[DRE-commits] [ruby-actionpack-3.2] 04/06: [CVE-2013-6414] Denial of Service Vulnerability in Action View

Ondrej Sury ondrej at moszumanska.debian.org
Wed Dec 4 11:12:33 UTC 2013


This is an automated email from the git hooks/post-receive script.

ondrej pushed a commit to branch master-wheezy
in repository ruby-actionpack-3.2.

commit 006a14f153095e4cdfdb1c046635940433807ae8
Author: Ondřej Surý <ondrej at sury.org>
Date:   Wed Dec 4 11:46:19 2013 +0100

    [CVE-2013-6414] Denial of Service Vulnerability in Action View
---
 debian/patches/CVE-2013-6414.patch | 23 +++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 24 insertions(+)

diff --git a/debian/patches/CVE-2013-6414.patch b/debian/patches/CVE-2013-6414.patch
new file mode 100644
index 0000000..f021ae2
--- /dev/null
+++ b/debian/patches/CVE-2013-6414.patch
@@ -0,0 +1,23 @@
+From bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Sat, 30 Nov 2013 17:02:53 -0800
+Subject: [PATCH] Only use valid mime type symbols as cache keys
+
+CVE-2013-6414
+
+--- ruby-actionpack-3.2.orig/lib/action_view/lookup_context.rb
++++ ruby-actionpack-3.2/lib/action_view/lookup_context.rb
+@@ -56,6 +56,13 @@ module ActionView
+       @details_keys = Hash.new
+ 
+       def self.get(details)
++        if details[:formats]
++          details = details.dup
++          syms    = Set.new Mime::SET.symbols
++          details[:formats] = details[:formats].select { |v|
++            syms.include? v
++          }
++        end
+         @details_keys[details] ||= new
+       end
+ 
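Review bot: the new branch in `self.get` calls `Set.new Mime::SET.symbols`, but nothing in the hunk adds `require 'set'` to lookup_context.rb; confirm `Set` is already loaded on this file's load path (ActiveSupport's core extensions normally require it) before applying, or add the require at the top of the file, since otherwise the first call with a `:formats` key would raise NameError. On the Debian side, the patch header carries only the git From/Date/Subject lines; adding `Origin:` (upstream commit bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068) and `Bug-Debian:` fields would complete the DEP-3 metadata and make the backport easier to trace.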
diff --git a/debian/patches/series b/debian/patches/series
index 07e0d65..4b9d9cc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,4 +5,5 @@ CVE-2013-0155.patch
 CVE-2013-1855.patch
 CVE-2013-1857.patch
 CVE-2013-4491.patch
+CVE-2013-6414.patch
 CVE-2013-6417.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-actionpack-3.2.git