[DRE-commits] [SCM] ruby-activesupport-3.2.git branch, master, updated. debian/3.2.6-3-1-g9a1515d

Antonio Terceiro terceiro at debian.org
Fri Aug 10 17:28:19 UTC 2012 

The following commit has been merged in the master branch:
commit 9a1515da7586d28eda206e5b631b3a66c8add232
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Fri Aug 10 14:24:34 2012 -0300

    CVE-2012-3464 (Closes: #684517)

diff --git a/debian/changelog b/debian/changelog
index 812384c..082c00f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-activesupport-3.2 (3.2.6-4) unstable; urgency=high
+
+  * debian/patches/CVE-2012-3464.patch: fixes potential XSS vulnerability.
+    CVE-2012-3464 (Closes: #684517).
+
+ -- Antonio Terceiro <terceiro at debian.org>  Fri, 10 Aug 2012 14:10:41 -0300
+
 ruby-activesupport-3.2 (3.2.6-3) unstable; urgency=low
 
   * Bump build dependency on gem2deb to >= 0.3.0~
diff --git a/debian/patches/CVE-2012-3464.patch b/debian/patches/CVE-2012-3464.patch
new file mode 100644
index 0000000..674a656
--- /dev/null
+++ b/debian/patches/CVE-2012-3464.patch
@@ -0,0 +1,32 @@
+Description: [PATCH] html_escape should escape single quotes
+ This patch was adapted by Antonio Terceiro <terceiro at debian.org> to
+ activesupport 3.2.6, which was the version in testing at the time.
+Author: Santiago Pastorino <santiago at wyeworks.com>
+
+---
+
+Origin: upstream
+Bug: https://github.com/rails/rails/issues/7215
+Reviewed-By: Antonio Terceiro <terceiro at debian.org>
+Last-Update: 2012-08-10
+
+--- ruby-activesupport-3.2-3.2.6.orig/lib/active_support/core_ext/string/output_safety.rb
++++ ruby-activesupport-3.2-3.2.6/lib/active_support/core_ext/string/output_safety.rb
+@@ -3,7 +3,7 @@ require 'active_support/core_ext/kernel/
+ 
+ class ERB
+   module Util
+-    HTML_ESCAPE = { '&' => '&',  '>' => '>',   '<' => '<', '"' => '"' }
++    HTML_ESCAPE = { '&' => '&',  '>' => '>',   '<' => '<', '"' => '"', "'" => '&#x27;' }
+     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
+ 
+     # Detect whether 1.9 can transcode with XML escaping.
+@@ -22,7 +22,7 @@ class ERB
+         if s.html_safe?
+           s
+         else
+-          s.encode(s.encoding, :xml => :attr)[1...-1].html_safe
++          s.gsub(/[&"'><]/, HTML_ESCAPE).html_safe
+         end
+       end
+     else
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..cd6330b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2012-3464.patch

-- 
ruby-activesupport-3.2.git

More information about the Pkg-ruby-extras-commits mailing list