[DRE-commits] [SCM] ruby-rack.git branch, master, updated. debian/1.4.1-2.1-9-g0dd441a

Antonio Terceiro terceiro at debian.org
Tue Jun 4 01:14:01 UTC 2013


The following commit has been merged in the master branch:
commit 672280481cdc246168a5a74ff091e3e91c349374
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Mon Jun 3 21:31:20 2013 -0300

    Remove patches; all are already applied upstream

diff --git a/debian/patches/0004-Prevent-symlink-path-traversals.patch b/debian/patches/0004-Prevent-symlink-path-traversals.patch
deleted file mode 100644
index 3708946..0000000
--- a/debian/patches/0004-Prevent-symlink-path-traversals.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Description: Prevent symlink path traversals
- rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5
- allows attackers to access arbitrary files outside the intended root
- directory via a crafted PATH_INFO environment variable, probably a directory
- traversal vulnerability that is remotely exploitable, aka "symlink path traversals."
-
-Origin: upstream, https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30
-Bug: https://security-tracker.debian.org/tracker/CVE-2013-0262
-Bug-Debian: http://bugs.debian.org/700173
-
-Index: ruby-rack/lib/rack/file.rb
-===================================================================
---- ruby-rack.orig/lib/rack/file.rb	2013-02-20 21:36:40.000000000 +0900
-+++ ruby-rack/lib/rack/file.rb	2013-02-20 21:39:58.265999186 +0900
-@@ -40,19 +40,14 @@
-       @path_info = Utils.unescape(env["PATH_INFO"])
-       parts = @path_info.split SEPS
- 
--      parts.inject(0) do |depth, part|
--        case part
--        when '', '.'
--          depth
--        when '..'
--          return fail(404, "Not Found") if depth - 1 < 0
--          depth - 1
--        else
--          depth + 1
--        end
-+      clean = []
-+
-+      parts.each do |part|
-+        next if part.empty? || part == '.'
-+        part == '..' ? clean.pop : clean << part
-       end
- 
--      @path = F.join(@root, *parts)
-+      @path = F.join(@root, *clean)
- 
-       available = begin
-         F.file?(@path) && F.readable?(@path)
diff --git a/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch b/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch
deleted file mode 100644
index 15905b1..0000000
--- a/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-Description: Use secure compare for hmac comparison
- Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5,
- 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows
- remote attackers to guess the session cookie, gain privileges, and
- execute arbitrary code via a timing attack involving am HMAC
- comparison function that does not run in constant time.
-
-Origin: upstream,
- https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07,
- https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
-Bug: https://security-tracker.debian.org/tracker/CVE-2013-0263
-Bug-Debian: http://bugs.debian.org/700226
-
-Index: ruby-rack/lib/rack/session/cookie.rb
-===================================================================
---- ruby-rack.orig/lib/rack/session/cookie.rb	2013-02-11 15:09:25.000000000 +0900
-+++ ruby-rack/lib/rack/session/cookie.rb	2013-02-20 23:11:19.091085974 +0900
-@@ -108,7 +108,7 @@
- 
-             if session_data && digest
-               ok = @secrets.any? do |secret|
--                secret && digest == generate_hmac(session_data, secret)
-+                secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))
-               end
-             end
- 
-Index: ruby-rack/lib/rack/utils.rb
-===================================================================
---- ruby-rack.orig/lib/rack/utils.rb	2013-02-11 15:09:25.000000000 +0900
-+++ ruby-rack/lib/rack/utils.rb	2013-02-20 23:12:39.171087876 +0900
-@@ -336,6 +336,18 @@
-     end
-     module_function :byte_ranges
- 
-+    # Constant time string comparison.
-+    def secure_compare(a, b)
-+      return false unless bytesize(a) == bytesize(b)
-+
-+      l = a.unpack("C*")
-+
-+      r, i = 0, -1
-+      b.each_byte { |v| r |= v ^ l[i+=1] }
-+      r == 0
-+    end
-+    module_function :secure_compare
-+
-     # Context allows the use of a compatible middleware at different points
-     # in a request handling stack. A compatible middleware must define
-     # #context which should take the arguments env and app. The first of which
-Index: ruby-rack/test/spec_utils.rb
-===================================================================
---- ruby-rack.orig/test/spec_utils.rb	2013-02-11 15:09:25.000000000 +0900
-+++ ruby-rack/test/spec_utils.rb	2013-02-20 23:13:55.627089693 +0900
-@@ -322,6 +322,11 @@
-     Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
-   end
- 
-+  should "should perform constant time string comparison" do
-+    Rack::Utils.secure_compare('a', 'a').should.equal true
-+    Rack::Utils.secure_compare('a', 'b').should.equal false
-+  end
-+
-   should "return status code for integer" do
-     Rack::Utils.status_code(200).should.equal 200
-   end
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index e69de29..0000000
