Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()

2015-08-01 Thread Youhei SASAKI
Hi, 

On Fri, 31 Jul 2015 04:58:27 +0900,
Salvatore Bonaccorso  wrote:
> 
> Hi,
- snip
> The targeting distribution was still set to 'unstable'.

Oh, excuse me...

> I have fixed that in the attached debdiffs and added the patch for
> jessie-security (can you import them in your VCS please?).

Ok. I've committed these changes.

Thanks in advance.

Best wishes,
Youhei

---
Youhei SASAKI

GPG fingerprint:
  4096/RSA: 66A4 EA70 4FE2 4055 8D6A C2E6 9394 F354 891D 7E07


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()

2015-07-30 Thread Salvatore Bonaccorso
Hi,

(Adding Antonio to the loop who did the previous uploads)

On Thu, Jul 30, 2015 at 06:36:56PM +0900, Youhei SASAKI wrote:
> Hi,
> 
> Thanks for your review.
> 
> On Thu, 30 Jul 2015 04:49:12 +0900,
> Salvatore Bonaccorso  wrote:
> > >
> > > # BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
> > > # can't build package without "DH_RUBY_IGNORE_TESTS=all"...
> >
> > It builds for me here in pbuilder. Where exactly is the problem
> > located?
> 
> In "lib/rack/response.rb": Upstream Issue: #631
>   - https://github.com/rack/rack/issues/631
> 
> I attached 0002-Fix-unreported-FTBFS.patch.
> This is already applied in unstable.
> 
> > "patchwise" both look okay but I have some small comments, first the
> > one for wheezy-security:
> - snip-
> > Use 1.4.1-2.1+deb7u1 as version, wheezy-security as distribution and
> > urgency=high.
> - snip-
> > Same here. Use 1.5.2-3+deb8u1 as version, target jessie-security and
> > use urgency=high.
> - snip -
> > Could you make the above changes?
> 
> Thanks. Updated the package version number and changelogs. debdiff attached.

The targeting distribution was still set to 'unstable'. I have fixed
that in the attached debdiffs and added the patch for jessie-security
(can you import them in your VCS please?). I have uploaded to
security-master the jessie-security one as attached. But for
wheezy-security the package does not build. Build-log is attached. It
fails for me as well already with 1.4.1-2.1. Can you have a look?

Regards,
Salvatore


Attachment: ruby-rack_1.4.1-2.1+deb7u1_amd64.build.gz (application/gzip)
diff -Nru ruby-rack-1.4.1/debian/changelog ruby-rack-1.4.1/debian/changelog
--- ruby-rack-1.4.1/debian/changelog2013-02-22 00:55:14.0 +0100
+++ ruby-rack-1.4.1/debian/changelog2015-07-30 19:57:00.0 +0200
@@ -1,3 +1,14 @@
+ruby-rack (1.4.1-2.1+deb7u1) wheezy-security; urgency=high
+
+  * Create cherry-picked patch for Security Fix (Closes: #789311).
+- CVE-2015-3225: 0006-Fix-Params_Depth.patch
+  Default depth at which the parameter parser will raise an exception
+  for being too deep, allows remote attackers to cause a denial of
+  service (SystemStackError) via a request with a large parameter
+  depth.
+
+ -- Youhei SASAKI   Wed, 29 Jul 2015 16:37:25 +0900
+
 ruby-rack (1.4.1-2.1) unstable; urgency=high
 
   [ KURASHIKI Satoru ]
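Review bot: the CVE line in the new changelog stanza is grammatically ambiguous: "Default depth at which the parameter parser will raise an exception for being too deep, allows remote attackers to cause a denial of service" makes the new default the subject of "allows", so it reads as if the fix itself enabled the attack. Suggest splitting it, e.g. "- CVE-2015-3225: 0006-Fix-Params_Depth.patch", "  Add a default limit on parameter nesting depth (param_depth_limit);", "  previously a request with a large parameter depth let remote attackers cause a denial of service (SystemStackError)." Version (1.4.1-2.1+deb7u1), distribution (wheezy-security) and urgency=high match what was requested earlier in the thread.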
diff -Nru ruby-rack-1.4.1/debian/patches/0006-Fix-Params_Depth.patch 
ruby-rack-1.4.1/debian/patches/0006-Fix-Params_Depth.patch
--- ruby-rack-1.4.1/debian/patches/0006-Fix-Params_Depth.patch  1970-01-01 
01:00:00.0 +0100
+++ ruby-rack-1.4.1/debian/patches/0006-Fix-Params_Depth.patch  2015-07-30 
19:57:00.0 +0200
@@ -0,0 +1,88 @@
+From: Aaron Patterson 
+Date: Tue, 20 Jan 2015 14:30:13 -0800
+Subject: raise an exception if the parameters are too deep
+
+CVE-2015-3225
+
+Conflicts:
+   lib/rack/utils.rb
+   test/spec_utils.rb
+---
+ lib/rack/utils.rb  | 15 +++
+ test/spec_utils.rb | 12 
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
+index 6576dd2..4656f4a 100644
+--- a/lib/rack/utils.rb
 b/lib/rack/utils.rb
+@@ -49,12 +49,17 @@ module Rack
+ 
+ class << self
+   attr_accessor :key_space_limit
++  attr_accessor :param_depth_limit
+ end
+ 
+ # The default number of bytes to allow parameter keys to take up.
+ # This helps prevent a rogue client from flooding a Request.
+ self.key_space_limit = 65536
+ 
++# Default depth at which the parameter parser will raise an exception for
++# being too deep.  This helps prevent SystemStackErrors
++self.param_depth_limit = 100
++
+ # Stolen from Mongrel, with some small modifications:
+ # Parses a query string by breaking it up at the '&'
+ # and ';' characters.  You can also use this to parse
+@@ -94,7 +99,9 @@ module Rack
+ end
+ module_function :parse_nested_query
+ 
+-def normalize_params(params, name, v = nil)
++def normalize_params(params, name, v = nil, depth = 
Utils.param_depth_limit)
++  raise RangeError if depth <= 0
++
+   name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
+   k = $1 || ''
+   after = $' || ''
+@@ -112,14 +119,14 @@ module Rack
+ params[k] ||= []
+ raise TypeError, "expected Array (got #{params[k].class.name}) for 
param `#{k}'" unless params[k].is_a?(Array)
+ if params_hash_type?(params[k].last) && 
!params[k].last.key?(child_key)
+-  normalize_params(params[k].last, child_key, v)
++  normalize_params(params[k].last, child_key, v, depth - 1)
+ else
+-  params[k] << normalize_params(params.class.new, child_key, v)
++  params[k] << normalize_params(params.class.new, child_key, v, depth 
- 1)
+ end
+   else
+ params[k] ||= params.class.new
+ raise TypeError, "expected Hash (got #{params[k].class.name}) for 
param `#{k}'" unless params_hash_type?(params[k])
+
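Review bot: the inline copy of 0006-Fix-Params_Depth.patch cannot be applied as shown and should be taken from the attached debdiff, not from this mail: the hunk header declares 88 added lines but the text stops at a bare "+" after the params_hash_type? check, several long lines were wrapped by the mailer ("depth = " / "Utils.param_depth_limit)", "depth " / "- 1)", and the two TypeError messages), and the "++++ b/lib/rack/utils.rb" header survives only as " b/lib/rack/utils.rb". On the change itself, "raise RangeError if depth <= 0" raises with no message, so an application log records only the class name; a short message naming the depth limit would make a rejected request recognisable next to unrelated RangeErrors. The test/spec_utils.rb part listed in the diffstat is outside the visible excerpt, so the wheezy build failure discussed in the thread cannot be related to it from here.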

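The depth bound that the patch above introduces, as an added Ruby example that is not code from this thread, from Rack or from Debian; the module, method and error-message names are this example's own, and only scalar, array ("x[]=") and nested-hash keys are handled:

```ruby
# Added example (not upstream Rack or Debian code): a minimal depth-bounded
# nested-parameter parser shaped like the CVE-2015-3225 fix to
# Rack::Utils.normalize_params. Module and method names are this example's own.
module DepthBoundedParams
  PARAM_DEPTH_LIMIT = 100 # same default as Rack's param_depth_limit

  # Parses "a[b][c]=1&d=2" into nested Hashes/Arrays. A key nested deeper
  # than `limit` levels raises RangeError instead of recursing until the
  # Ruby stack overflows (SystemStackError, the CVE's denial of service).
  def self.parse_nested_query(qs, limit = PARAM_DEPTH_LIMIT)
    params = {}
    qs.split(/[&;] */).each do |pair|
      next if pair.empty?
      k, v = pair.split("=", 2)
      normalize_params(params, k, v, limit)
    end
    params
  end

  def self.normalize_params(params, name, v, depth)
    raise RangeError, "parameter nesting deeper than the configured limit" if depth <= 0

    name =~ /\A[\[\]]*([^\[\]]+)\]*/   # leading key segment, e.g. "a" of "a[b][c]"
    k = $1 || ""
    after = $' || ""                   # remainder, e.g. "[b][c]"

    return params if k.empty?
    if after == ""
      params[k] = v                    # plain scalar: d=2
    elsif after == "[]"
      (params[k] ||= []) << v          # array member: x[]=1
    else
      params[k] ||= {}                 # hash member: recurse one level deeper
      raise TypeError, "expected Hash for param `#{k}'" unless params[k].is_a?(Hash)
      normalize_params(params[k], after, v, depth - 1)
    end
    params
  end

  # :parsed when a key nested `levels` deep is accepted, :rejected when the
  # bound trips; shows where the limit cuts in.
  def self.probe(levels, limit = PARAM_DEPTH_LIMIT)
    parse_nested_query("a" + "[a]" * levels + "=1", limit)
    :parsed
  rescue RangeError
    :rejected
  end
end
```

A request that trips the bound surfaces as a RangeError the application (or Rack middleware) can turn into a 4xx, whereas the unpatched recursion ends in a SystemStackError that takes the worker down.
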
Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()

2015-07-30 Thread Salvatore Bonaccorso
Hi,

On Thu, Jul 30, 2015 at 09:58:27PM +0200, Salvatore Bonaccorso wrote:
> The targeting distribution was still set to 'unstable'. I have fixed
> that in the attached debdiffs and added the patch for jessie-security
> (can you import them in your VCS please?). I have uploaded to
> security-master the jessie-security one as attached. But for
> wheezy-security the package does not build. Build-log is attached. It
> fails for me as well already with 1.4.1-2.1. Can you have a look?

It does not FTBFS if I build with sbuild, but does with the attached
log in pbuilder. I can use this as workaround at least for the DSA
itself.

Regards,
Salvatore





Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()

2015-07-30 Thread Youhei SASAKI
Hi,

Thanks for your review.

On Thu, 30 Jul 2015 04:49:12 +0900,
Salvatore Bonaccorso  wrote:
> >
> > # BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
> > # can't build package without "DH_RUBY_IGNORE_TESTS=all"...
>
> It builds for me here in pbuilder. Where exactly is the problem
> located?

In "lib/rack/response.rb": Upstream Issue: #631
  - https://github.com/rack/rack/issues/631

I attached 0002-Fix-unreported-FTBFS.patch.
This is already applied in unstable.

> "patchwise" both look okay but I have some small comments, first the
> one for wheezy-security:
- snip-
> Use 1.4.1-2.1+deb7u1 as version, wheezy-security as distribution and
> urgency=high.
- snip-
> Same here. Use 1.5.2-3+deb8u1 as version, target jessie-security and
> use urgency=high.
- snip -
> Could you make the above changes?

Thanks. Updated the package version number and changelogs. debdiff attached.

> Have the resulting packages been tested in wheezy and jessie in some
> environment using ruby-rack?

Yes. I checked both with redmine in jessie and wheezy. It seems fine.

Best Wishes,
Youhei



Attachment: ruby-rack_wheezy.debdiff
Attachment: ruby-rack_jessie.debdiff
Attachment: 0002-Fix-unreported-FTBFS.patch


Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()

2015-07-29 Thread Salvatore Bonaccorso
Hi,

Thanks for working on this issue!

On Wed, Jul 29, 2015 at 05:30:34PM +0900, Youhei SASAKI wrote:
> Dear Debian Security Team
> 
> I've created patches in order to fix CVE-2015-3225 for wheezy and jessie.
> 
>  #789311 (CVE-2015-3225)
> 
> Please consider updating the stable version of ruby-rack with the attached
> debdiff to close those CVE issues.
> 
> # BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
> # can't build package without "DH_RUBY_IGNORE_TESTS=all"...

It builds for me here in pbuilder. Where exactly is the problem
located?

"patchwise" both look okay but I have some small comments, first the
one for wheezy-security:

> diff -Nru ruby-rack-1.4.1/debian/changelog ruby-rack-1.4.1/debian/changelog
> --- ruby-rack-1.4.1/debian/changelog  2013-02-22 08:55:14.0 +0900
> +++ ruby-rack-1.4.1/debian/changelog  2015-07-29 16:48:43.0 +0900
> @@ -1,3 +1,10 @@
> +ruby-rack (1.4.1-3) unstable; urgency=medium

Use 1.4.1-2.1+deb7u1 as version, wheezy-security as distribution and
urgency=high. See
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
for some hints.

The one for jessie-security:

> diff -Nru ruby-rack-1.5.2/debian/changelog ruby-rack-1.5.2/debian/changelog
> --- ruby-rack-1.5.2/debian/changelog  2014-10-17 21:44:22.0 +0900
> +++ ruby-rack-1.5.2/debian/changelog  2015-07-29 17:12:45.0 +0900
> @@ -1,3 +1,10 @@
> +ruby-rack (1.5.2-4) unstable; urgency=medium

Same here. Use 1.5.2-3+deb8u1 as version, target jessie-security and
use urgency=high.

> +  * Create cherry-picked patch for Security Fix (Closes: #789311)
> +- CVE-2015-3225: 1-4-deep_params.patch
[...]
> diff -Nru ruby-rack-1.5.2/debian/patches/series 
> ruby-rack-1.5.2/debian/patches/series
> --- ruby-rack-1.5.2/debian/patches/series 1970-01-01 09:00:00.0 
> +0900
> +++ ruby-rack-1.5.2/debian/patches/series 2015-07-29 17:16:29.0 
> +0900
> @@ -0,0 +1 @@
> +1-5-deep_params.patch

The actual patch is named 1-5-deep_params.patch so the changelog
should reflect that. For both entries it would be great to have
additionally a short description what CVE-2015-3225 is about in the
debian/changelog entry.

Could you make the above changes? Have the resulting packages been
tested in wheezy and jessie in some environment using ruby-rack?

Regards,
Salvatore





Bug#789311: [DRE-maint] Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()

2015-07-29 Thread Youhei SASAKI
Dear Debian Security Team

I've created patches in order to fix CVE-2015-3225 for wheezy and jessie.

 #789311 (CVE-2015-3225)

Please consider updating the stable version of ruby-rack with the attached
debdiff to close those CVE issues.

# BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
# can't build package without "DH_RUBY_IGNORE_TESTS=all"...

Best Wishes,
Youhei

On Sat, 20 Jun 2015 02:38:32 +0900,
Salvatore Bonaccorso  wrote:
> 
> Source: ruby-rack
> Version: 1.4.1-1
> Severity: important
> Tags: security patch upstream fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for ruby-rack.
> 
> CVE-2015-3225[0]:
> Potential Denial of Service Vulnerability in Rack normalize_params()
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2015-3225
> 
> Regards,
> Salvatore



Attachment: ruby-rack_wheezy.debdiff
Attachment: ruby-rack_jessie.debdiff