Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ruby-globa...@packages.debian.org
Control: affects -1 + src:ruby-globalid

Please unblock package ruby-globalid

[ Reason ]
Fixes CVE-2023-22799/#1029851

[ Impact ]
Security issue

[ Tests ]
Upstream test suite passing.


[ Risks ]
Patch backported from upstream and applies cleanly.

[ Checklist ]
 [x] all changes are documented in the d/changelog
 [x] I reviewed all changes and I approve them
 [x] attach debdiff against the package in testing

[ Other info ]

unblock ruby-globalid/0.6.0-2

diff -Nru ruby-globalid-0.6.0/debian/changelog ruby-globalid-0.6.0/debian/changelog
--- ruby-globalid-0.6.0/debian/changelog	2021-11-30 09:42:23.000000000 +0530
+++ ruby-globalid-0.6.0/debian/changelog	2023-03-19 17:58:06.000000000 +0530
@@ -1,3 +1,17 @@
+ruby-globalid (0.6.0-2) unstable; urgency=medium
+
+  * Team Upload
+
+  [ Debian Janitor ]
+  * Remove constraints unnecessary since buster (oldstable):
+    + Build-Depends: Drop versioned constraint on ruby-activesupport.
+
+  [ Pirate Praveen ]
+  * Fix CVE-2023-22799 (Closes: #1029851)
+  * Bump Standards-Version to 4.6.2 (no changes needed)
+
+ -- Pirate Praveen <prav...@debian.org>  Sun, 19 Mar 2023 17:58:06 +0530
+
 ruby-globalid (0.6.0-1) unstable; urgency=medium
 
   * Team upload.
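Review bot: the unblock's [ Reason ] names only CVE-2023-22799, but this entry also carries the Janitor's Build-Depends change and the Standards-Version bump, so the debdiff is wider than the request describes; either drop those two from the freeze upload or state under [ Other info ] that they are no-op metadata changes. Minor: "Team Upload" should match the lower-case "Team upload." used by the 0.6.0-1 entry just below.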
diff -Nru ruby-globalid-0.6.0/debian/control ruby-globalid-0.6.0/debian/control
--- ruby-globalid-0.6.0/debian/control	2021-11-30 09:42:23.000000000 +0530
+++ ruby-globalid-0.6.0/debian/control	2023-03-19 17:58:06.000000000 +0530
@@ -6,9 +6,9 @@
 Build-Depends: debhelper-compat (= 13),
                gem2deb,
                rake,
-               ruby-activesupport (>= 2:5.0),
+               ruby-activesupport,
                ruby-rails
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Vcs-Git: https://salsa.debian.org/ruby-team/ruby-globalid.git
 Vcs-Browser: https://salsa.debian.org/ruby-team/ruby-globalid
 Homepage: https://github.com/rails/globalid
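Review bot: dropping `(>= 2:5.0)` on ruby-activesupport relies entirely on the changelog's claim that every version since buster already satisfies it; it changes nothing in the built package, so it adds no risk to the unblock, but together with the Standards-Version bump it is unrelated to the CVE and deserves an explicit mention in the request rather than being left for the release team to discover in the diff.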
diff -Nru ruby-globalid-0.6.0/debian/patches/CVE-2023-22799.patch ruby-globalid-0.6.0/debian/patches/CVE-2023-22799.patch
--- ruby-globalid-0.6.0/debian/patches/CVE-2023-22799.patch	1970-01-01 05:30:00.000000000 +0530
+++ ruby-globalid-0.6.0/debian/patches/CVE-2023-22799.patch	2023-03-19 17:58:06.000000000 +0530
@@ -0,0 +1,48 @@
+From 3bc4349422e60f2235876a59dd415e98b072eb2b Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <tenderl...@ruby-lang.org>
+Date: Tue, 17 Jan 2023 13:32:28 -0800
+Subject: [PATCH] Fix ReDoS vulnerability in name parsing
+
+Thanks to @ooooooo_q for the patch!
+
+[CVE-2023-22799]
+---
+ lib/global_id/uri/gid.rb | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/lib/global_id/uri/gid.rb
++++ b/lib/global_id/uri/gid.rb
+@@ -123,9 +123,6 @@
+     private
+       COMPONENT = [ :scheme, :app, :model_name, :model_id, :params ].freeze
+ 
+-      # Extracts model_name and model_id from the URI path.
+-      PATH_REGEXP = %r(\A/([^/]+)/?([^/]+)?\z)
+-
+       def check_host(host)
+         validate_component(host)
+         super
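Review bot: removing PATH_REGEXP is the actual fix, and the reason is visible in the pattern: `([^/]+)/?([^/]+)?` places two runs of non-slash characters next to each other with only an optional `/` between them, so on a path that cannot reach `\z` (for example a long run of non-slash characters followed by a second `/`) the engine retries every split point between the two groups before failing, which is quadratic in the path length. Worth saying so in the patch header or a comment, since nothing else in the hunk explains why a one-line regex was a ReDoS.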
+@@ -145,11 +142,11 @@
+       end
+ 
+       def set_model_components(path, validate = false)
+-        _, model_name, model_id = path.match(PATH_REGEXP).to_a
+-        model_id = CGI.unescape(model_id) if model_id
+-
++        _, model_name, model_id = path.split('/', 3)
+         validate_component(model_name) && validate_model_id(model_id, model_name) if validate
+ 
++        model_id = CGI.unescape(model_id) if model_id
++
+         @model_name = model_name
+         @model_id = model_id
+       end
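Review bot: `path.split('/', 3)` loses the `\A/` anchor the old regex had: the first element is bound to `_` and never examined, so a path without a leading slash such as `a/b` now yields model_name `b` instead of failing to parse. If the URI layer guarantees a leading slash this is harmless; otherwise add a guard such as `return unless _.to_s.empty?` (or validate `_`) to keep the old behaviour. Moving `CGI.unescape` below the validation is the right order: the slash check in `validate_model_id` sees the raw component, so when `validate` is set a literal extra path segment is rejected while an escaped `%2F` inside an id still decodes as before.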
+@@ -162,7 +159,7 @@
+       end
+ 
+       def validate_model_id(model_id, model_name)
+-        return model_id unless model_id.blank?
++        return model_id unless model_id.blank? || model_id.include?('/')
+ 
+         raise MissingModelIdError, "Unable to create a Global ID for " \
+           "#{model_name} without a model id."
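Review bot: the new `|| model_id.include?('/')` branch reuses the "without a model id" message, which is misleading when an id was supplied but carried a slash (a path like `/Person/1/2` now fails here). Raise a distinct message for that case, e.g. `"#{model_name}: model id #{model_id.inspect} must not contain '/'"`, so callers and logs can tell a missing id from a malformed one; the error class can stay the same if the public API should not change.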
diff -Nru ruby-globalid-0.6.0/debian/patches/series ruby-globalid-0.6.0/debian/patches/series
--- ruby-globalid-0.6.0/debian/patches/series	2021-11-30 09:42:23.000000000 +0530
+++ ruby-globalid-0.6.0/debian/patches/series	2023-03-19 17:58:06.000000000 +0530
@@ -1 +1,2 @@
 fix_test_helper.patch
+CVE-2023-22799.patch
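Review bot: the backported patch touches only lib/global_id/uri/gid.rb and carries no test, so "Upstream test suite passing" in [ Tests ] shows the change does not regress existing behaviour but not that the slow path is gone; a short test that parses a long non-matching path with a timeout, and one asserting that a third path segment raises, would make the [ Tests ] claim meaningful. The git format-patch header is acceptable as DEP-3, but adding `Origin: upstream, <commit 3bc4349422e60f2235876a59dd415e98b072eb2b>` and `Bug-Debian: #1029851` lines would let the tracker link the patch to the advisory directly.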
