[DRE-commits] [SCM] ruby-rack.git branch, master, updated. debian/1.4.1-2-3-gea74a01

Nobuhiro Iwamatsu iwamatsu at nigauri.org
Wed Feb 27 07:44:54 UTC 2013


The following commit has been merged in the master branch:
commit ea74a0168890769ca9137711dac5346d220b88c3
Author: Nobuhiro Iwamatsu <iwamatsu at nigauri.org>
Date:   Wed Feb 27 16:44:00 2013 +0900

    Fix CVE-2013-0262 and CVE-2013-0263
    
    Signed-off-by: Nobuhiro Iwamatsu <iwamatsu at nigauri.org>

diff --git a/debian/changelog b/debian/changelog
index 006d48e..102e76e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,18 @@
-ruby-rack (1.4.1-3) unstable; urgency=low
+ruby-rack (1.4.1-2.1) unstable; urgency=high
 
+  [ KURASHIKI Satoru ]
+  * Non-maintainer upload.
+  * Create cherry-picked patches for Security Fix (Closes: #700173 #700226).
+    - CVE-2013-0262: 0004-Prevent-symlink-path-traversals.patch
+    - CVE-2013-0263: 0005-Use-secure_compare-for-hmac-comparison.patch
+
+  [ Youhei SASAKI ]
   * Create cherry-picked patches for Security Fix (Closes: #698440).
     - CVE-2012-6109: 0001-Fix-parsing-performance-for-unquoted-filenames.patch
     - CVE-2013-0183: 0002-multipart-parser-avoid-unbounded-gets-method.patch
     - CVE-2013-0184: 0003-Reimplement-auth-scheme-fix.patch
 
- -- Youhei SASAKI <uwabami at gfd-dennou.org>  Sun, 20 Jan 2013 05:09:07 +0900
+ -- KURASHIKI Satoru <lurdan at gmail.com>  Wed, 20 Feb 2013 20:56:31 +0900
 
 ruby-rack (1.4.1-2) unstable; urgency=low
 
diff --git a/debian/patches/0004-Prevent-symlink-path-traversals.patch b/debian/patches/0004-Prevent-symlink-path-traversals.patch
new file mode 100644
index 0000000..3708946
--- /dev/null
+++ b/debian/patches/0004-Prevent-symlink-path-traversals.patch
@@ -0,0 +1,40 @@
+Description: Prevent symlink path traversals
+ rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5
+ allows attackers to access arbitrary files outside the intended root
+ directory via a crafted PATH_INFO environment variable, probably a directory
+ traversal vulnerability that is remotely exploitable, aka "symlink path traversals."
+
+Origin: upstream, https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30
+Bug: https://security-tracker.debian.org/tracker/CVE-2013-0262
+Bug-Debian: http://bugs.debian.org/700173
+
+Index: ruby-rack/lib/rack/file.rb
+===================================================================
+--- ruby-rack.orig/lib/rack/file.rb	2013-02-20 21:36:40.000000000 +0900
++++ ruby-rack/lib/rack/file.rb	2013-02-20 21:39:58.265999186 +0900
+@@ -40,19 +40,14 @@
+       @path_info = Utils.unescape(env["PATH_INFO"])
+       parts = @path_info.split SEPS
+ 
+-      parts.inject(0) do |depth, part|
+-        case part
+-        when '', '.'
+-          depth
+-        when '..'
+-          return fail(404, "Not Found") if depth - 1 < 0
+-          depth - 1
+-        else
+-          depth + 1
+-        end
++      clean = []
++
++      parts.each do |part|
++        next if part.empty? || part == '.'
++        part == '..' ? clean.pop : clean << part
+       end
+ 
+-      @path = F.join(@root, *parts)
++      @path = F.join(@root, *clean)
+ 
+       available = begin
+         F.file?(@path) && F.readable?(@path)
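Review bot: the `..` handling now clamps silently instead of failing: `clean.pop` on an empty array returns nil, so a request like `/../../etc/passwd` is served as `<root>/etc/passwd` where the removed `inject` returned 404 as soon as depth went below zero. The lexical collapse is the right fix for the symlink case, because the old code only counted components and still passed the literal `..` to `F.join`, so `link/../x` was accepted lexically (depth 1, 0, 1) and then resolved by the filesystem relative to the link target rather than to `@root`; with `clean` the `..` is consumed before the join and `link` never reaches the filesystem. Two follow-ups: consider keeping the 404 on underflow so over-traversal attempts stay visible rather than being normalised into valid requests, and note in the description that the check is purely lexical, so a symlink inside `@root` that points outside it is still followed (the root must be trusted content). `Utils.unescape` runs before the split, so `%2e%2e` forms are covered by the same loop.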
diff --git a/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch b/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch
new file mode 100644
index 0000000..15905b1
--- /dev/null
+++ b/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch
@@ -0,0 +1,65 @@
+Description: Use secure compare for hmac comparison
+ Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5,
+ 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows
+ remote attackers to guess the session cookie, gain privileges, and
+ execute arbitrary code via a timing attack involving am HMAC
+ comparison function that does not run in constant time.
+
+Origin: upstream,
+ https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07,
+ https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
+Bug: https://security-tracker.debian.org/tracker/CVE-2013-0263
+Bug-Debian: http://bugs.debian.org/700226
+
+Index: ruby-rack/lib/rack/session/cookie.rb
+===================================================================
+--- ruby-rack.orig/lib/rack/session/cookie.rb	2013-02-11 15:09:25.000000000 +0900
++++ ruby-rack/lib/rack/session/cookie.rb	2013-02-20 23:11:19.091085974 +0900
+@@ -108,7 +108,7 @@
+ 
+             if session_data && digest
+               ok = @secrets.any? do |secret|
+-                secret && digest == generate_hmac(session_data, secret)
++                secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))
+               end
+             end
+ 
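Review bot: `digest` here comes straight from the cookie and is attacker-controlled, while `generate_hmac` returns a fixed-length hex string, so the length check inside `secure_compare` short-circuits only on malformed cookies and leaks nothing beyond the expected digest length; worth a one-line comment above the `any?` so nobody later "optimises" it back to `==`. The `@secrets.any?` loop still stops at the first matching secret, which makes verification time depend on which rotated secret signed the cookie, but that reveals only the secret index, not any digest byte, so no change is needed there.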
+Index: ruby-rack/lib/rack/utils.rb
+===================================================================
+--- ruby-rack.orig/lib/rack/utils.rb	2013-02-11 15:09:25.000000000 +0900
++++ ruby-rack/lib/rack/utils.rb	2013-02-20 23:12:39.171087876 +0900
+@@ -336,6 +336,18 @@
+     end
+     module_function :byte_ranges
+ 
++    # Constant time string comparison.
++    def secure_compare(a, b)
++      return false unless bytesize(a) == bytesize(b)
++
++      l = a.unpack("C*")
++
++      r, i = 0, -1
++      b.each_byte { |v| r |= v ^ l[i+=1] }
++      r == 0
++    end
++    module_function :secure_compare
++
+     # Context allows the use of a compatible middleware at different points
+     # in a request handling stack. A compatible middleware must define
+     # #context which should take the arguments env and app. The first of which
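Review bot: the comment `# Constant time string comparison.` overstates slightly: the `return false unless bytesize(a) == bytesize(b)` is a data-dependent early exit, so the routine is constant time only for equal-length inputs. That is fine for the HMAC use (hex digests have a fixed length, and the length of the expected value is not secret), but a caller comparing variable-length secrets would leak their length; say so in the comment. The loop itself is correct: `l = a.unpack("C*")` plus `b.each_byte { |v| r |= v ^ l[i+=1] }` touches every byte regardless of where the first difference lies, and only the final `r == 0` depends on the data, which is the pattern you want in a Ruby implementation (absolute timing still varies with GC and interpreter noise, but not with the position of the mismatch).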
+Index: ruby-rack/test/spec_utils.rb
+===================================================================
+--- ruby-rack.orig/test/spec_utils.rb	2013-02-11 15:09:25.000000000 +0900
++++ ruby-rack/test/spec_utils.rb	2013-02-20 23:13:55.627089693 +0900
+@@ -322,6 +322,11 @@
+     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
+   end
+ 
++  should "should perform constant time string comparison" do
++    Rack::Utils.secure_compare('a', 'a').should.equal true
++    Rack::Utils.secure_compare('a', 'b').should.equal false
++  end
++
+   should "return status code for integer" do
+     Rack::Utils.status_code(200).should.equal 200
+   end
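Review bot: the added spec only exercises equal and unequal one-byte strings, which would pass even with a naive `==`; add a length-mismatch case (`Rack::Utils.secure_compare('a', 'ab').should.equal false`) and a case that differs only in the last byte (`Rack::Utils.secure_compare('abc', 'abd').should.equal false`) so an off-by-one in the `l[i+=1]` indexing or an accidental early exit on the first differing byte is caught. Style nit: `should "should perform constant time string comparison"` reads as "should should"; drop the leading "should" from the string.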
diff --git a/debian/patches/series b/debian/patches/series
index ca14375..41e134c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,5 @@
 0001-Fix-parsing-performance-for-unquoted-filenames.patch
 0002-multipart-parser-avoid-unbounded-gets-method.patch
 0003-Reimplement-auth-scheme-fix.patch
+0004-Prevent-symlink-path-traversals.patch
+0005-Use-secure_compare-for-hmac-comparison.patch

-- 
ruby-rack.git



More information about the Pkg-ruby-extras-commits mailing list