[DRE-commits] [SCM] ruby-activesupport-2.3.git branch, master, updated. debian/2.3.14-4-2-g846bd0a
Antonio Terceiro
terceiro at debian.org
Wed Jan 9 19:48:05 UTC 2013
The following commit has been merged in the master branch:
commit 846bd0ad272913cebec68bb5efe2f45d1e4bd6da
Author: Antonio Terceiro <terceiro at debian.org>
Date: Wed Jan 9 16:35:53 2013 -0300
Fix CVE-2013-0156
diff --git a/debian/changelog b/debian/changelog
index ffc0b54..afe9d4d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ruby-activesupport-2.3 (2.3.14-5) unstable; urgency=high
+
+ * Team upload.
+ * Add fix for vulnerabilities in parameter parsing [CVE-2013-0156].
+ Closes: #697789
+
+ -- Antonio Terceiro <terceiro at debian.org> Wed, 09 Jan 2013 16:34:24 -0300
+
ruby-activesupport-2.3 (2.3.14-4) unstable; urgency=low
* Team upload.
diff --git a/debian/patches/CVE-2013-0156.patch b/debian/patches/CVE-2013-0156.patch
new file mode 100644
index 0000000..9fa8a11
--- /dev/null
+++ b/debian/patches/CVE-2013-0156.patch
@@ -0,0 +1,82 @@
+From 70adb9613e4a40c5645c99da374639c41012e4fc Mon Sep 17 00:00:00 2001
+From: Jeremy Kemper <jeremy at bitsweat.net>
+Date: Sat, 5 Jan 2013 17:46:26 -0700
+Subject: [PATCH] CVE-2013-0156: Safe XML params parsing. Doesn't allow
+ symbols or yaml.
+
+diff --git a/lib/active_support/core_ext/hash/conversions.rb b/lib/active_support/core_ext/hash/conversions.rb
+index a43763f..d7a8c1e 100644
+--- a/lib/active_support/core_ext/hash/conversions.rb
++++ b/lib/active_support/core_ext/hash/conversions.rb
+@@ -26,6 +26,13 @@ module ActiveSupport #:nodoc:
+ end
+ end
+
++ DISALLOWED_XML_TYPES = %w(symbol yaml)
++ class DisallowedType < StandardError #:nodoc:
++ def initialize(type)
++ super "Disallowed type attribute: #{type.inspect}"
++ end
++ end
++
+ XML_TYPE_NAMES = {
+ "Symbol" => "symbol",
+ "Fixnum" => "integer",
+@@ -160,14 +167,24 @@ module ActiveSupport #:nodoc:
+ end
+
+ module ClassMethods
+- def from_xml(xml)
+- typecast_xml_value(unrename_keys(XmlMini.parse(xml)))
++ def from_xml(xml, disallowed_types = nil)
++ typecast_xml_value(unrename_keys(XmlMini.parse(xml)), disallowed_types)
++ end
++
++ def from_trusted_xml(xml)
++ from_xml xml, []
+ end
+
+ private
+- def typecast_xml_value(value)
++ def typecast_xml_value(value, disallowed_types = nil)
++ disallowed_types ||= DISALLOWED_XML_TYPES
++
+ case value.class.to_s
+ when 'Hash'
++ if value.include?('type') && !value['type'].is_a?(Hash) && disallowed_types.include?(value['type'])
++ raise DisallowedType, value['type']
++ end
++
+ if value['type'] == 'array'
+ child_key, entries = value.detect { |k,v| k != 'type' } # child_key is throwaway
+ if entries.nil? || (c = value['__content__'] && c.blank?)
+@@ -175,9 +192,9 @@ module ActiveSupport #:nodoc:
+ else
+ case entries.class.to_s # something weird with classes not matching here. maybe singleton methods breaking is_a?
+ when "Array"
+- entries.collect { |v| typecast_xml_value(v) }
++ entries.collect { |v| typecast_xml_value(v, disallowed_types) }
+ when "Hash"
+- [typecast_xml_value(entries)]
++ [typecast_xml_value(entries, disallowed_types)]
+ else
+ raise "can't typecast #{entries.inspect}"
+ end
+@@ -205,7 +222,7 @@ module ActiveSupport #:nodoc:
+ nil
+ else
+ xml_value = value.inject({}) do |h,(k,v)|
+- h[k] = typecast_xml_value(v)
++ h[k] = typecast_xml_value(v, disallowed_types)
+ h
+ end
+
+@@ -214,7 +231,7 @@ module ActiveSupport #:nodoc:
+ xml_value["file"].is_a?(StringIO) ? xml_value["file"] : xml_value
+ end
+ when 'Array'
+- value.map! { |i| typecast_xml_value(i) }
++ value.map! { |i| typecast_xml_value(i, disallowed_types) }
+ case value.length
+ when 0 then nil
+ when 1 then value.first
diff --git a/debian/patches/series b/debian/patches/series
index 46b7aea..bea4652 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
0001-remove_vendor_directory.patch
0002-remove_rubygems_require.patch
+CVE-2013-0156.patch
--
ruby-activesupport-2.3.git
More information about the Pkg-ruby-extras-commits
mailing list