8debian*.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Installed-Size: [-4312-] {+4308+}
Version: [-2.1.8debian-1-] {+2.1.8debian-1+squeeze1+}

$ debdiff libopenid-ruby1.8_2.1.8debian*.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Version: [-2.1.8debian-1-] {+2.1.8debian-1+squeeze1+}

Cheers,

Cédric
diff -Nru libopenid-ruby-2.1.8debian/debian/changelog 
libopenid-ruby-2.1.8debian/debian/changelog
--- libopenid-ruby-2.1.8debian/debian/changelog 2010-04-12 03:29:36.0 
+0200
+++ libopenid-ruby-2.1.8debian/debian/changelog 2013-03-06 15:10:19.0 
+0100
@@ -1,3 +1,13 @@
+libopenid-ruby (2.1.8debian-1+squeeze1) stable-security; urgency=high
+
+  * Team upload
+  * Urgency set to high as a security bug is fixed.
+  * debian/patches: add fix_CVE-2013-1812 from upstream to limit fetching file
+size and disable XML entity expansion, preventing possible XML denial of
+service attacks [CVE-2013-1812] (Closes: #702217).
+
+ -- Cédric Boutillier bou...@debian.org  Wed, 06 Mar 2013 15:02:31 +0100
+
 libopenid-ruby (2.1.8debian-1) unstable; urgency=low
 
   [ Lucas Nussbaum ]
diff -Nru libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812 
libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812
--- libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812 1970-01-01 
01:00:00.0 +0100
+++ libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812 2013-03-06 
15:01:55.0 +0100
@@ -0,0 +1,115 @@
+Description: limit fetching file size  disable XML entity expansion
+  This prevents possible XML denial of service attacks [CVE-2013-1812]
+Author: nov matake n...@matake.jp
+Origin: 
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
+Bug: https://github.com/openid/ruby-openid/pull/43
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702217
+Reviewed-by: Cédric Boutillier bou...@debian.org
+Last-Update: 2012-10-23
+
+---
+ lib/openid/fetchers.rb   |   17 ++---
+ lib/openid/yadis/xrds.rb |   34 ++
+ 2 files changed, 36 insertions(+), 15 deletions(-)
+
+--- a/lib/openid/fetchers.rb
 b/lib/openid/fetchers.rb
+@@ -10,7 +10,7 @@
+   require 'net/http'
+ end
+ 
+-MAX_RESPONSE_KB = 1024
++MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
+ 
+ module Net
+   class HTTP
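Review bot: the constant keeps the name MAX_RESPONSE_KB, but the new value 10485760 is a byte count (the comment itself says 10 MB) and the comparison added later in the file is against whole_body.length, so the unit in the name no longer matches the unit in the check. Either rename it to MAX_RESPONSE_BYTES or keep a kilobyte value (10240) and multiply by 1024 where it is compared. The old value of 1024 also suggests the original intent was a 1 MB cap; the changelog entry should say why the stable update raises it to 10 MB.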
+@@ -192,6 +192,16 @@
+ conn = make_connection(url)
+ response = nil
+ 
++whole_body = ''
++body_size_limitter = lambda do |r|
++  r.read_body do |partial|   # read body now
++whole_body  partial
++if whole_body.length  MAX_RESPONSE_KB
++  raise FetchingError.new(Response Too Large)
++end
++  end
++  whole_body
++end
+ response = conn.start {
+   # Check the certificate against the URL's hostname
+   if supports_ssl?(conn) and conn.use_ssl?
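Review bot: the size check in body_size_limitter runs after the chunk has already been appended, so memory use is bounded by MAX_RESPONSE_KB plus one read_body chunk rather than by the limit itself; testing whole_body.length + partial.length before the append is tighter. whole_body.length also counts characters rather than bytes once strings carry an encoding (Ruby 1.9 and later); for the ruby1.8 package in squeeze the two are the same, but bytesize would make the intent explicit. As quoted here the append reads `whole_body  partial` with no operator and the message in `FetchingError.new(Response Too Large)` is unquoted; if that is not merely the mailer stripping `<<` and quotes, the patched file will not parse, so please check the applied patch rather than this mail. Minor: "limitter" should be "limiter".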
+@@ -199,10 +209,10 @@
+   end
+ 
+   if body.nil?
+-conn.request_get(url.request_uri, headers)
++conn.request_get(url.request_uri, headers, body_size_limitter)
+   else
+ headers[Content-type] ||= application/x-www-form-urlencoded
+-conn.request_post(url.request_uri, body, headers)
++conn.request_post(url.request_uri, body, headers, 
body_size_limitter)
+   end
+ }
+   rescue RuntimeError = why
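Review bot: Net::HTTP#request_get and #request_post take the response handler as a block, but as quoted the hunk passes the lambda as an extra positional argument (`conn.request_get(url.request_uri, headers, body_size_limitter)`); it has to be `&body_size_limitter`, so unless the `&` was lost in quoting this needs fixing. With the block form the body is consumed inside the request and the returned response no longer carries it, which is why the following hunk must copy whole_body back onto the response; worth a one-line comment at the call site so a later reader does not "simplify" it away.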
+@@ -231,7 +241,10 @@
+   raise FetchingError, Error encountered in redirect from #{url}: 
#{why}
+ end
+   else
+-return HTTPResponse._from_net_response(response, unparsed_url)
++response = HTTPResponse._from_net_response(response, unparsed_url)
++response.body = whole_body
++setup_encoding(response)
++return response
+   end
+ end
+   end
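Review bot: setup_encoding(response) is not defined anywhere in this patch; the upstream commit is against a newer fetchers.rb, so please confirm that the 2.1.8 source in squeeze actually has that method, otherwise every successful fetch will raise NoMethodError right after the size check passes. Also, whole_body is only assigned in the non-redirect branch; the limiter block still runs for redirect responses, so each hop is capped individually, but the cap is per request rather than across the whole redirect chain, which is acceptable for the DoS fix and worth a note in the changelog.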
+--- a/lib/openid/yadis/xrds.rb
 b/lib/openid/yadis/xrds.rb
+@@ -88,23 +88,33 @@
+ end
+ 
+ def Yadis::parseXRDS(text)
+-  if text.nil?
+-raise XRDSError.new(Not an XRDS document.)
+-  end
++  disable_entity_expansion do
++if text.nil?
++  raise XRDSError.new(Not an XRDS document.)
++end
+ 
+-  begin
+-d = REXML::Document.new(text)
+-  rescue RuntimeError = why
+-raise XRDSError.new(Not an XRDS document. Failed to parse XML.)
+-  end
++begin
++  d = REXML::Document.new(text)
++rescue RuntimeError = why
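Review bot: the hunk is cut off here and the definition of disable_entity_expansion is not in the visible part, so its behaviour cannot be reviewed from this mail. Please confirm that it exists in the squeeze version of xrds.rb rather than only in upstream 2.2.x, and that it restores the previous REXML setting in an ensure clause, since a parse failure inside the block (the rescue shown here only catches RuntimeError) would otherwise leave the changed limit in place. If it works by lowering a REXML class-level setting, that change is visible to every other thread parsing XML with REXML while the block runs, which should be documented in the patch header.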