[DRE-commits] [ruby-bson] 01/02: Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)
Prach Pongpanich
prach-guest at moszumanska.debian.org
Sun Nov 15 07:43:28 UTC 2015
This is an automated email from the git hooks/post-receive script.
prach-guest pushed a commit to branch master
in repository ruby-bson.
commit 517b42897cf69dd7387aa2ae7cc92a497e280841
Author: Prach Pongpanich <prach at debian.org>
Date: Sun Nov 15 12:12:42 2015 +0700
Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)
---
debian/patches/Update_BSON_ObjectId_validation.patch | 18 ++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 19 insertions(+)
diff --git a/debian/patches/Update_BSON_ObjectId_validation.patch b/debian/patches/Update_BSON_ObjectId_validation.patch
new file mode 100644
index 0000000..559932b
--- /dev/null
+++ b/debian/patches/Update_BSON_ObjectId_validation.patch
@@ -0,0 +1,18 @@
+From bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade Mon Sep 17 00:00:00 2001
+From: Emily Stolfo <emily at 10gen.com>
+Date: Thu, 4 Jun 2015 11:19:36 -0400
+Subject: [PATCH] RUBY-941 Update BSON ObjectId validation
+
+diff --git a/lib/bson/types/object_id.rb b/lib/bson/types/object_id.rb
+index 5de7f66..6e44efa 100644
+--- a/lib/bson/types/object_id.rb
++++ b/lib/bson/types/object_id.rb
+@@ -51,7 +51,7 @@ def initialize(data=nil, time=nil)
+ #
+ # @return [Boolean]
+ def self.legal?(str)
+- str =~ /^[0-9a-f]{24}$/i ? true : false
++ str =~ /\A[0-9a-f]{24}\z/i ? true : false
+ end
+
+ # Create an object id from the given time. This is useful for doing range
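Review bot: The header of the new debian/patches/Update_BSON_ObjectId_validation.patch has only From/Date/Subject lines, with no mention of CVE-2015-4410 or #787951 and no upstream origin link. Someone reading the patch file alone cannot tie the `\A...\z` change in `self.legal?` to the advisory, so consider adding DEP-3 `Origin:` and `Bug-Debian:` fields. The cherry-picked change also carries no spec: a case asserting that `legal?` returns false for 24 hex digits followed by a newline and further text would keep the anchors from regressing to `^`/`$`, which in Ruby match at line boundaries rather than at the ends of the string.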
diff --git a/debian/patches/series b/debian/patches/series
index b0b3f6e..c269047 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
#change_require_activesupport.patch
#add_to_bson_code.patch
remove_rubygems_from_bins.patch
+Update_BSON_ObjectId_validation.patch
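Review bot: The new last line `Update_BSON_ObjectId_validation.patch` in series is the only packaging change here besides the patch file itself (2 files changed), so `Closes: #787951` appears only in the commit message. The bug is closed on upload from debian/changelog, so check that a changelog entry naming the CVE and the bug number arrives in the other commit of this 01/02 series.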
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-bson.git