[DRE-commits] [SCM] ruby-rack.git branch, master, updated. debian/1.4.1-2-1-g8317290
Youhei SASAKI
uwabami at gfd-dennou.org
Sat Jan 19 20:30:31 UTC 2013
The following commit has been merged in the master branch:
commit 8317290187bf5712fdd4ec37ddf906e5b40221f7
Author: Youhei SASAKI <uwabami at gfd-dennou.org>
Date: Sun Jan 20 05:07:59 2013 +0900
Fix CVE-2012-6109, CVE-2013-0183, CVE-2013-0184 (Closes: #698440)
Signed-off-by: Youhei SASAKI <uwabami at gfd-dennou.org>
diff --git a/debian/changelog b/debian/changelog
index b1637d8..006d48e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ruby-rack (1.4.1-3) unstable; urgency=low
+
+ * Create cherry-picked patches for Security Fix (Closes: #698440).
+ - CVE-2012-6109: 0001-Fix-parsing-performance-for-unquoted-filenames.patch
+ - CVE-2013-0183: 0002-multipart-parser-avoid-unbounded-gets-method.patch
+ - CVE-2013-0184: 0003-Reimplement-auth-scheme-fix.patch
+
+ -- Youhei SASAKI <uwabami at gfd-dennou.org> Sun, 20 Jan 2013 05:09:07 +0900
+
ruby-rack (1.4.1-2) unstable; urgency=low
* Bump build dependency on gem2deb to >= 0.3.0~
diff --git a/debian/patches/0001-Fix-parsing-performance-for-unquoted-filenames.patch b/debian/patches/0001-Fix-parsing-performance-for-unquoted-filenames.patch
new file mode 100644
index 0000000..4b52465
--- /dev/null
+++ b/debian/patches/0001-Fix-parsing-performance-for-unquoted-filenames.patch
@@ -0,0 +1,67 @@
+From: James Tucker <jftucker at gmail.com>
+Date: Sun, 13 May 2012 15:02:17 -0700
+Subject: Fix parsing performance for unquoted filenames
+
+Special thanks to Paul Rogers & Eric Wong
+
+Origin: upstream, https://github.com/rack/rack/commit/4fc44671b3cad569421f4f8b775c0590b86f575e
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=895277
+Bug-Debian: http://bugs.debian.org/698440
+
+---
+ lib/rack/multipart.rb | 4 ++--
+ test/spec_multipart.rb | 21 +++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb
+index 3777106..6849248 100644
+--- a/lib/rack/multipart.rb
++++ b/lib/rack/multipart.rb
+@@ -12,7 +12,7 @@ module Rack
+ MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|n
+ TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/
+ CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i
+- DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})*/
++ DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})/
+ RFC2183 = /^#{CONDISP}(#{DISPPARM})+$/i
+ BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i
+ BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i
+@@ -31,4 +31,4 @@ module Rack
+ end
+
+ end
+-end
+\ No newline at end of file
++end
+diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
+index b0bf57c..e4e5981 100644
+--- a/test/spec_multipart.rb
++++ b/test/spec_multipart.rb
+@@ -48,6 +48,27 @@ describe Rack::Multipart do
+ params['profile']['bio'].should.include 'hello'
+ end
+
++ should "parse very long unquoted multipart file names" do
++ data = <<-EOF
++--AaB03x\r
++Content-Type: text/plain\r
++Content-Disposition: attachment; name=file; filename=#{'long' * 100}\r
++\r
++contents\r
++--AaB03x--\r
++ EOF
++
++ options = {
++ "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
++ "CONTENT_LENGTH" => data.length.to_s,
++ :input => StringIO.new(data)
++ }
++ env = Rack::MockRequest.env_for("/", options)
++ params = Rack::Utils::Multipart.parse_multipart(env)
++
++ params["file"][:filename].should.equal('long' * 100)
++ end
++
+ should "parse multipart upload with text file" do
+ env = Rack::MockRequest.env_for("/", multipart_fixture(:text))
+ params = Rack::Multipart.parse_multipart(env)
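Review bot: The regression test added as `should "parse very long unquoted multipart file names"` asserts only the parsed filename, so it would still pass if the removed trailing `*` on DISPPARM were reintroduced — it would merely take a long time. Bounding the parse, e.g. `Timeout.timeout(2) { params = Rack::Utils::Multipart.parse_multipart(env) }` with `require 'timeout'`, turns a backtracking regression into a failure rather than a hang. The quoted-string branch `"(?:\\"|[^"])*"` still has overlapping alternatives (a backslash is accepted by both), so a why-comment on the DISPPARM line would help the next maintainer: `# no repetition after the value group: it made the parser backtrack heavily on long unquoted values (CVE-2012-6109)`. The rest of the Rack::Multipart module (including how RFC2183 and the BROKEN_* patterns are applied) is outside this hunk.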
diff --git a/debian/patches/0002-multipart-parser-avoid-unbounded-gets-method.patch b/debian/patches/0002-multipart-parser-avoid-unbounded-gets-method.patch
new file mode 100644
index 0000000..fb5b70f
--- /dev/null
+++ b/debian/patches/0002-multipart-parser-avoid-unbounded-gets-method.patch
@@ -0,0 +1,104 @@
+From: Eric Wong <normalperson at yhbt.net>
+Date: Wed, 22 Aug 2012 22:48:23 +0000
+Subject: multipart/parser: avoid unbounded #gets method
+
+Malicious clients may send excessively long lines
+to trigger out-of-memory errors in a Rack web server.
+
+Origin: upstream, https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=895282
+Bug-Debian: http://bugs.debian.org/698440
+
+---
+ lib/rack/multipart/parser.rb | 13 ++++++++---
+ test/spec_multipart.rb | 53 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb
+index 98eceaa..3773de7 100644
+--- a/lib/rack/multipart/parser.rb
++++ b/lib/rack/multipart/parser.rb
+@@ -68,9 +68,16 @@ module Rack
+
+ def fast_forward_to_first_boundary
+ loop do
+- read_buffer = @io.gets
+- break if read_buffer == full_boundary
+- raise EOFError, "bad content body" if read_buffer.nil?
++ content = @io.read(BUFSIZE)
++ raise EOFError, "bad content body" unless content
++ @buf << content
++
++ while @buf.gsub!(/\A([^\n]*\n)/, '')
++ read_buffer = $1
++ return if read_buffer == full_boundary
++ end
++
++ raise EOFError, "bad content body" if Utils.bytesize(@buf) >= BUFSIZE
+ end
+ end
+
+diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
+index e4e5981..1c50d9a 100644
+--- a/test/spec_multipart.rb
++++ b/test/spec_multipart.rb
+@@ -69,6 +69,59 @@ contents\r
+ params["file"][:filename].should.equal('long' * 100)
+ end
+
++ should "reject insanely long boundaries" do
++ # using a pipe since a tempfile can use up too much space
++ rd, wr = IO.pipe
++
++ # we only call rewind once at start, so make sure it succeeds
++ # and doesn't hit ESPIPE
++ def rd.rewind; end
++ wr.sync = true
++
++ # mock out length to make this pipe look like a Tempfile
++ def rd.length
++ 1024 * 1024 * 8
++ end
++
++ # write to a pipe in a background thread, this will write a lot
++ # unless Rack (properly) shuts down the read end
++ thr = Thread.new do
++ begin
++ wr.write("--AaB03x")
++
++ # make the initial boundary a few gigs long
++ longer = "0123456789" * 1024 * 1024
++ (1024 * 1024).times { wr.write(longer) }
++
++ wr.write("\r\n")
++ wr.write('Content-Disposition: form-data; name="a"; filename="a.txt"')
++ wr.write("\r\n")
++ wr.write("Content-Type: text/plain\r\n")
++ wr.write("\r\na")
++ wr.write("--AaB03x--\r\n")
++ wr.close
++ rescue => err # this is EPIPE if Rack shuts us down
++ err
++ end
++ end
++
++ fixture = {
++ "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
++ "CONTENT_LENGTH" => rd.length.to_s,
++ :input => rd,
++ }
++
++ env = Rack::MockRequest.env_for '/', fixture
++ lambda {
++ Rack::Multipart.parse_multipart(env)
++ }.should.raise(EOFError)
++ rd.close
++
++ err = thr.value
++ err.should.be.instance_of Errno::EPIPE
++ wr.close
++ end
++
+ should "parse multipart upload with text file" do
+ env = Rack::MockRequest.env_for("/", multipart_fixture(:text))
+ params = Rack::Multipart.parse_multipart(env)
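Review bot: `@buf.gsub!(/\A([^\n]*\n)/, '')` in `fast_forward_to_first_boundary` can only ever substitute once because of the `\A` anchor, so `while @buf.sub!(/\A([^\n]*\n)/, '')` states the intent more clearly and does not ask the engine to keep scanning for further matches. The size guard `Utils.bytesize(@buf) >= BUFSIZE` runs only after the next `read(BUFSIZE)` chunk has been appended, so the buffer can transiently hold just under twice BUFSIZE; that is still bounded, but a short comment saying so would stop someone from "fixing" the order and breaking the line-consumption step. A method comment such as `# Read in BUFSIZE chunks instead of #gets so a boundary line with no newline cannot grow memory without limit (CVE-2013-0183)` would record the security rationale. `full_boundary` and `BUFSIZE` are defined outside the hunk; the comparison `read_buffer == full_boundary` presumably relies on `full_boundary` carrying the same line terminator that `[^\n]*\n` captures — worth confirming against its definition.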
diff --git a/debian/patches/0003-Reimplement-auth-scheme-fix.patch b/debian/patches/0003-Reimplement-auth-scheme-fix.patch
new file mode 100644
index 0000000..f5c50a2
--- /dev/null
+++ b/debian/patches/0003-Reimplement-auth-scheme-fix.patch
@@ -0,0 +1,131 @@
+From: James Tucker <jftucker at gmail.com>
+Date: Sun, 13 Jan 2013 13:10:20 -0800
+Subject: Reimplement auth scheme fix
+
+ * Add Rack::Auth.add_scheme to enable folks to fix anything that breaks
+ * Add common auth schemes, MS ones, AWS ones, etc are missing, as unlikely
+ * Checked Rails - they don't use our authorization code
+ * Checked Warden - uses rails
+ * Checked Omniauth - uses rails
+ * Checked doorkeeper - users rails
+ * Checked rack-authentication - does it's own thing
+ * Checked warden-oauth - doesn't do headers
+ * Checked devise - uses rails
+ * Checked oauth2-rack - header creation only
+ * Checked rack-oauth2-server - does it's own thing
+ * Probably missed a bunch, but that'll have to do
+
+Origin: upstream, https://github.com/rack/rack/commit/87df8796a6e4555ec8fd3817c419c6b44b7ca459
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=895384
+Bug-Debian: http://bugs.debian.org/698440
+
+---
+ lib/rack.rb | 12 ++++++++
+ lib/rack/auth/abstract/request.rb | 6 +++-
+ test/spec_auth.rb | 57 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 74 insertions(+), 1 deletion(-)
+ create mode 100644 test/spec_auth.rb
+
+diff --git a/lib/rack.rb b/lib/rack.rb
+index acfcb5a..18d5097 100644
+--- a/lib/rack.rb
++++ b/lib/rack.rb
+@@ -73,6 +73,18 @@ module Rack
+ autoload :Params, "rack/auth/digest/params"
+ autoload :Request, "rack/auth/digest/request"
+ end
++
++ # Not all of the following schemes are "standards", but they are used often.
++ @schemes = %w[basic digest bearer mac token oauth oauth2]
++
++ def self.add_scheme scheme
++ @schemes << scheme
++ @schemes.uniq!
++ end
++
++ def self.schemes
++ @schemes.dup
++ end
+ end
+
+ module Session
+diff --git a/lib/rack/auth/abstract/request.rb b/lib/rack/auth/abstract/request.rb
+index 9e15c72..c1553bf 100644
+--- a/lib/rack/auth/abstract/request.rb
++++ b/lib/rack/auth/abstract/request.rb
+@@ -21,7 +21,11 @@ module Rack
+ end
+
+ def scheme
+- @scheme ||= parts.first.downcase.to_sym
++ @scheme ||=
++ begin
++ s = parts.first.downcase
++ Rack::Auth.schemes.include?(s) ? s.to_sym : s
++ end
+ end
+
+ def params
+diff --git a/test/spec_auth.rb b/test/spec_auth.rb
+new file mode 100644
+index 0000000..6588bd1
+--- /dev/null
++++ b/test/spec_auth.rb
+@@ -0,0 +1,57 @@
++require 'rack'
++
++describe Rack::Auth do
++ it "should have all common authentication schemes" do
++ Rack::Auth.schemes.should.include? 'basic'
++ Rack::Auth.schemes.should.include? 'digest'
++ Rack::Auth.schemes.should.include? 'bearer'
++ Rack::Auth.schemes.should.include? 'token'
++ end
++
++ it "should allow registration of new auth schemes" do
++ Rack::Auth.schemes.should.not.include "test"
++ Rack::Auth.add_scheme "test"
++ Rack::Auth.schemes.should.include "test"
++ end
++end
++
++describe Rack::Auth::AbstractRequest do
++ it "should symbolize known auth schemes" do
++ env = Rack::MockRequest.env_for('/')
++ env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
++ req = Rack::Auth::AbstractRequest.new(env)
++ req.scheme.should == :basic
++
++
++ env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
++ req = Rack::Auth::AbstractRequest.new(env)
++ req.scheme.should == :digest
++
++ env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
++ req = Rack::Auth::AbstractRequest.new(env)
++ req.scheme.should == :bearer
++
++ env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
++ req = Rack::Auth::AbstractRequest.new(env)
++ req.scheme.should == :mac
++
++ env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
++ req = Rack::Auth::AbstractRequest.new(env)
++ req.scheme.should == :token
++
++ env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
++ req = Rack::Auth::AbstractRequest.new(env)
++ req.scheme.should == :oauth
++
++ env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
++ req = Rack::Auth::AbstractRequest.new(env)
++ req.scheme.should == :oauth2
++ end
++
++ it "should not symbolize unknown auth schemes" do
++ env = Rack::MockRequest.env_for('/')
++ env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
++ req = Rack::Auth::AbstractRequest.new(env)
++ req.scheme.should == "magic"
++ end
++end
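Review bot: `Rack::Auth.add_scheme` stores the scheme exactly as given, but `AbstractRequest#scheme` downcases the header token before the `Rack::Auth.schemes.include?(s)` lookup, so a caller registering `"NTLM"` or `"Negotiate"` never gets a symbol back and the registration silently does nothing. Normalize on the way in: `@schemes << scheme.to_s.downcase`, and extend the `should allow registration of new auth schemes` test with a mixed-case registration. The whitelist is what keeps `to_sym` off attacker-controlled header values (symbols were not garbage collected on the Ruby versions of the time), so a comment on the `scheme` method such as `# Only symbolize registered schemes; unknown schemes stay strings so a client cannot create unbounded symbols (CVE-2013-0184)` would record why the string fallback is intentional. `parts` and the rest of AbstractRequest are outside the hunk, so the pre-existing behaviour when no Authorization header is present is not visible here.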
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..ca14375
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,3 @@
+0001-Fix-parsing-performance-for-unquoted-filenames.patch
+0002-multipart-parser-avoid-unbounded-gets-method.patch
+0003-Reimplement-auth-scheme-fix.patch