Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: ruby-globa...@packages.debian.org
Control: affects -1 + src:ruby-globalid
Please unblock package ruby-globalid

[ Reason ]
Fixes CVE-2023-22799/#1029851

[ Impact ]
Security issue

[ Tests ]
Upstream test suite passing.

[ Risks ]
Patch backported from upstream and applies cleanly.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]

unblock ruby-globalid/0.6.0-2
diff -Nru ruby-globalid-0.6.0/debian/changelog ruby-globalid-0.6.0/debian/changelog --- ruby-globalid-0.6.0/debian/changelog 2021-11-30 09:42:23.000000000 +0530 +++ ruby-globalid-0.6.0/debian/changelog 2023-03-19 17:58:06.000000000 +0530 @@ -1,3 +1,17 @@ +ruby-globalid (0.6.0-2) unstable; urgency=medium + + * Team Upload + + [ Debian Janitor ] + * Remove constraints unnecessary since buster (oldstable): + + Build-Depends: Drop versioned constraint on ruby-activesupport. + + [ Pirate Praveen ] + * Fix CVE-2023-22799 (Closes: #1029851) + * Bump Standards-Version to 4.6.2 (no changes needed) + + -- Pirate Praveen <prav...@debian.org> Sun, 19 Mar 2023 17:58:06 +0530 + ruby-globalid (0.6.0-1) unstable; urgency=medium * Team upload. diff -Nru ruby-globalid-0.6.0/debian/control ruby-globalid-0.6.0/debian/control --- ruby-globalid-0.6.0/debian/control 2021-11-30 09:42:23.000000000 +0530 +++ ruby-globalid-0.6.0/debian/control 2023-03-19 17:58:06.000000000 +0530 @@ -6,9 +6,9 @@ Build-Depends: debhelper-compat (= 13), gem2deb, rake, - ruby-activesupport (>= 2:5.0), + ruby-activesupport, ruby-rails -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Vcs-Git: https://salsa.debian.org/ruby-team/ruby-globalid.git Vcs-Browser: https://salsa.debian.org/ruby-team/ruby-globalid Homepage: https://github.com/rails/globalid diff -Nru ruby-globalid-0.6.0/debian/patches/CVE-2023-22799.patch ruby-globalid-0.6.0/debian/patches/CVE-2023-22799.patch --- ruby-globalid-0.6.0/debian/patches/CVE-2023-22799.patch 1970-01-01 05:30:00.000000000 +0530 +++ ruby-globalid-0.6.0/debian/patches/CVE-2023-22799.patch 2023-03-19 17:58:06.000000000 +0530 
@@ -0,0 +1,48 @@ +From 3bc4349422e60f2235876a59dd415e98b072eb2b Mon Sep 17 00:00:00 2001 +From: Aaron Patterson <tenderl...@ruby-lang.org> +Date: Tue, 17 Jan 2023 13:32:28 -0800 +Subject: [PATCH] Fix ReDoS vulnerability in name parsing + +Thanks to @ooooooo_q for the patch! + +[CVE-2023-22799] +--- + lib/global_id/uri/gid.rb | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/lib/global_id/uri/gid.rb ++++ b/lib/global_id/uri/gid.rb +@@ -123,9 +123,6 @@ + private + COMPONENT = [ :scheme, :app, :model_name, :model_id, :params ].freeze + +- # Extracts model_name and model_id from the URI path. +- PATH_REGEXP = %r(\A/([^/]+)/?([^/]+)?\z) +- + def check_host(host) + validate_component(host) + super +@@ -145,11 +142,11 @@ + end + + def set_model_components(path, validate = false) +- _, model_name, model_id = path.match(PATH_REGEXP).to_a +- model_id = CGI.unescape(model_id) if model_id +- ++ _, model_name, model_id = path.split('/', 3) + validate_component(model_name) && validate_model_id(model_id, model_name) if validate + ++ model_id = CGI.unescape(model_id) if model_id ++ + @model_name = model_name + @model_id = model_id + end +@@ -162,7 +159,7 @@ + end + + def validate_model_id(model_id, model_name) +- return model_id unless model_id.blank? ++ return model_id unless model_id.blank? || model_id.include?('/') + + raise MissingModelIdError, "Unable to create a Global ID for " \ + "#{model_name} without a model id." diff -Nru ruby-globalid-0.6.0/debian/patches/series ruby-globalid-0.6.0/debian/patches/series --- ruby-globalid-0.6.0/debian/patches/series 2021-11-30 09:42:23.000000000 +0530 +++ ruby-globalid-0.6.0/debian/patches/series 2023-03-19 17:58:06.000000000 +0530 @@ -1 +1,2 @@ fix_test_helper.patch +CVE-2023-22799.patch
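Review bot: in the set_model_components hunk of the embedded upstream patch, the new slash check in validate_model_id only runs when the caller passes validate = true (the guard `validate_component(model_name) && validate_model_id(model_id, model_name) if validate` is unchanged), so with the default validate = false `path.split('/', 3)` now hands back everything after the second slash unchanged: a path with a third segment yields a model_id containing "/" where the removed anchored PATH_REGEXP previously failed to match and left both components nil, and a path ending in "/" yields "" rather than nil because split with a positive limit keeps the trailing empty field. The unescape was also moved below the validation, so the `model_id.include?('/')` check sees the raw segment and a percent-encoded %2F inside the id is still accepted and decoded while a literal extra segment is rejected; that reads as intended, but the patch touches only lib/global_id/uri/gid.rb and adds no test, so a test covering the validate = true and validate = false paths for a trailing slash, an extra segment and an encoded slash would make the backport's behaviour explicit.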
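Review bot: the new debian/patches/CVE-2023-22799.patch opens with the git format-patch From/Date/Subject header but carries no DEP-3 Origin or Bug-Debian field; adding `Origin: upstream, https://github.com/rails/globalid/commit/3bc4349422e60f2235876a59dd415e98b072eb2b` and `Bug-Debian: https://bugs.debian.org/1029851` below the Subject line records where the backport came from and which bug it closes without touching the hunks.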