[DRE-commits] [ruby-rack] 01/01: Update debian/changelog
Youhei SASAKI
uwabami-guest at moszumanska.debian.org
Thu Jul 30 09:37:47 UTC 2015
This is an automated email from the git hooks/post-receive script.
uwabami-guest pushed a commit to branch master-1.5.2-jessie
in repository ruby-rack.
commit c39bf7d35f71c22957b8c73412d727eb462e8f54
Author: Youhei SASAKI <uwabami at gfd-dennou.org>
Date: Thu Jul 30 18:27:22 2015 +0900
Update debian/changelog
Signed-off-by: Youhei SASAKI <uwabami at gfd-dennou.org>
---
debian/changelog | 12 ++++++++----
...5-deep_params.patch => 0001-Fix-Params_Depth.patch} | 18 +++++-------------
debian/patches/series | 2 +-
3 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index cff7dc3..a01cec0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,11 @@
-ruby-rack (1.5.2-4) unstable; urgency=medium
-
- * Create cherry-picked patch for Security Fix (Closes: #789311)
- - CVE-2015-3225: 1-4-deep_params.patch
+ruby-rack (1.5.2-3+deb8u1) unstable; urgency=high
+
+ * Create cherry-picked patch for Security Fix (Closes: #789311).
+ - CVE-2015-3225: 0001-Fix-Params_Depth.patch
+ Default depth at which the parameter parser will raise an exception
+ for being too deep, allows remote attackers to cause a denial of
+ service (SystemStackError) via a request with a large parameter
+ depth.
-- Youhei SASAKI <uwabami at gfd-dennou.org> Wed, 29 Jul 2015 17:12:00 +0900
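Review bot: the new header line "ruby-rack (1.5.2-3+deb8u1) unstable; urgency=high" pairs a +deb8u1 version with the "unstable" distribution. The version suffix and the branch name (master-1.5.2-jessie) both point at a jessie update, so the distribution field should name the jessie suite this upload is intended for rather than unstable. Separately, the added CVE-2015-3225 description reads as if the default depth limit were itself the flaw. Suggest wording it as the fix: the parameter parser now raises an exception past a default depth, where previously a request with a large parameter depth caused a denial of service (SystemStackError). The unchanged trailer still carries the 29 Jul 2015 timestamp and may need refreshing for the renamed version.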
diff --git a/debian/patches/1-5-deep_params.patch b/debian/patches/0001-Fix-Params_Depth.patch
similarity index 85%
rename from debian/patches/1-5-deep_params.patch
rename to debian/patches/0001-Fix-Params_Depth.patch
index deec66e..c825bfb 100644
--- a/debian/patches/1-5-deep_params.patch
+++ b/debian/patches/0001-Fix-Params_Depth.patch
@@ -1,7 +1,6 @@
-From fa15479e232663b2b5b048155b8e74228ab75d7e Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson () gmail com>
Date: Tue, 20 Jan 2015 14:30:13 -0800
-Subject: [PATCH] raise an exception if the parameters are too deep
+Subject: raise an exception if the parameters are too deep
CVE-2015-3225
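Review bot: removing the "From fa15479e232663b2b5b048155b8e74228ab75d7e" line at the top of the patch header drops the only reference in this file to the commit the fix was cherry-picked from. Suggest keeping that provenance in the header, for example as a DEP-3 "Origin:" field carrying that commit id, so the security patch can still be compared against its source when it is refreshed or audited.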
@@ -13,11 +12,9 @@ Conflicts:
test/spec_utils.rb | 12 ++++++++++++
2 files changed, 23 insertions(+), 4 deletions(-)
-diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb
-index 561e46e..a163c49 100644
--- a/lib/rack/utils.rb
+++ b/lib/rack/utils.rb
-@@ -52,12 +52,17 @@ module Rack
+@@ -52,12 +52,17 @@
class << self
attr_accessor :key_space_limit
@@ -35,7 +32,7 @@ index 561e46e..a163c49 100644
# Stolen from Mongrel, with some small modifications:
# Parses a query string by breaking it up at the '&'
# and ';' characters. You can also use this to parse
-@@ -100,7 +105,9 @@ module Rack
+@@ -100,7 +105,9 @@
end
module_function :parse_nested_query
@@ -46,7 +43,7 @@ index 561e46e..a163c49 100644
name =~ %r(\A[\[\]]*([^\[\]]+)\]*)
k = $1 || ''
after = $' || ''
-@@ -118,14 +125,14 @@ module Rack
+@@ -118,14 +125,14 @@
params[k] ||= []
raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array)
if params_hash_type?(params[k].last) && !params[k].last.key?(child_key)
@@ -64,11 +61,9 @@ index 561e46e..a163c49 100644
end
return params
-diff --git a/test/spec_utils.rb b/test/spec_utils.rb
-index 622b8ff..c1a2207 100644
--- a/test/spec_utils.rb
+++ b/test/spec_utils.rb
-@@ -123,6 +123,18 @@ describe Rack::Utils do
+@@ -123,6 +123,18 @@
Rack::Utils.parse_query(",foo=bar;,", ";,").should.equal "foo" => "bar"
end
@@ -87,6 +82,3 @@ index 622b8ff..c1a2207 100644
should "parse nested query strings correctly" do
Rack::Utils.parse_nested_query("foo").
should.equal "foo" => nil
---
-2.2.1
-
diff --git a/debian/patches/series b/debian/patches/series
index f8c3b4b..3a39f9c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1 @@
-1-5-deep_params.patch
+0001-Fix-Params_Depth.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-rack.git