Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)

2013-03-03 Thread Salvatore Bonaccorso
Control: retitle -1 Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-1802)

Hi

A separate CVE was assigned to this vulnerability: CVE-2013-1802

Regards,
Salvatore


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Processed: Re: Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)

2013-03-03 Thread Debian Bug Tracking System
Processing control commands:

 retitle -1 Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: 
 CVE-2013-1802)
Bug #697895 {Done: Cédric Boutillier bou...@debian.org} [libextlib-ruby] 
Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Changed Bug title to 'Update libextlib-ruby / ruby-extlib for vulnerabilities 
(Re: CVE-2013-1802)' from 'Update libextlib-ruby / ruby-extlib for 
vulnerabilities (Re: CVE-2013-0156)'

-- 
697895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)

2013-01-13 Thread Joshua Timberman
Thank you, Salvatore and Cédric, for your help and quick turnaround with
this!





Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)

2013-01-11 Thread Salvatore Bonaccorso
Hi

Attached are the upstream commits applied to the unstable version and the
generated debdiff. But this also creates some additional files in one
of the binary packages created:

ruby-extlib:
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-
-rw-r--r--  root/root   
/usr/share/rubygems-integration/1.8/specifications/extlib-0.9.15.gemspec
-rw-r--r--  root/root   
/usr/share/rubygems-integration/1.9.1/specifications/extlib-0.9.15.gemspec

Regards,
Salvatore
diff -u ruby-extlib-0.9.15/debian/changelog ruby-extlib-0.9.15/debian/changelog
--- ruby-extlib-0.9.15/debian/changelog
+++ ruby-extlib-0.9.15/debian/changelog
@@ -1,3 +1,11 @@
+ruby-extlib (0.9.15-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * [SECURITY] CVE-2013-0156: Remove symbol and yaml coercion from the
+XML parser. (Closes: #697895) (LP: #1098357)
+
+ -- Salvatore Bonaccorso car...@debian.org  Fri, 11 Jan 2013 21:14:26 +0100
+
 ruby-extlib (0.9.15-2) unstable; urgency=low
 
   * Add full text of the Ruby licence.
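Review bot: the entry cites CVE-2013-0156 for the fix, but the retitle later in this bug records that a separate identifier, CVE-2013-1802, was assigned to the extlib copy of the problem; a follow-up upload should reference CVE-2013-1802 (or both ids) so the security tracker can match this version to the right advisory.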
@@ -49 +56,0 @@
-
only in patch2:
unchanged:
--- ruby-extlib-0.9.15.orig/spec/hash_spec.rb
+++ ruby-extlib-0.9.15/spec/hash_spec.rb
@@ -254,7 +254,7 @@
   'approved'   = nil,
   'written_on' = nil,
   'viewed_at'  = nil,
-  'content'= nil,
+  'content'= { 'type' = 'yaml' },
   'parent_id'  = nil
 }
 Hash.from_xml(topic_xml)[topic].should == expected_topic_hash
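Review bot: the expectation for an empty `content` element carrying `type="yaml"` changes from `nil` to the attribute hash `{ 'type' = 'yaml' }`, so any caller that tested `content.nil?` will now see a Hash instead; that is an observable behaviour change beyond the security fix itself and deserves a sentence in the changelog entry next to the CVE reference.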
@@ -292,12 +292,12 @@
   # Changed this line where the key is :message.  The yaml specifies this 
as a symbol, and who am I to change what you specify
   # The line in ActiveSupport is
   # 'content' = { 'message' = Have a nice day, 1 = should be an 
integer, array = [{ should-have-dashes = true, should_have_underscores 
= true }] },
-  'content' = { :message = Have a nice day, 1 = should be an 
integer, array = [{ should-have-dashes = true, should_have_underscores 
= true }] },
+  'content' = --- \n1: should be an integer\n:message: Have a nice 
day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n,
   'author_email_address' = da...@loudthinking.com,
   'parent_id' = nil,
   'ad_revenue' = BigDecimal(1.50),
   'optimum_viewing_angle' = 135.0,
-  'resident' = :yes
+  'resident' = 'yes'
 }
 
 Hash.from_xml(topic_xml)[topic].each do |k,v|
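Review bot: the comment block kept above the changed `'content'` line still explains why the key is the symbol `:message` and compares against the ActiveSupport expectation, but after this hunk the YAML text is no longer parsed at all and the expected value is the raw `--- \n1: should be an integer\n:message: ...` string; the comment is stale, so drop it or reword it to say the document is deliberately kept as a plain string now that the yaml typecast is gone.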
only in patch2:
unchanged:
--- ruby-extlib-0.9.15.orig/lib/extlib/hash.rb
+++ ruby-extlib-0.9.15/lib/extlib/hash.rb
@@ -279,9 +279,7 @@
   self.typecasts[decimal]   = lambda{|v| BigDecimal(v)}
   self.typecasts[double]= lambda{|v| v.nil? ? nil : v.to_f}
   self.typecasts[float] = lambda{|v| v.nil? ? nil : v.to_f}
-  self.typecasts[symbol]= lambda{|v| v.to_sym}
   self.typecasts[string]= lambda{|v| v.to_s}
-  self.typecasts[yaml]  = lambda{|v| v.nil? ? nil : YAML.load(v)}
   self.typecasts[base64Binary]  = lambda{|v| v.unpack('m').first }
 
   self.available_typecasts = self.typecasts.keys
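Review bot: dropping the `symbol` and `yaml` entries is the right minimal change, and because `available_typecasts` is rebuilt from `typecasts.keys` on the last context line the two types disappear from the advertised list automatically; it is still worth checking the rest of hash.rb for a YAML require that may now be unused and for rdoc text that still lists symbol/yaml as supported `type` attributes, and adding a spec that asserts `Hash.from_xml` never invokes `YAML.load` for any `type` value, so the regression cannot return silently.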

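As an added illustration of the shape the hardened typecast table takes once the `symbol` and `yaml` entries are removed, and of the fallback the updated spec expects (an unknown `type` leaves the text as a plain string). This is example code written for this thread, not extlib's own code; `SAFE_TYPECASTS`, `safe_typecast`, `elements_to_hash` and the element list are constructed names and data standing in for parsed XML.

```ruby
require 'bigdecimal'

# Constructed allowlist of casts, modelled on the entries the hash.rb hunk
# keeps. There is deliberately no "symbol" and no "yaml" entry: every
# remaining lambda produces a plain value from the text and never
# instantiates objects or interns attacker-chosen names.
SAFE_TYPECASTS = {
  'integer'      => lambda { |v| v.nil? ? nil : v.to_i },
  'boolean'      => lambda { |v| %w[true 1].include?(v.to_s.strip) },
  'decimal'      => lambda { |v| BigDecimal(v) },
  'float'        => lambda { |v| v.nil? ? nil : v.to_f },
  'string'       => lambda { |v| v.to_s },
  'base64Binary' => lambda { |v| v.unpack('m').first },
}.freeze

# Apply the cast named by an element's "type" attribute. A type that is
# not in the allowlist (including "yaml" and "symbol") returns the text
# untouched, which is exactly what the updated spec asserts for the
# 'content' and 'resident' elements.
def safe_typecast(value, type)
  cast = SAFE_TYPECASTS[type]
  cast ? cast.call(value) : value
end

# Walk a constructed list of (name, type attribute, text) triples the way
# an XML-to-Hash conversion would, returning the resulting Hash.
def elements_to_hash(elements)
  elements.each_with_object({}) do |(name, type, text), h|
    h[name] = safe_typecast(text, type)
  end
end

# Constructed sample modelled on the spec expectations quoted above.
SAMPLE_ELEMENTS = [
  ['id',         'integer', '1'],
  ['approved',   'boolean', 'true'],
  ['content',    'yaml',    "--- \n1: should be an integer\n:message: Have a nice day\n"],
  ['resident',   'symbol',  'yes'],
  ['ad_revenue', 'decimal', '1.50'],
].freeze

if __FILE__ == $0
  elements_to_hash(SAMPLE_ELEMENTS).each { |k, v| puts "#{k}: #{v.inspect} (#{v.class})" }
end
```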

Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)

2013-01-11 Thread Salvatore Bonaccorso
Hi

(resending this as I missed the bugreport)

On Fri, Jan 11, 2013 at 12:06:54AM +, Joshua Timberman wrote:
 Package: libextlib-ruby
 
 Version: 0.9.13-2
 Severity: grave
 Tags: security
 
 Dan Kubb, upstream maintainer of the extlib RubyGem recently updated it to
 resolve security issues reported in CVE-2013-0156.
 
 The patches are available from the extlib Git repository on GitHub to
 remove symbol and yaml coercion, respectively:
 
 https://github.com/datamapper/extlib/commit/4540e7102b803624cc2eade4bb8934fc31c5
 https://github.com/datamapper/extlib/commit/633974b2759d9b924657f3888473d5fd681538dd

(Disclaimer: I'm not the maintainer/part of team for ruby-extlib
package, but trying to help on this if needed).

Attached is the first debdiff for the version in Squeeze based on the
above commits. But I noticed when I rebuild the package I get the
following debdiff for libextlib-ruby-doc:

[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_10.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_11.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_18.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_2.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_22.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_24.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_25.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_28.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_29.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_31.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_10_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_10_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_25_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_25_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_27_0.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_27_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_28_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_28_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_29_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_29_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_2_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_2_0.png

Files in first .deb but not in second
-
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_10.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_11.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_18.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_2.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_22.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_24.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_25.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_28.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_29.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_31.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_11_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_11_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_18_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_18_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_22_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_22_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_24_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_24_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_31_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_31_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_7_0.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_7_0.png

So it looks like the compression is on other files.

Regards,
Salvatore
diff -u libextlib-ruby-0.9.13/debian/changelog 
libextlib-ruby-0.9.13/debian/changelog
--- libextlib-ruby-0.9.13/debian/changelog
+++ libextlib-ruby-0.9.13/debian/changelog
@@ -1,3 +1,11 @@
+libextlib-ruby (0.9.13-2+squeeze1) stable-security; urgency=high
+
+  * Non-maintainer upload.
+  *
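Review bot: `0.9.13-2+squeeze1` with distribution `stable-security` and `urgency=high` is the right form for a squeeze security update; only the NMU marker survives of the bullet list in the archived message, so whatever follows should spell out the CVE id and the two upstream commit ids the way the unstable entry earlier in the thread does, so the stable and unstable uploads are traceable to the same fix.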