Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Control: retitle -1 Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-1802)

Hi

A separate CVE was assigned to this vulnerability: CVE-2013-1802

Regards,
Salvatore

-- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Processed: Re: Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Processing control commands:

retitle -1 Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-1802)
Bug #697895 {Done: Cédric Boutillier bou...@debian.org} [libextlib-ruby] Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Changed Bug title to 'Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-1802)' from 'Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)'

-- 697895: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697895
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Thank you, Salvatore and Cédric, for your help and quick turnaround with this!
Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Hi

Attached are the upstream commits applied to the unstable version and the generated debdiff. But this also creates some additional files in one of the binary packages built:

ruby-extlib: [The following lists of changes regard files as different if they have different names, permissions or owners.] Files in second .deb but not in first - -rw-r--r-- root/root /usr/share/rubygems-integration/1.8/specifications/extlib-0.9.15.gemspec -rw-r--r-- root/root /usr/share/rubygems-integration/1.9.1/specifications/extlib-0.9.15.gemspec

Regards,
Salvatore

diff -u ruby-extlib-0.9.15/debian/changelog ruby-extlib-0.9.15/debian/changelog --- ruby-extlib-0.9.15/debian/changelog +++ ruby-extlib-0.9.15/debian/changelog @@ -1,3 +1,11 @@ +ruby-extlib (0.9.15-2.1) unstable; urgency=high + + * Non-maintainer upload. + * [SECURITY] CVE-2013-0156: Remove symbol and yaml coercion from the +XML parser. (Closes: #697895) (LP: #1098357) + + -- Salvatore Bonaccorso car...@debian.org Fri, 11 Jan 2013 21:14:26 +0100 + ruby-extlib (0.9.15-2) unstable; urgency=low * Add full text of the Ruby licence. @@ -49 +56,0 @@ - only in patch2: unchanged: --- ruby-extlib-0.9.15.orig/spec/hash_spec.rb +++ ruby-extlib-0.9.15/spec/hash_spec.rb @@ -254,7 +254,7 @@ 'approved' = nil, 'written_on' = nil, 'viewed_at' = nil, - 'content'= nil, + 'content'= { 'type' = 'yaml' }, 'parent_id' = nil } Hash.from_xml(topic_xml)[topic].should == expected_topic_hash 
@@ -292,12 +292,12 @@ # Changed this line where the key is :message. The yaml specifies this as a symbol, and who am I to change what you specify # The line in ActiveSupport is # 'content' = { 'message' = Have a nice day, 1 = should be an integer, array = [{ should-have-dashes = true, should_have_underscores = true }] }, - 'content' = { :message = Have a nice day, 1 = should be an integer, array = [{ should-have-dashes = true, should_have_underscores = true }] }, + 'content' = --- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n should_have_underscores: true\n, 'author_email_address' = da...@loudthinking.com, 'parent_id' = nil, 'ad_revenue' = BigDecimal(1.50), 'optimum_viewing_angle' = 135.0, - 'resident' = :yes + 'resident' = 'yes' } Hash.from_xml(topic_xml)[topic].each do |k,v| only in patch2: unchanged: --- ruby-extlib-0.9.15.orig/lib/extlib/hash.rb +++ ruby-extlib-0.9.15/lib/extlib/hash.rb @@ -279,9 +279,7 @@ self.typecasts[decimal] = lambda{|v| BigDecimal(v)} self.typecasts[double]= lambda{|v| v.nil? ? nil : v.to_f} self.typecasts[float] = lambda{|v| v.nil? ? nil : v.to_f} - self.typecasts[symbol]= lambda{|v| v.to_sym} self.typecasts[string]= lambda{|v| v.to_s} - self.typecasts[yaml] = lambda{|v| v.nil? ? nil : YAML.load(v)} self.typecasts[base64Binary] = lambda{|v| v.unpack('m').first } self.available_typecasts = self.typecasts.keys
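Review bot: the debian/changelog hunk (`@@ -1,3 +1,11 @@`) names only CVE-2013-0156, but a separate identifier, CVE-2013-1802, was assigned to the extlib issue (see the retitle earlier in this bug), and the security tracker matches uploads on the CVE in the changelog. Suggest `* [SECURITY] CVE-2013-1802 (related to CVE-2013-0156): Remove symbol and yaml coercion from the XML parser.` before the upload goes out.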
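Review bot: the second changelog hunk (`@@ -49 +56,0 @@`) deletes a blank line 49 that has nothing to do with the security fix; dropping it keeps the NMU debdiff limited to the new changelog entry and the two upstream commits, which is what a stable/security reviewer expects to see.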
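Review bot: in the spec/hash_spec.rb hunk at `@@ -254,7 +254,7 @@`, the new expectation `'content' => { 'type' => 'yaml' }` documents that an element whose `type` attribute is no longer in the typecast table yields its attribute hash instead of nil; that is the generic unknown-type path, so a one-line comment in the spec saying that `yaml` is intentionally unrecognised would stop a later contributor from "fixing" the expectation by re-adding the typecast.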
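Review bot: in the spec/hash_spec.rb hunk at `@@ -292,12 +292,12 @@`, the unchanged context comment above the edited line (`# Changed this line where the key is :message. The yaml specifies this as a symbol, and who am I to change what you specify`) now describes behaviour the hunk removes, since `'content'` is expected to be the raw YAML text and `'resident'` the string `'yes'`; update or delete that comment. The hunk also only adjusts existing expectations: no spec asserts the negative case, so consider a short test that feeds a `type="yaml"` element carrying a `!ruby/object` tag and a `type="symbol"` element and checks that both come back as Strings.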
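Review bot: in the lib/extlib/hash.rb hunk at `@@ -279,9 +279,7 @@`, the surviving `base64Binary` entry (`lambda{|v| v.unpack('m').first }`) has no nil guard, unlike the adjacent `double`/`float`/`yaml` entries, so an empty `<x type="base64Binary"/>` raises NoMethodError on nil; suggest `lambda{|v| v.nil? ? nil : v.unpack('m').first }`. The two removals themselves are the correct fix: `YAML.load(v)` deserialised sender-controlled element text into arbitrary Ruby objects, and `v.to_sym` interned sender-controlled strings as symbols, which the Ruby of that era never garbage-collected, so an attacker could exhaust memory. Because `available_typecasts` is recomputed from `typecasts.keys` on the last line, no further bookkeeping is needed.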
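The change the hash.rb hunk above makes, shown in working form. This is an added example, not extlib's own code: a small stand-in for the Hash.from_xml typecast table with the vulnerable `symbol`/`yaml` entries beside the hardened table, run over a constructed hostile request body. The `Probe` class, the helper names (`typecast_xml`, `coerce_vulnerable`, `coerce_hardened`, `legacy_yaml_load`) and the XML payload are assumptions made for the example; it generalises the spec fixture slightly by also showing an `integer` typecast and an element with no `type` attribute path.

```ruby
# Added example, not extlib's own code: a minimal stand-in for the
# Hash.from_xml typecast table from lib/extlib/hash.rb, with the
# vulnerable "symbol"/"yaml" entries beside the hardened table.
# Probe, the helper names and the XML payload are assumptions.
require 'rexml/document'
require 'yaml'

# Stand-in for any application class reachable through a !ruby/object tag.
class Probe
  attr_accessor :marker
end

# Entries shared by both tables, keyed by the XML "type" attribute.
BASE_TYPECASTS = {
  'integer'      => lambda { |v| v.nil? ? nil : v.to_i },
  'boolean'      => lambda { |v| %w[true 1].include?(v.to_s.strip) },
  'string'       => lambda { |v| v.to_s },
  'base64Binary' => lambda { |v| v.nil? ? nil : v.unpack('m').first },
}.freeze

# Historical YAML.load behaviour: current Psych makes YAML.load safe and
# keeps the old behaviour as unsafe_load; older Psych only has the unsafe load.
def legacy_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Pre-fix table. The sender of the XML, not the application, chooses the
# type attribute, so "yaml" hands request text to the deserializer
# (arbitrary object instantiation) and "symbol" interns request text
# (symbols were never collected in Ruby of that era: memory exhaustion).
VULNERABLE_TYPECASTS = BASE_TYPECASTS.merge(
  'symbol' => lambda { |v| v.to_sym },
  'yaml'   => lambda { |v| v.nil? ? nil : legacy_yaml_load(v) }
).freeze

# Post-fix table: as in the upstream change, the two entries are simply gone.
HARDENED_TYPECASTS = BASE_TYPECASTS

# Coerce each child of the root element by its type attribute. An unknown
# or missing type falls through as plain text, which is what callers must
# now expect for type="yaml" and type="symbol".
def typecast_xml(xml, typecasts)
  doc = REXML::Document.new(xml)
  doc.root.elements.to_a.each_with_object({}) do |el, out|
    caster = typecasts[el.attributes['type']]
    out[el.name] = caster ? caster.call(el.text) : el.text.to_s
  end
end

# Constructed hostile request body: the sender picks every type attribute.
HOSTILE_XML =
  '<topic>' \
  '<id type="integer">7</id>' \
  '<resident type="symbol">yes</resident>' \
  "<content type=\"yaml\">--- !ruby/object:Probe\nmarker: hit\n</content>" \
  '<note>plain text, no type attribute</note>' \
  '</topic>'

def coerce_vulnerable(xml = HOSTILE_XML)
  typecast_xml(xml, VULNERABLE_TYPECASTS)
end

def coerce_hardened(xml = HOSTILE_XML)
  typecast_xml(xml, HARDENED_TYPECASTS)
end

if __FILE__ == $PROGRAM_NAME
  v = coerce_vulnerable
  puts "vulnerable: content=#{v['content'].class} resident=#{v['resident'].inspect}"
  h = coerce_hardened
  puts "hardened:   content=#{h['content'].class} resident=#{h['resident'].inspect}"
end
```

With the vulnerable table the `content` element comes back as an instance of `Probe` with `marker` set from the request, and `resident` as the Symbol `:yes`; with the hardened table both are Strings and the `integer` entry still works, which is the behaviour the updated spec expectations in the hunk encode.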
Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Hi

(resending this as I missed the bug report)

On Fri, Jan 11, 2013 at 12:06:54AM +, Joshua Timberman wrote:
> Package: libextlib-ruby
> Version: 0.9.13-2
> Severity: grave
> Tags: security
>
> Dan Kubb, upstream maintainer of the extlib RubyGem, recently updated it to resolve security issues reported in CVE-2013-0156. The patches are available from the extlib Git repository on GitHub to remove symbol and yaml coercion, respectively:
>
> https://github.com/datamapper/extlib/commit/4540e7102b803624cc2eade4bb8934fc31c5
> https://github.com/datamapper/extlib/commit/633974b2759d9b924657f3888473d5fd681538dd

(Disclaimer: I'm not the maintainer/part of the team for the ruby-extlib package, but trying to help on this if needed).

Attached is the first debdiff for the version in Squeeze based on the above commits. But I noticed that when I rebuild the package I get the following debdiff for libextlib-ruby-doc:

[The following lists of changes regard files as different if they have different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_10.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_11.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_18.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_2.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_22.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_24.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_25.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_28.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_29.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_31.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_10_0.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_10_0.png
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_25_0.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_25_0.png
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_27_0.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_27_0.png
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_28_0.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_28_0.png
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_29_0.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_29_0.png
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_2_0.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_2_0.png

Files in first .deb but not in second
-------------------------------------
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_10.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_11.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_18.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_2.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_22.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_24.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_25.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_28.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_29.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_31.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_11_0.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_11_0.png
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_18_0.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_18_0.png
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_22_0.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_22_0.png
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_24_0.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_24_0.png
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_31_0.dot.gz
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_31_0.png
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_7_0.dot
-rw-r--r-- root/root /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_7_0.png

So it looks like the compression is applied to other files.

Regards,
Salvatore

diff -u libextlib-ruby-0.9.13/debian/changelog libextlib-ruby-0.9.13/debian/changelog --- libextlib-ruby-0.9.13/debian/changelog +++ libextlib-ruby-0.9.13/debian/changelog @@ -1,3 +1,11 @@ +libextlib-ruby (0.9.13-2+squeeze1) stable-security; urgency=high + + * Non-maintainer upload. + *