[DRE-commits] [ruby-actionmailer-3.2] 02/03: [CVE-2013-4389] Fix Possible DoS Vulnerability in Action Mailer

Ondrej Sury ondrej at moszumanska.debian.org
Wed Feb 12 13:31:50 UTC 2014


This is an automated email from the git hooks/post-receive script.

ondrej pushed a commit to branch master-wheezy
in repository ruby-actionmailer-3.2.

commit 39376b957452ab0d6235024f3b262a42ef158af8
Author: Ondřej Surý <ondrej at sury.org>
Date:   Thu Dec 5 11:58:19 2013 +0100

    [CVE-2013-4389] Fix Possible DoS Vulnerability in Action Mailer
---
 debian/patches/CVE-2013-4389.patch | 33 +++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 34 insertions(+)

diff --git a/debian/patches/CVE-2013-4389.patch b/debian/patches/CVE-2013-4389.patch
new file mode 100644
index 0000000..f802e0b
--- /dev/null
+++ b/debian/patches/CVE-2013-4389.patch
@@ -0,0 +1,33 @@
+From 5aee516b5edb49d7206cd9815c13a78b6b16c5d9 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Mon, 23 Sep 2013 10:17:58 +1200
+Subject: [PATCH] Remove the use of String#% when formatting durations in log
+ messages
+
+This avoids potential format string vulnerabilities where user-provided
+data is interpolated into the log message before String#% is called.
+
+--- ruby-actionmailer-3.2.orig/lib/action_mailer/log_subscriber.rb
++++ ruby-actionmailer-3.2/lib/action_mailer/log_subscriber.rb
+@@ -4,12 +4,12 @@ module ActionMailer
+   class LogSubscriber < ActiveSupport::LogSubscriber
+     def deliver(event)
+       recipients = Array.wrap(event.payload[:to]).join(', ')
+-      info("\nSent mail to #{recipients} (%1.fms)" % event.duration)
++      info("\nSent mail to #{recipients} (#{format_duration(event.duration)})")
+       debug(event.payload[:mail])
+     end
+ 
+     def receive(event)
+-      info("\nReceived mail (%.1fms)" % event.duration)
++      info("\nReceived mail (#{format_duration(event.duration)})")
+       debug(event.payload[:mail])
+     end
+ 
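Review bot: `format_duration` is called in both replacement lines (`+      info("\nSent mail to #{recipients} (#{format_duration(event.duration)})")` and its `receive` counterpart) but no hunk in this patch defines it; lines 14-18 of log_subscriber.rb fall outside the shown context and the following hunk at line 19 only touches the closing `end`s. Unless the method already exists in the Debian 3.2 source, every delivery would raise NoMethodError inside the log subscriber, so the patch should carry the helper's definition (or interpolate `event.duration` directly) and say where it comes from. The substance of the fix is sound: with the duration moved into string interpolation, `recipients`, built from the `:to` payload, is no longer part of the template handed to `String#%`, so a `%` sequence in an address can no longer make the formatter raise; it also removes the inconsistency between the old `%1.f` in `deliver` and `%.1f` in `receive`. One documentation point on the header: it reproduces the upstream author, date and commit id, yet the file paths (`ruby-actionmailer-3.2.orig/...`) show the diff was regenerated against the Debian tree, so a DEP-3 `Origin:` line marking it as a backport of that commit would make the provenance explicit.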
+@@ -19,4 +19,4 @@ module ActionMailer
+   end
+ end
+ 
+-ActionMailer::LogSubscriber.attach_to :action_mailer
+\ No newline at end of file
++ActionMailer::LogSubscriber.attach_to :action_mailer
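Review bot: this hunk only adds the missing trailing newline after `ActionMailer::LogSubscriber.attach_to :action_mailer`, a whitespace-only change unrelated to CVE-2013-4389 that makes the security patch noisier to audit and to rebase. Dropping it from CVE-2013-4389.patch keeps the fix minimal; if it is needed for the patch to apply cleanly, a sentence in the patch header saying so would avoid the question on the next review.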
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..6e46c82
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2013-4389.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-actionmailer-3.2.git


