Your message dated Wed, 09 Jan 2013 22:09:11 +0000 with message-id <1357769351.21796.3.ca...@jacala.jungle.funky-badger.org> and subject line Re: Bug#697812: unblock: ruby-activerecord-3.2/3.2.6-4 has caused the Debian Bug report #697812, regarding unblock: ruby-activerecord-3.2/3.2.6-4 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
697812: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697812
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock packages ruby-activerecord-3.2 and ruby-actionpack-3.2. The new versions uploaded to unstable fix CVE-2013-0155. Since the fix is spread across those two packages, I think they should be handled together, and that's why I am filing a single unblock request for both packages.

The debdiffs against the packages in testing are attached. You will notice a build-dependency bump change, but that's in debian/control.in, not debian/control, so it's harmless.

unblock ruby-activerecord-3.2/3.2.6-4
unblock ruby-actionpack-3.2/3.2.6-5

TIA,

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terce...@debian.org>

diff -Nru ruby-activerecord-3.2-3.2.6/debian/changelog ruby-activerecord-3.2-3.2.6/debian/changelog --- ruby-activerecord-3.2-3.2.6/debian/changelog 2013-01-03 11:21:21.000000000 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/changelog 2013-01-09 18:22:50.000000000 -0300 
@@ -1,3 +1,10 @@ +ruby-activerecord-3.2 (3.2.6-4) unstable; urgency=high + + * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk + [CVE-2013-0155] (Closes: #697744). + + -- Antonio Terceiro <terce...@debian.org> Wed, 09 Jan 2013 18:18:07 -0300 + ruby-activerecord-3.2 (3.2.6-3) unstable; urgency=high * debian/patches/3-2-dynamic_finder_injection.patch: fix SQL injection diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch --- ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch 2013-01-09 18:25:01.000000000 -0300 @@ -0,0 +1,25 @@ +From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001 +From: Aaron Patterson <aaron.patter...@gmail.com> +Date: Fri, 4 Jan 2013 12:02:22 -0800 +Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts. + [CVE-2013-0155] * dealing with empty hashes. Thanks + Damien Mathieu + +diff --git a/lib/active_record/relation/predicate_builder.rb b/lib/active_record/relation/predicate_builder.rb +index 6b118b4..b31fdfd 100644 +--- a/lib/active_record/relation/predicate_builder.rb ++++ b/lib/active_record/relation/predicate_builder.rb +@@ -6,7 +6,12 @@ module ActiveRecord + + if allow_table_name && value.is_a?(Hash) + table = Arel::Table.new(column, engine) +- build_from_hash(engine, value, table, false) ++ ++ if value.empty? ++ '1 = 2' ++ else ++ build_from_hash(engine, value, table, false) ++ end + else + column = column.to_s + diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/series ruby-activerecord-3.2-3.2.6/debian/patches/series --- ruby-activerecord-3.2-3.2.6/debian/patches/series 2013-01-03 11:04:55.000000000 -0300 +++ ruby-activerecord-3.2-3.2.6/debian/patches/series 2013-01-09 18:17:11.000000000 -0300 
@@ -1,2 +1,3 @@ Remove_rubygems_dependency.patch 3-2-dynamic_finder_injection.patch +CVE-2013-0155.patchdiff -Nru ruby-actionpack-3.2-3.2.6/debian/changelog ruby-actionpack-3.2-3.2.6/debian/changelog --- ruby-actionpack-3.2-3.2.6/debian/changelog 2012-08-10 13:33:44.000000000 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/changelog 2013-01-09 18:27:16.000000000 -0300 @@ -1,3 +1,10 @@ +ruby-actionpack-3.2 (3.2.6-5) unstable; urgency=high + + * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk + [CVE-2013-0155] (Closes: #697802) + + -- Antonio Terceiro <terce...@debian.org> Wed, 09 Jan 2013 18:25:45 -0300 + ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high * Add patches for security problems (Closes: #684454): diff -Nru ruby-actionpack-3.2-3.2.6/debian/control.in ruby-actionpack-3.2-3.2.6/debian/control.in --- ruby-actionpack-3.2-3.2.6/debian/control.in 2012-06-16 21:11:38.000000000 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/control.in 2012-11-14 09:42:31.000000000 -0300 @@ -7,7 +7,7 @@ Antonio Terceiro <terce...@debian.org>, DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), - gem2deb (>= 0.2.13~), + gem2deb (>= 0.3.0~), ruby-activesupport-3.2 (>= @RAILS_VERSION@), ruby-activesupport-3.2 (<< @RAILS_VERSION@.), ruby-activerecord-3.2 (>= @RAILS_VERSION@), diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch --- ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch 2013-01-09 18:28:16.000000000 -0300 
@@ -0,0 +1,57 @@ +From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001 +From: Aaron Patterson <aaron.patter...@gmail.com> +Date: Fri, 4 Jan 2013 12:02:22 -0800 +Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts. + [CVE-2013-0155] * dealing with empty hashes. Thanks + Damien Mathieu + +--- a/lib/action_dispatch/http/request.rb ++++ b/lib/action_dispatch/http/request.rb +@@ -247,18 +247,14 @@ module ActionDispatch + LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip } + end + +- protected +- + # Remove nils from the params hash + def deep_munge(hash) +- keys = hash.keys.find_all { |k| hash[k] == [nil] } +- keys.each { |k| hash[k] = nil } +- +- hash.each_value do |v| ++ hash.each do |k, v| + case v + when Array + v.grep(Hash) { |x| deep_munge(x) } + v.compact! ++ hash[k] = nil if v.empty? + when Hash + deep_munge(v) + end +@@ -267,6 +263,8 @@ module ActionDispatch + hash + end + ++ protected ++ + def parse_query(qs) + deep_munge(super) + end +--- a/lib/action_dispatch/middleware/params_parser.rb ++++ b/lib/action_dispatch/middleware/params_parser.rb +@@ -38,13 +38,13 @@ module ActionDispatch + when Proc + strategy.call(request.raw_post) + when :xml_simple, :xml_node +- data = Hash.from_xml(request.body.read) || {} ++ data = request.deep_munge(Hash.from_xml(request.body.read) || {}) + request.body.rewind if request.body.respond_to?(:rewind) + data.with_indifferent_access + when :yaml + YAML.load(request.raw_post) + when :json +- data = ActiveSupport::JSON.decode(request.body) ++ data = request.deep_munge ActiveSupport::JSON.decode(request.body) + request.body.rewind if request.body.respond_to?(:rewind) + data = {:_json => data} unless data.is_a?(Hash) + data.with_indifferent_access diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/series ruby-actionpack-3.2-3.2.6/debian/patches/series --- ruby-actionpack-3.2-3.2.6/debian/patches/series 2012-08-10 13:29:41.000000000 -0300 +++ 
ruby-actionpack-3.2-3.2.6/debian/patches/series 2013-01-09 18:24:02.000000000 -0300 @@ -1,3 +1,4 @@ CVE-2012-3424.patch CVE-2012-3463.patch CVE-2012-3465.patch +CVE-2013-0155.patch
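Review bot: in the predicate_builder.rb hunk the new `value.empty?` branch returns the raw SQL string '1 = 2' where the surrounding code builds Arel nodes, and nothing explains why; add a comment stating that an empty nested hash (which is what reaches Active Record when a JSON or XML body carries an empty object, since deep_munge recurses into hashes but leaves an empty one as {}) must match no rows, because build_from_hash on an empty hash would otherwise produce no predicates and silently drop the condition. Separately, the patch header reads "[PATCH 1/2]" while debian/patches/series gains only CVE-2013-0155.patch; confirm in the changelog that the second upstream commit is not needed for 3.2.6.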
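Review bot: the request.rb hunk moves `protected` below deep_munge, so deep_munge becomes a public method of ActionDispatch::Request (required, since params_parser.rb now calls `request.deep_munge`), yet the method comment still only says "Remove nils from the params hash" while the added `hash[k] = nil if v.empty?` also turns an empty array, or one that became empty after `v.compact!`, into nil; document both, and note that the removed `hash[k] == [nil]` special case is now subsumed by compact! plus the empty check. Also worth a comment: an empty Hash value is recursed into but left as {}, so the always-false handling for that input lives in the activerecord patch rather than here.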
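Review bot: in the params_parser.rb :json branch, `data = request.deep_munge ActiveSupport::JSON.decode(request.body)` runs before `data = {:_json => data} unless data.is_a?(Hash)`, so a top-level JSON array is handed to deep_munge as an Array; there `hash.each do |k, v|` yields each element as k with v nil, so neither the Array nor the Hash branch is taken and a body such as `[{"a":[null]}]` comes back unchanged. Apply deep_munge after the `{:_json => data}` wrap so the Hash path is always taken. The :yaml branch (`YAML.load(request.raw_post)`) and the Proc branch are also left without deep_munge, so the nil stripping covers only XML and JSON bodies; if that is intentional, say so in the patch description.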
--- End Message ---
--- Begin Message ---
On Wed, 2013-01-09 at 18:47 -0300, Antonio Terceiro wrote:
> Please unblock packages ruby-activerecord-3.2 and ruby-actionpack-3.2.
> The new versions uploaded to unstable fix CVE-2013-0155. Since the fix
> is spread across those two packages, I think they should be handled
> together, and that's why I am filing a single unblock request for both
> packages.

Unblocked; thanks.

Regards,

Adam
--- End Message ---