[DRE-commits] [SCM] ruby-rack.git branch, master, updated. debian/1.4.1-2.1-9-g0dd441a
Antonio Terceiro
terceiro at debian.org
Tue Jun 4 01:14:01 UTC 2013
The following commit has been merged in the master branch:
commit 672280481cdc246168a5a74ff091e3e91c349374
Author: Antonio Terceiro <terceiro at debian.org>
Date: Mon Jun 3 21:31:20 2013 -0300
Remove patches, all already applied upstream
diff --git a/debian/patches/0004-Prevent-symlink-path-traversals.patch b/debian/patches/0004-Prevent-symlink-path-traversals.patch
deleted file mode 100644
index 3708946..0000000
--- a/debian/patches/0004-Prevent-symlink-path-traversals.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Description: Prevent symlink path traversals
- rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5
- allows attackers to access arbitrary files outside the intended root
- directory via a crafted PATH_INFO environment variable, probably a directory
- traversal vulnerability that is remotely exploitable, aka "symlink path traversals."
-
-Origin: upstream, https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30
-Bug: https://security-tracker.debian.org/tracker/CVE-2013-0262
-Bug-Debian: http://bugs.debian.org/700173
-
-Index: ruby-rack/lib/rack/file.rb
-===================================================================
---- ruby-rack.orig/lib/rack/file.rb 2013-02-20 21:36:40.000000000 +0900
-+++ ruby-rack/lib/rack/file.rb 2013-02-20 21:39:58.265999186 +0900
-@@ -40,19 +40,14 @@
- @path_info = Utils.unescape(env["PATH_INFO"])
- parts = @path_info.split SEPS
-
-- parts.inject(0) do |depth, part|
-- case part
-- when '', '.'
-- depth
-- when '..'
-- return fail(404, "Not Found") if depth - 1 < 0
-- depth - 1
-- else
-- depth + 1
-- end
-+ clean = []
-+
-+ parts.each do |part|
-+ next if part.empty? || part == '.'
-+ part == '..' ? clean.pop : clean << part
- end
-
-- @path = F.join(@root, *parts)
-+ @path = F.join(@root, *clean)
-
- available = begin
- F.file?(@path) && F.readable?(@path)
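Review bot: dropping this patch removes the package's only in-tree record of the CVE-2013-0262 fix (Origin: upstream commit 6f237e4c9fab649d3750482514f0fde76c56ab30, Bug-Debian #700173), so the commit should name the upstream release that now carries it; the deleted Description states 1.4.x before 1.4.5 is affected, so the packaged version must be at least 1.4.5 before this deletion is safe. Worth noting while it is still visible: the old `inject` loop returned `fail(404, "Not Found")` when `..` underflowed the root, while the upstream replacement uses `clean.pop` on an empty array, which silently discards the extra `..` segment instead of returning 404; a regression test that requests a path with more `..` segments than directory depth would confirm the packaged Rack::File still never resolves outside `@root`.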
diff --git a/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch b/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch
deleted file mode 100644
index 15905b1..0000000
--- a/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-Description: Use secure compare for hmac comparison
- Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5,
- 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows
- remote attackers to guess the session cookie, gain privileges, and
- execute arbitrary code via a timing attack involving am HMAC
- comparison function that does not run in constant time.
-
-Origin: upstream,
- https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07,
- https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
-Bug: https://security-tracker.debian.org/tracker/CVE-2013-0263
-Bug-Debian: http://bugs.debian.org/700226
-
-Index: ruby-rack/lib/rack/session/cookie.rb
-===================================================================
---- ruby-rack.orig/lib/rack/session/cookie.rb 2013-02-11 15:09:25.000000000 +0900
-+++ ruby-rack/lib/rack/session/cookie.rb 2013-02-20 23:11:19.091085974 +0900
-@@ -108,7 +108,7 @@
-
- if session_data && digest
- ok = @secrets.any? do |secret|
-- secret && digest == generate_hmac(session_data, secret)
-+ secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret))
- end
- end
-
-Index: ruby-rack/lib/rack/utils.rb
-===================================================================
---- ruby-rack.orig/lib/rack/utils.rb 2013-02-11 15:09:25.000000000 +0900
-+++ ruby-rack/lib/rack/utils.rb 2013-02-20 23:12:39.171087876 +0900
-@@ -336,6 +336,18 @@
- end
- module_function :byte_ranges
-
-+ # Constant time string comparison.
-+ def secure_compare(a, b)
-+ return false unless bytesize(a) == bytesize(b)
-+
-+ l = a.unpack("C*")
-+
-+ r, i = 0, -1
-+ b.each_byte { |v| r |= v ^ l[i+=1] }
-+ r == 0
-+ end
-+ module_function :secure_compare
-+
- # Context allows the use of a compatible middleware at different points
- # in a request handling stack. A compatible middleware must define
- # #context which should take the arguments env and app. The first of which
-Index: ruby-rack/test/spec_utils.rb
-===================================================================
---- ruby-rack.orig/test/spec_utils.rb 2013-02-11 15:09:25.000000000 +0900
-+++ ruby-rack/test/spec_utils.rb 2013-02-20 23:13:55.627089693 +0900
-@@ -322,6 +322,11 @@
- Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6
- end
-
-+ should "should perform constant time string comparison" do
-+ Rack::Utils.secure_compare('a', 'a').should.equal true
-+ Rack::Utils.secure_compare('a', 'b').should.equal false
-+ end
-+
- should "return status code for integer" do
- Rack::Utils.status_code(200).should.equal 200
- end
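Review bot: same verification gap as for the previous file: the deleted Description says 1.4.x before 1.4.5 is vulnerable to CVE-2013-0263 (Bug-Debian #700226), so the changelog entry for this upload should state the upstream version that includes commits 0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 and 9a81b961457805f6d1a5c275d053068440421e11, and `Rack::Utils.secure_compare` should be confirmed present in the imported tree. The spec being removed here only asserts `secure_compare('a', 'a')` and `secure_compare('a', 'b')`, i.e. correctness, not timing behaviour; since the cookie.rb hunk relies on it to replace `digest == generate_hmac(...)`, it would be worth checking that upstream's test suite at the new version still covers that call site. The accompanying deletion of debian/patches/series (index e69de29, the empty blob) leaves no patch series at all, which matches the commit message but means any future Debian-specific change will need the file recreated.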
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index e69de29..0000000