[DRE-commits] [ruby-activesupport-3.2] 02/03: [CVE-2013-4389] Fix Possible DoS Vulnerability in Action Mailer
Ondrej Sury
ondrej at moszumanska.debian.org
Wed Feb 12 13:31:33 UTC 2014
This is an automated email from the git hooks/post-receive script.
ondrej pushed a commit to branch master-wheezy
in repository ruby-activesupport-3.2.
commit c3617e8f18fd2e5b1a9815816f2c5e524909c56b
Author: Ondřej Surý <ondrej at sury.org>
Date: Thu Dec 5 12:03:46 2013 +0100
[CVE-2013-4389] Fix Possible DoS Vulnerability in Action Mailer
---
debian/patches/CVE-2013-4389.patch | 21 +++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 22 insertions(+)
diff --git a/debian/patches/CVE-2013-4389.patch b/debian/patches/CVE-2013-4389.patch
new file mode 100644
index 0000000..6d7cb07
--- /dev/null
+++ b/debian/patches/CVE-2013-4389.patch
@@ -0,0 +1,21 @@
+From 5aee516b5edb49d7206cd9815c13a78b6b16c5d9 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Mon, 23 Sep 2013 10:17:58 +1200
+Subject: [PATCH] Remove the use of String#% when formatting durations in log
+ messages
+
+This avoids potential format string vulnerabilities where user-provided
+data is interpolated into the log message before String#% is called.
+
+--- ruby-activesupport-3.2.orig/lib/active_support/log_subscriber.rb
++++ ruby-activesupport-3.2/lib/active_support/log_subscriber.rb
+@@ -118,5 +118,9 @@ module ActiveSupport
+ bold = bold ? BOLD : ""
+ "#{bold}#{color}#{text}#{CLEAR}"
+ end
++
++ def format_duration(duration)
++ "%.1fms" % duration
++ end
+ end
+ end
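Review bot: the nested patch adds a `format_duration` helper with a literal format string to `ActiveSupport::LogSubscriber` but changes no call site, while its subject says the fix is to remove the use of `String#%` when formatting durations in Action Mailer log messages; on its own this file leaves those messages untouched. Since this is commit 02/03, please confirm that the companion actionmailer change actually switches the mailer log subscriber over to this helper, otherwise the CVE-2013-4389 fix is incomplete in the installed packages. A one-line comment above `format_duration` stating that the left-hand side of `%` must stay a literal would also help keep a later edit from reintroducing interpolated data into the format string.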
diff --git a/debian/patches/series b/debian/patches/series
index 3416ec5..0633dc7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
CVE-2012-3464.patch
CVE-2013-0156.patch
CVE-2013-1856.patch
+CVE-2013-4389.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-activesupport-3.2.git