[DRE-commits] [SCM] ruby-activesupport-3.2.git branch, master, updated. debian/3.2.6-5-3-g199e2a4

Ondřej Surý ondrej at sury.org
Tue Mar 19 08:58:30 UTC 2013


The following commit has been merged in the master branch:
commit 46f292913aa4d03b7687a926d540fd256a27ba86
Author: Ondřej Surý <ondrej at sury.org>
Date:   Tue Mar 19 09:39:29 2013 +0100

    [CVE-2013-1856]: Fix XML Parsing Vulnerability affecting JRuby users

diff --git a/debian/patches/CVE-2013-1856.patch b/debian/patches/CVE-2013-1856.patch
new file mode 100644
index 0000000..e4d92cc
--- /dev/null
+++ b/debian/patches/CVE-2013-1856.patch
@@ -0,0 +1,38 @@
+diff --git a/lib/active_support/xml_mini/jdom.rb b/lib/active_support/xml_mini/jdom.rb
+index 6c222b8..8d23ce4 100644
+--- a/lib/active_support/xml_mini/jdom.rb
++++ b/lib/active_support/xml_mini/jdom.rb
+@@ -38,6 +38,12 @@ module ActiveSupport
+         {}
+       else
+         @dbf = DocumentBuilderFactory.new_instance
++        # secure processing of java xml
++        # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
++        @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
++        @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
++        @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
++        @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
+         xml_string_reader = StringReader.new(data)
+         xml_input_source = InputSource.new(xml_string_reader)
+         doc = @dbf.new_document_builder.parse(xml_input_source)
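Review bot: the four `@dbf.setFeature(...)` calls added before `StringReader.new(data)` are not guarded, and `DocumentBuilderFactory#setFeature` raises `ParserConfigurationException` when the underlying JAXP implementation does not recognise a feature URI; the first three are Xerces/Apache-specific names, so on a non-Xerces parser this method will now raise on every parse instead of falling back to the previous behaviour. That is arguably the right fail-closed outcome, but it should be deliberate: either rescue the exception and re-raise with a message that says the parser cannot be configured securely, or document that JDOM support now requires a parser that honours these features. The combination itself is correct, and worth keeping as is: `FEATURE_SECURE_PROCESSING` alone only limits entity expansion and does not stop external DTD or external entity resolution, which is why the explicit `load-external-dtd` and `external-general-entities` / `external-parameter-entities` settings are needed.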
+diff --git a/test/fixtures/xml/jdom_doctype.dtd b/test/fixtures/xml/jdom_doctype.dtd
+new file mode 100644
+index 0000000..8948049
+--- /dev/null
++++ b/test/fixtures/xml/jdom_doctype.dtd
+@@ -0,0 +1 @@
++<!ENTITY a "external entity">
+diff --git a/test/fixtures/xml/jdom_entities.txt b/test/fixtures/xml/jdom_entities.txt
+new file mode 100644
+index 0000000..0337fda
+--- /dev/null
++++ b/test/fixtures/xml/jdom_entities.txt
+@@ -0,0 +1 @@
++<!ENTITY a "hello">
+diff --git a/test/fixtures/xml/jdom_include.txt b/test/fixtures/xml/jdom_include.txt
+new file mode 100644
+index 0000000..239ca3a
+--- /dev/null
++++ b/test/fixtures/xml/jdom_include.txt
+@@ -0,0 +1,1 @@
++include me
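Review bot: the three new fixtures (`jdom_doctype.dtd`, `jdom_entities.txt`, `jdom_include.txt`) are added but nothing in this patch references them; the test that exercises them against `ActiveSupport::XmlMini_JDOM` is not included, so the change ships without a regression test and the fixtures are dead files in the Debian package. Either carry the corresponding upstream test over into the patch alongside the fixtures, or drop the fixtures from the Debian patch to keep it minimal. Minor style point: the last fixture uses `@@ -0,0 +1,1 @@` while the two before it use `@@ -0,0 +1 @@`; both are valid, but quilt and `git apply` are happier with consistent hunk headers when a patch is later refreshed.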
diff --git a/debian/patches/series b/debian/patches/series
index 2d3de0f..3416ec5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 CVE-2012-3464.patch
 CVE-2013-0156.patch
+CVE-2013-1856.patch
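Review bot: this commit adds `CVE-2013-1856.patch` to `debian/patches/series` but touches no `debian/changelog` entry, so the CVE identifier in the commit subject is not yet recorded anywhere the security tracker or package users will see it; make sure the accompanying changelog commit names CVE-2013-1856 explicitly so the fix is traceable from the package version. The series ordering is fine: the new patch is appended after `CVE-2013-0156.patch` and the two touch different files, so there is no application-order dependency between them.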

-- 
ruby-activesupport-3.2.git