[DRE-commits] [ruby-actionpack-3.2] 03/03: CVE-2014-0081 + CVE-2014-0082
Antonio Terceiro
terceiro at moszumanska.debian.org
Wed May 14 17:58:04 UTC 2014
This is an automated email from the git hooks/post-receive script.
terceiro pushed a commit to branch master-wheezy
in repository ruby-actionpack-3.2.
commit afc324e70822d8a99c4f52c7ba56c6345c8f65f7
Author: Antonio Terceiro <terceiro at debian.org>
Date: Wed May 14 10:00:21 2014 -0300
CVE-2014-0081 + CVE-2014-0082
---
debian/changelog | 4 +++
debian/patches/CVE-2014-0081.patch | 66 ++++++++++++++++++++++++++++++++++++++
debian/patches/CVE-2014-0082.patch | 33 +++++++++++++++++++
debian/patches/series | 2 ++
4 files changed, 105 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 2318865..8ddc706 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
ruby-actionpack-3.2 (3.2.6-6+deb7u2) wheezy-security; urgency=medium
+ * [CVE-2014-0081] XSS Vulnerability in number_to_currency,
+ number_to_percentage and number_to_human
+ * [CVE-2014-0082] Denial of Service Vulnerability in Action View when using
+ render :text
* [CVE-2014-0130] Directory Traversal Vulnerability With Certain Route
Configurations (Closes: #747641)
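Review bot: Neither new entry points at the upstream fix it backports, whereas the CVE-2014-0130 entry at least closes #747641; noting the upstream commit id next to each CVE (af9cac1d3 for CVE-2014-0081, f103fe603 for CVE-2014-0082, both visible in the patch headers below) makes the backport traceable. Also, CVE-2014-0081.patch changes number_with_delimiter as well as the three helpers named here; that is covered because the named helpers delegate to it, but it is worth a word in the entry.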
diff --git a/debian/patches/CVE-2014-0081.patch b/debian/patches/CVE-2014-0081.patch
new file mode 100644
index 0000000..5f2f32e
--- /dev/null
+++ b/debian/patches/CVE-2014-0081.patch
@@ -0,0 +1,66 @@
+From af9cac1d311f6564a2927c23f42e7194e4a189ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfranca at gmail.com>
+Date: Tue, 11 Feb 2014 23:29:27 -0200
+Subject: [PATCH] Escape format, negative_format and units options of number
+ helpers
+
+Previously the values of these options were trusted leading to
+potential XSS vulnerabilities.
+
+Fixes: CVE-2014-0081
+---
+ .../lib/action_view/helpers/number_helper.rb | 14 +++++-
+ actionpack/test/template/number_helper_test.rb | 51 ++++++++++++++++++++++
+ 2 files changed, 64 insertions(+), 1 deletion(-)
+
+--- a/lib/action_view/helpers/number_helper.rb
++++ b/lib/action_view/helpers/number_helper.rb
+@@ -126,12 +126,18 @@ module ActionView
+
+ options.symbolize_keys!
+
++ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
++ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
++ options[:format] = ERB::Util.html_escape(options[:format]) if options[:format]
++ options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
++
+ defaults = I18n.translate(:'number.format', :locale => options[:locale], :default => {})
+ currency = I18n.translate(:'number.currency.format', :locale => options[:locale], :default => {})
+ currency[:negative_format] ||= "-" + currency[:format] if currency[:format]
+
+ defaults = DEFAULT_CURRENCY_VALUES.merge(defaults).merge!(currency)
+ defaults[:negative_format] = "-" + options[:format] if options[:format]
++
+ options = defaults.merge!(options)
+
+ unit = options.delete(:unit)
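Review bot: The diffstat at the top of the embedded patch lists actionpack/test/template/number_helper_test.rb (51 lines) but the body only carries the number_helper.rb hunks, so the upstream regression tests for the escaping were dropped in the backport; either carry them too or trim the diffstat so it matches the body. On the hunk itself the escaping runs before `defaults[:negative_format] = "-" + options[:format] if options[:format]`, so a negative_format derived from a caller-supplied format is escaped as well, which is the order you want.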
+@@ -188,6 +194,9 @@ module ActionView
+
+ options.symbolize_keys!
+
++ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
++ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
++
+ defaults = I18n.translate(:'number.format', :locale => options[:locale], :default => {})
+ percentage = I18n.translate(:'number.percentage.format', :locale => options[:locale], :default => {})
+ defaults = defaults.merge(percentage)
+@@ -232,6 +241,9 @@ module ActionView
+ def number_with_delimiter(number, options = {})
+ options.symbolize_keys!
+
++ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
++ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
++
+ begin
+ Float(number)
+ rescue ArgumentError, TypeError
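Review bot: number_to_currency and number_to_percentage escape :delimiter and :separator before delegating to number_with_precision/number_with_delimiter, so these two values reach this hunk already escaped and are passed through html_escape a second time. That is only safe because ActiveSupport's ERB::Util.html_escape returns an html_safe string untouched; with the stock Ruby ERB::Util a delimiter of "&" would come out as "&amp;amp;". A test asserting single escaping through the nested call would pin that behaviour down.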
+@@ -507,7 +519,7 @@ module ActionView
+ units = options.delete :units
+ unit_exponents = case units
+ when Hash
+- units
++ units = Hash[units.map { |k, v| [k, ERB::Util.html_escape(v)] }]
+ when String, Symbol
+ I18n.translate(:"#{units}", :locale => options[:locale], :raise => true)
+ when nil
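Review bot: The assignment inside the `when Hash` branch, `units = Hash[units.map { |k, v| [k, ERB::Util.html_escape(v)] }]`, looks odd in a case expression but is deliberate: `units` is read again further down to pick the unit label for the chosen exponent, so the escaped hash has to replace the original. A one-line comment would save the next reader the same detour. Only hash values are escaped; keys are lookup symbols, and the String/Symbol branch reads from I18n locale files, which are treated as trusted, so the scope matches the CVE description. Note that html_escape(nil) yields "", so a nil unit value becomes an empty string.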
diff --git a/debian/patches/CVE-2014-0082.patch b/debian/patches/CVE-2014-0082.patch
new file mode 100644
index 0000000..c488eef
--- /dev/null
+++ b/debian/patches/CVE-2014-0082.patch
@@ -0,0 +1,33 @@
+From f103fe6031a1e36000d4dc430a3b130d381b2c0e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfranca at gmail.com>
+Date: Tue, 11 Feb 2014 22:56:50 -0200
+Subject: [PATCH] Use the reference for the mime type to get the format
+
+Before we were calling to_sym in the mime type, even when it is unknown
+what can cause denial of service since symbols are not removed by the
+garbage collector.
+
+Fixes: CVE-2014-0082
+---
+ actionpack/lib/action_view/template/text.rb | 2 +-
+ actionpack/test/template/text_test.rb | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 actionpack/test/template/text_test.rb
+
+diff --git a/lib/action_view/template/text.rb b/actionpack/lib/action_view/template/text.rb
+index 4261c3b..d90e43b 100644
+--- a/lib/action_view/template/text.rb
++++ b/lib/action_view/template/text.rb
+@@ -23,7 +23,7 @@ module ActionView #:nodoc:
+ end
+
+ def formats
+- [@mime_type.to_sym]
++ [@mime_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
+ end
+ end
+ end
+--
+1.8.4.3
+
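Review bot: The embedded `diff --git a/lib/action_view/template/text.rb b/actionpack/lib/action_view/template/text.rb` header has mismatched a/ and b/ paths (only b/ keeps the actionpack/ prefix); quilt goes by the ---/+++ pair, which is consistent, so it applies, but the header should be made to match. As in the other patch, the diffstat lists actionpack/test/template/text_test.rb (`create mode 100644`) while the test file itself is not included. The change itself is correct: Mime::Type#ref returns the registered symbol when one exists and the string otherwise, so an unregistered type taken from a request no longer interns a fresh symbol that the garbage collector cannot reclaim, and the respond_to? guard keeps a plain String @mime_type working.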
diff --git a/debian/patches/series b/debian/patches/series
index 2d1a6e1..f7fde32 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,4 +9,6 @@ CVE-2013-6414.patch
CVE-2013-6415.patch
CVE-2013-6417.patch
CVE-2013-4389.patch
+CVE-2014-0081.patch
+CVE-2014-0082.patch
CVE-2014-0130.patch
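Review bot: CVE-2014-0081.patch is applied after CVE-2013-6415.patch, which also modified number_to_currency in number_helper.rb; the new hunk's context (`unit = options.delete(:unit)`) matches that state, but confirm that `quilt push -a` applies all four hunks of CVE-2014-0081.patch without fuzz or offset warnings before upload.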
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-actionpack-3.2.git