Processed: Re: Bug#882724: stretch-pu: package ruby-ox/2.1.1-2+b6

2017-11-29 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + pending
Bug #882724 [release.debian.org] stretch-pu: package ruby-ox/2.1.1-2+b6
Added tag(s) pending.

-- 
882724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882724
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#882724: stretch-pu: package ruby-ox/2.1.1-2+b6

2017-11-29 Thread Adam D. Barratt

Control: tags -1 + pending

On 2017-11-26 13:49, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2017-11-26 at 01:29 +0100, Cédric Boutillier wrote:
> > this update fixes bug #881445 [CVE-2017-15928]
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
> > by cherrypicking a patch from upstream, to fix a crash of the ruby
> > interpreter on a parse error.
> > 
> > Debdiff attached.
> 
> Please go ahead.


Uploaded and flagged for acceptance.

Regards,

Adam



Bug#882724: stretch-pu: package ruby-ox/2.1.1-2+b6

2017-11-26 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2017-11-26 at 01:29 +0100, Cédric Boutillier wrote:
> this update fixes bug #881445 [CVE-2017-15928]
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
> by cherrypicking a patch from upstream, to fix a crash of the ruby
> interpreter on a parse error.
> 
> Debdiff attached.

Please go ahead.

> As jessie and stretch have the same version of this package, I am
> willing to upload the same fix to jessie (same diff except the
> version number with deb8 instead of deb9). Should I submit an
> independent bug report for the jessie proposed update?

Yes, please.

Assuming the diff is otherwise identical, please feel free to upload
the jessie package without waiting for an additional ACK.

Regards,

Adam



Processed: Re: Bug#882724: stretch-pu: package ruby-ox/2.1.1-2+b6

2017-11-26 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #882724 [release.debian.org] stretch-pu: package ruby-ox/2.1.1-2+b6
Added tag(s) confirmed.

-- 
882724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882724
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#882724: stretch-pu: package ruby-ox/2.1.1-2+b6

2017-11-25 Thread Cédric Boutillier
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

this update fixes bug #881445 [CVE-2017-15928]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
by cherrypicking a patch from upstream, to fix a crash of the ruby interpreter
on a parse error.

Debdiff attached.

As jessie and stretch have the same version of this package, I am
willing to upload the same fix to jessie (same diff except the version
number with deb8 instead of deb9). Should I submit an independent bug
report for the jessie proposed update?

Thanks in advance.

Cédric

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru ruby-ox-2.1.1/debian/changelog ruby-ox-2.1.1/debian/changelog
--- ruby-ox-2.1.1/debian/changelog  2014-04-04 12:58:15.0 +0200
+++ ruby-ox-2.1.1/debian/changelog  2017-11-26 01:08:40.0 +0100
@@ -1,3 +1,12 @@
+ruby-ox (2.1.1-2+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * Add fix_parse_obj_segfault.patch picked from upstream
++ fix CVE-2017-15928: segmentation fault in parse_obj
+(Closes: #881445)
+
+ -- Cédric Boutillier   Sun, 26 Nov 2017 01:08:40 +0100
+
 ruby-ox (2.1.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru ruby-ox-2.1.1/debian/gbp.conf ruby-ox-2.1.1/debian/gbp.conf
--- ruby-ox-2.1.1/debian/gbp.conf   1970-01-01 01:00:00.0 +0100
+++ ruby-ox-2.1.1/debian/gbp.conf   2017-11-26 00:52:18.0 +0100
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch=stretch/master
+upstream-branch=stretch/upstream
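Review bot: the new debian/gbp.conf is unrelated to the CVE-2017-15928 fix and is not mentioned in the changelog entry; a stable update is expected to carry the minimal change, so either note it in the changelog or drop it from the upload. It only sets git-buildpackage branch names (stretch/master, stretch/upstream) and has no effect on the built binary, so it is low risk either way.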
diff -Nru ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch 
ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch
--- ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch   1970-01-01 
01:00:00.0 +0100
+++ ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch   2017-11-26 
01:08:40.0 +0100
@@ -0,0 +1,51 @@
+Description: Avoid crash with invalid XML passed to Oj.parse_obj()
+ this fixes CVE-2017-15928
+Author: Peter Ohler 
+Origin: 
https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8.patch
+Bug: https://github.com/ohler55/ox/issues/194
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
+Last-Update: 2017-11-25
+
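Review bot: the Description line says `Oj.parse_obj()`, but this package is ruby-ox and the Origin points at ohler55/ox, so it should read `Ox.parse_obj()` (Oj is the same author's separate JSON gem). The rest of the DEP-3 header is complete: upstream commit, upstream issue and the Debian bug are all linked.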
+--- a/ext/ox/obj_load.c
 b/ext/ox/obj_load.c
+@@ -791,8 +791,10 @@
+   Helper  gh;
+ 
+   helper_stack_pop(&pi->helpers);
+-  gh = helper_stack_peek(&pi->helpers);
+-
++  if (NULL == (gh = helper_stack_peek(&pi->helpers))) {
++  set_error(&pi->err, "Corrupt parse stack, container is 
wrong type", pi->str, pi->s);
++  return;
++  }
+   rb_hash_aset(gh->obj, ph->obj, h->obj);
+   }
+   break;
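Review bot: the NULL check on `helper_stack_peek(&pi->helpers)` is the actual crash fix: after the preceding `helper_stack_pop`, a malformed document can leave the stack without a parent container, and the old code dereferenced `gh` unconditionally in `rb_hash_aset(gh->obj, ph->obj, h->obj)`. The new path records the problem with `set_error` and returns, so correctness depends on the caller checking `pi->err` after this function returns; that caller is outside the hunk and worth confirming before the update goes in. Dropping `ph->obj`/`h->obj` instead of inserting them is the right outcome for a corrupt parse stack.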
+--- a/ext/ox/err.c
 b/ext/ox/err.c
+@@ -42,7 +42,11 @@
+ va_end(ap);
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ ox_err_raise(Err e) {
+ rb_raise(e->clas, "%s", e->msg);
+ }
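Review bot: the `_Noreturn` on `ox_err_raise` is gated on `__GNUC__ > 4` rather than on the C11 feature test `__STDC_VERSION__ >= 201112L`; with stretch's default GCC 6 the specifier is taken, while clang reports `__GNUC__` as 4 and silently falls back to plain `void`, which is harmless. Only the definition is annotated here, so callers in other translation units that see the function through a header prototype gain nothing from it. This part is not needed for the crash fix; it is acceptable in a stable update because `rb_raise` never returns, so the annotation cannot change runtime behaviour.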
+--- a/ext/ox/ox.c
 b/ext/ox/ox.c
+@@ -990,7 +990,11 @@
+ #endif
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ _ox_raise_error(const char *msg, const char *xml, const char *current, const 
char* file, int line) {
+ int   xline = 1;
+ int   col = 1;
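Review bot: the same remark as for the err.c hunk applies to `_ox_raise_error`: the `_Noreturn` lands on the definition only, so any prototype visible to other files stays un-annotated unless it is changed too. No functional impact on the CVE fix.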
diff -Nru ruby-ox-2.1.1/debian/patches/series 
ruby-ox-2.1.1/debian/patches/series
--- ruby-ox-2.1.1/debian/patches/series 2014-03-22 13:16:52.0 +0100
+++ ruby-ox-2.1.1/debian/patches/series 2017-11-26 01:08:40.0 +0100
@@ -1 +1,2 @@
+fix_parse_obj_segfault.patch
 000-fix-so-load-path.patch
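Review bot: the new patch is prepended to debian/patches/series rather than appended after `000-fix-so-load-path.patch`. That is harmless as long as the two patches touch disjoint files, but appending is the usual convention and keeps the quilt order chronological, so there is no question of the new patch altering the context the existing one applies against.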