Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()
Hi,

On Fri, 31 Jul 2015 04:58:27 +0900, Salvatore Bonaccorso wrote:
> Hi,
- snip -
> The targeting distribution was still set to 'unstable'.

Oh, excuse me...

> I have fixed that in the attached debdiffs and added the patch for
> jessie-security (can you import them in your VCS please?).

Ok. I've committed these changes.

Thanks in advance.

Best wishes,
Youhei
---
Youhei SASAKI
GPG fingerprint: 4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()
Hi,

(Adding Antonio to the loop, who did the previous uploads)

On Thu, Jul 30, 2015 at 06:36:56PM +0900, Youhei SASAKI wrote:
> Hi,
>
> Thanks for your review.
>
> On Thu, 30 Jul 2015 04:49:12 +0900, Salvatore Bonaccorso wrote:
> > > # BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
> > > # can't build package without "DH_RUBY_IGNORE_TESTS=all"...
> >
> > It builds for me here in pbuilder. Where exactly is the problem
> > located?
>
> In "lib/rack/response.rb": Upstream Issue: #631
> - https://github.com/rack/rack/issues/631
>
> I attached 0002-Fix-unreported-FTBFS.patch.
> This is already applied in unstable.
>
> > "patchwise" both looks okay but I have some small comments, first the
> > one for wheezy-security:
> - snip -
> > Use 1.4.1-2.1+deb7u1 as version, wheezy-security as distribution and
> > urgency=high.
> - snip -
> > Same here. use 1.5.2-3+deb8u1 as version, target jessie-security and
> > use urgency=high.
> - snip -
> > Could you make the above changes?
>
> Thanks. Update package version number and changelogs. debdiff attached.

The targeting distribution was still set to 'unstable'. I have fixed that in the attached debdiffs and added the patch for jessie-security (can you import them in your VCS please?). I have uploaded to security-master the jessie-security one as attached. But for wheezy-security the package does not build. Build log is attached. It fails for me as well already with 1.4.1-2.1. Can you have a look?

Regards,
Salvatore

[Attachment: ruby-rack_1.4.1-2.1+deb7u1_amd64.build.gz (application/gzip)]

diff -Nru ruby-rack-1.4.1/debian/changelog ruby-rack-1.4.1/debian/changelog --- ruby-rack-1.4.1/debian/changelog2013-02-22 00:55:14.0 +0100 +++ ruby-rack-1.4.1/debian/changelog2015-07-30 19:57:00.0 +0200
@@ -1,3 +1,14 @@ +ruby-rack (1.4.1-2.1+deb7u1) wheezy-security; urgency=high + + * Create cherry-picked patch for Security Fix (Closes: #789311). +- CVE-2015-3225: 0006-Fix-Params_Depth.patch + Default depth at which the parameter parser will raise an exception + for being too deep, allows remote attackers to cause a denial of + service (SystemStackError) via a request with a large parameter + depth. + + -- Youhei SASAKI Wed, 29 Jul 2015 16:37:25 +0900 + ruby-rack (1.4.1-2.1) unstable; urgency=high [ KURASHIKI Satoru ] diff -Nru ruby-rack-1.4.1/debian/patches/0006-Fix-Params_Depth.patch ruby-rack-1.4.1/debian/patches/0006-Fix-Params_Depth.patch --- ruby-rack-1.4.1/debian/patches/0006-Fix-Params_Depth.patch 1970-01-01 01:00:00.0 +0100 +++ ruby-rack-1.4.1/debian/patches/0006-Fix-Params_Depth.patch 2015-07-30 19:57:00.0 +0200 
@@ -0,0 +1,88 @@ +From: Aaron Patterson +Date: Tue, 20 Jan 2015 14:30:13 -0800 +Subject: raise an exception if the parameters are too deep + +CVE-2015-3225 + +Conflicts: + lib/rack/utils.rb + test/spec_utils.rb +--- + lib/rack/utils.rb | 15 +++ + test/spec_utils.rb | 12 + 2 files changed, 23 insertions(+), 4 deletions(-) + +diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb +index 6576dd2..4656f4a 100644 +--- a/lib/rack/utils.rb b/lib/rack/utils.rb +@@ -49,12 +49,17 @@ module Rack + + class << self + attr_accessor :key_space_limit ++ attr_accessor :param_depth_limit + end + + # The default number of bytes to allow parameter keys to take up. + # This helps prevent a rogue client from flooding a Request. + self.key_space_limit = 65536 + ++# Default depth at which the parameter parser will raise an exception for ++# being too deep. This helps prevent SystemStackErrors ++self.param_depth_limit = 100 ++ + # Stolen from Mongrel, with some small modifications: + # Parses a query string by breaking it up at the '&' + # and ';' characters. 
You can also use this to parse +@@ -94,7 +99,9 @@ module Rack + end + module_function :parse_nested_query + +-def normalize_params(params, name, v = nil) ++def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit) ++ raise RangeError if depth <= 0 ++ + name =~ %r(\A[\[\]]*([^\[\]]+)\]*) + k = $1 || '' + after = $' || '' +@@ -112,14 +119,14 @@ module Rack + params[k] ||= [] + raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array) + if params_hash_type?(params[k].last) && !params[k].last.key?(child_key) +- normalize_params(params[k].last, child_key, v) ++ normalize_params(params[k].last, child_key, v, depth - 1) + else +- params[k] << normalize_params(params.class.new, child_key, v) ++ params[k] << normalize_params(params.class.new, child_key, v, depth - 1) + end + else + params[k] ||= params.class.new + raise TypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params_hash_type?(params[k]) +
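Review bot: the debian/changelog hunk names 0006-Fix-Params_Depth.patch, but the visible part of this wheezy debdiff contains no debian/patches/series hunk listing it; unless series is updated further down in the debdiff, quilt will not apply the patch at build time and the package would ship unfixed. The changelog text itself is good: it carries the CVE id and a one-line description, which is what was asked for earlier in the thread.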
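Review bot: in the normalize_params hunk, `raise RangeError if depth <= 0` raises with no message, so the resulting error page or log line says only "RangeError"; attaching a short message (for example "parameter depth limit exceeded") makes the 400/500 that operators see after this update far easier to diagnose. The default `depth = Utils.param_depth_limit` is evaluated at call time, so the new accessor stays effective when changed after load, which is correct. The diffstat lists a test/spec_utils.rb change that is cut off in this excerpt; confirm that the spec exercising a key nested past the limit is present in the Debian patch, since the build's test run is the only automated check that the backport behaves as intended.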
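As an added illustration of the fix carried in the debdiff above (example code written here, not Rack's or the Debian package's): a cut-down nested-parameter parser in the style of Rack::Utils.normalize_params, with the same depth counter and default of 100. It assumes a hypothetical DepthLimitedParams module, plain Hash containers instead of Rack's params_hash_type? check, and a query-string splitter modelled on parse_nested_query.

```ruby
require 'uri'

# Added illustration, not Rack's or the Debian package's code: a cut-down
# nested-parameter parser modelled on Rack::Utils.normalize_params, carrying
# the depth guard that the CVE-2015-3225 patch introduces.
module DepthLimitedParams
  PARAM_DEPTH_LIMIT = 100  # same default as the patch
  # Splits "a[b][c]" into the leading key "a" and the remainder "[b][c]".
  KEY_RE = /\A[\[\]]*([^\[\]]+)\]*/
  # Each "[x]" segment costs one recursive call, so without the counter a
  # request with enough brackets exhausts the Ruby stack (SystemStackError);
  # with it the parser fails fast with a RangeError the caller can map to 400.
  def self.normalize(params, name, v = nil, depth = PARAM_DEPTH_LIMIT)
    raise RangeError, 'parameters nested too deeply' if depth <= 0
    name =~ KEY_RE
    k = $1 || ''
    after = $' || ''
    return params if k.empty?
    if after == ''
      params[k] = v
    elsif after == '[]'
      params[k] ||= []
      raise TypeError, "expected Array for `#{k}'" unless params[k].is_a?(Array)
      params[k] << v
    elsif after =~ /\A\[\]\[([^\[\]]+)\]\z/ || after =~ /\A\[\](.+)\z/
      child_key = $1
      params[k] ||= []
      raise TypeError, "expected Array for `#{k}'" unless params[k].is_a?(Array)
      params[k] << normalize({}, child_key, v, depth - 1)
    else
      params[k] ||= {}
      raise TypeError, "expected Hash for `#{k}'" unless params[k].is_a?(Hash)
      params[k] = normalize(params[k], after, v, depth - 1)
    end
    params
  end
  # Parses "a[b]=1&c[]=2" the way Rack's parse_nested_query does, applying
  # the depth limit to every key.
  def self.parse_nested_query(qs, depth_limit = PARAM_DEPTH_LIMIT)
    params = {}
    qs.to_s.split(/[&;] */).each do |pair|
      key, value = pair.split('=', 2)
      next if key.nil? || key.empty?
      value = URI.decode_www_form_component(value) if value
      normalize(params, URI.decode_www_form_component(key), value, depth_limit)
    end
    params
  end
end
```

A key with 100 bracketed levels parses; the 101st level raises RangeError before the Ruby stack is anywhere near exhausted.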
Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()
Hi,

On Thu, Jul 30, 2015 at 09:58:27PM +0200, Salvatore Bonaccorso wrote:
> The targeting distribution was still set to 'unstable'. I have fixed
> that in the attached debdiffs and added the patch for jessie-security
> (can you import them in your VCS please?). I have uploaded to
> security-master the jessie-security one as attached. But for
> wheezy-security the package does not build. Build log is attached. It
> fails for me as well already with 1.4.1-2.1. Can you have a look?

It does not FTBFS if I build with sbuild, but does with the attached log in pbuilder. I can use this as a workaround at least for the DSA itself.

Regards,
Salvatore
Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()
Hi,

Thanks for your review.

On Thu, 30 Jul 2015 04:49:12 +0900, Salvatore Bonaccorso wrote:
> > # BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
> > # can't build package without "DH_RUBY_IGNORE_TESTS=all"...
>
> It builds for me here in pbuilder. Where exactly is the problem
> located?

In "lib/rack/response.rb": Upstream Issue: #631
- https://github.com/rack/rack/issues/631

I attached 0002-Fix-unreported-FTBFS.patch.
This is already applied in unstable.

> "patchwise" both looks okay but I have some small comments, first the
> one for wheezy-security:
- snip -
> Use 1.4.1-2.1+deb7u1 as version, wheezy-security as distribution and
> urgency=high.
- snip -
> Same here. use 1.5.2-3+deb8u1 as version, target jessie-security and
> use urgency=high.
- snip -
> Could you make the above changes?

Thanks. Update package version number and changelogs. debdiff attached.

> Have the resulting packages been tested in wheezy and jessie in some
> environment using ruby-rack?

Yes. I checked both with redmine in jessie, wheezy. It seems fine.

Best Wishes,
Youhei
---
Youhei SASAKI
GPG fingerprint: 4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07

[Attachment: ruby-rack_wheezy.debdiff]
[Attachment: ruby-rack_jessie.debdiff]
[Attachment: 0002-Fix-unreported-FTBFS.patch]
Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()
Hi,

Thanks for working on this issue!

On Wed, Jul 29, 2015 at 05:30:34PM +0900, Youhei SASAKI wrote:
> Dear Debian Security Team
>
> I've created patches in order to fix CVE-2015-3225 for wheezy, jessie.
>
> #789311 (CVE-2015-3225)
>
> Please consider updating the stable version of ruby-rack with the attached
> debdiff to close those CVE issues.
>
> # BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
> # can't build package without "DH_RUBY_IGNORE_TESTS=all"...

It builds for me here in pbuilder. Where exactly is the problem located?

"patchwise" both looks okay but I have some small comments, first the one for wheezy-security:

> diff -Nru ruby-rack-1.4.1/debian/changelog ruby-rack-1.4.1/debian/changelog > --- ruby-rack-1.4.1/debian/changelog 2013-02-22 08:55:14.0 +0900 > +++ ruby-rack-1.4.1/debian/changelog 2015-07-29 16:48:43.0 +0900 > @@ -1,3 +1,10 @@ > +ruby-rack (1.4.1-3) unstable; urgency=medium

Use 1.4.1-2.1+deb7u1 as version, wheezy-security as distribution and urgency=high. See https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security for some hints.

The one for jessie-security:

> diff -Nru ruby-rack-1.5.2/debian/changelog ruby-rack-1.5.2/debian/changelog > --- ruby-rack-1.5.2/debian/changelog 2014-10-17 21:44:22.0 +0900 > +++ ruby-rack-1.5.2/debian/changelog 2015-07-29 17:12:45.0 +0900 > @@ -1,3 +1,10 @@ > +ruby-rack (1.5.2-4) unstable; urgency=medium

Same here. use 1.5.2-3+deb8u1 as version, target jessie-security and use urgency=high.

> + * Create cherry-picked patch for Security Fix (Closes: #789311) > +- CVE-2015-3225: 1-4-deep_params.patch

[...]

> diff -Nru ruby-rack-1.5.2/debian/patches/series > ruby-rack-1.5.2/debian/patches/series > --- ruby-rack-1.5.2/debian/patches/series 1970-01-01 09:00:00.0 > +0900 > +++ ruby-rack-1.5.2/debian/patches/series 2015-07-29 17:16:29.0 > +0900
> @@ -0,0 +1 @@ > +1-5-deep_params.patch

The actual patch is named 1-5-deep_params.patch so the changelog should reflect that.

For both entries it would be great to additionally have a short description of what CVE-2015-3225 is about in the debian/changelog entry.

Could you make the above changes?

Have the resulting packages been tested in wheezy and jessie in some environment using ruby-rack?

Regards,
Salvatore
Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()
Dear Debian Security Team

I've created patches in order to fix CVE-2015-3225 for wheezy, jessie.

#789311 (CVE-2015-3225)

Please consider updating the stable version of ruby-rack with the attached debdiff to close those CVE issues.

# BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
# can't build package without "DH_RUBY_IGNORE_TESTS=all"...

Best Wishes,
Youhei

On Sat, 20 Jun 2015 02:38:32 +0900, Salvatore Bonaccorso wrote:
> Source: ruby-rack
> Version: 1.4.1-1
> Severity: important
> Tags: security patch upstream fixed-upstream
>
> Hi,
>
> the following vulnerability was published for ruby-rack.
>
> CVE-2015-3225[0]:
> Potential Denial of Service Vulnerability in Rack normalize_params()
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2015-3225
>
> Regards,
> Salvatore
---
Youhei SASAKI
GPG fingerprint: 4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07

[Attachment: ruby-rack_wheezy.debdiff]
[Attachment: ruby-rack_jessie.debdiff]