Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-07-10 Thread Utkarsh Gupta
Hi Emilio,

On Fri, Jul 10, 2020 at 11:27 PM Emilio Pozuelo Monfort
 wrote:
> On 10/07/2020 19:49, Utkarsh Gupta wrote:
> They got reverted here:
>
> commit 41a5070e43be50edc80c35082caa1a5005b06131
> Author: Branislav Makuch 
> Date:   Wed Jul 1 13:31:49 2020 +
>
> Revert "Merge branch 'master' of salsa.debian.org:webmaster-team/webwml"
>
> This reverts commit 6bcdcddbc8ba89d14541d46617fc456725f69b29
>
> Probably a mistake as it mentions commit 6bcdcd. I'd say just re-add your
> changes, revert that revert :-)

Aw, crap :/
Many thanks, reverted the revert! \o/


Best,
Utkarsh



Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-07-10 Thread Emilio Pozuelo Monfort
On 10/07/2020 19:49, Utkarsh Gupta wrote:
> Hi,
> 
> On Mon, Jul 6, 2020 at 1:40 PM Holger Levsen  wrote:
>> Three DLAs have been reserved but not yet been published on www.debian.org:
>> LTS:
>>
>> - DLA 2269-1 (reserved by Utkarsh Gupta)
>> - DLA 2270-1 (reserved by Utkarsh Gupta)
>> - DLA 2271-1 (reserved by Utkarsh Gupta)
> 
> This is weird. These DLAs were pushed on July 1st itself via [1][2][3].
> Not sure what went wrong!?

They got reverted here:

commit 41a5070e43be50edc80c35082caa1a5005b06131
Author: Branislav Makuch 
Date:   Wed Jul 1 13:31:49 2020 +

Revert "Merge branch 'master' of salsa.debian.org:webmaster-team/webwml"

This reverts commit 6bcdcddbc8ba89d14541d46617fc456725f69b29

Probably a mistake as it mentions commit 6bcdcd. I'd say just re-add your
changes, revert that revert :-)

Cheers,
Emilio

> 
> 
> Best,
> Utkarsh
> ---
> [1]: https://salsa.debian.org/webmaster-team/webwml/-/commit/3fa826e876fd342ecabeeaa0da6f1d21dd6a6181
> [2]: https://salsa.debian.org/webmaster-team/webwml/-/commit/16a084b6ad0a1fbe83ac7b57a162d83d0356a334
> [3]: https://salsa.debian.org/webmaster-team/webwml/-/commit/e52b2777d771f308ecdb741698e624a5ce128745
> 



Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-07-10 Thread Utkarsh Gupta
On Fri, Jul 10, 2020 at 11:19 PM Utkarsh Gupta  wrote:
> On Mon, Jul 6, 2020 at 1:40 PM Holger Levsen  wrote:
> > Three DLAs have been reserved but not yet been published on www.debian.org:
> > LTS:
> >
> > - DLA 2269-1 (reserved by Utkarsh Gupta)
> > - DLA 2270-1 (reserved by Utkarsh Gupta)
> > - DLA 2271-1 (reserved by Utkarsh Gupta)
>
> This is weird. These DLAs were pushed on July 1st itself via [1][2][3].
> Not sure what went wrong!?

Interesting. I can't see them at https://www.debian.org/lts/security/.
So they aren't published. Hm, I'll see what happened to them.

In case someone has any clue, please let me know.


Best,
Utkarsh



Re: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity (and missing DLAs on www.do)

2020-07-10 Thread Utkarsh Gupta
Hi,

On Mon, Jul 6, 2020 at 1:40 PM Holger Levsen  wrote:
> Three DLAs have been reserved but not yet been published on www.debian.org:
> LTS:
>
> - DLA 2269-1 (reserved by Utkarsh Gupta)
> - DLA 2270-1 (reserved by Utkarsh Gupta)
> - DLA 2271-1 (reserved by Utkarsh Gupta)

This is weird. These DLAs were pushed on July 1st itself via [1][2][3].
Not sure what went wrong!?


Best,
Utkarsh
---
[1]: https://salsa.debian.org/webmaster-team/webwml/-/commit/3fa826e876fd342ecabeeaa0da6f1d21dd6a6181
[2]: https://salsa.debian.org/webmaster-team/webwml/-/commit/16a084b6ad0a1fbe83ac7b57a162d83d0356a334
[3]: https://salsa.debian.org/webmaster-team/webwml/-/commit/e52b2777d771f308ecdb741698e624a5ce128745



Re: rails update

2020-07-10 Thread Sylvain Beucler
Hi Antonio,

On 08/07/2020 18:32, terce...@debian.org wrote:
> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>> Back to the initial topic, the current tasks underway are:
>>
>>
>> - stretch update review
>>
>> The update is ready:
>> https://www.beuc.net/tmp/debian-lts/rails/
>>
>> It includes an additional regression fix for CVE-2020-8163.
>> https://security-tracker.debian.org/tracker/CVE-2020-8163
>>
>> I requested upstream feedback but given that 4.x is EOL so far no luck.
>> https://github.com/rails/rails/issues/39301#issuecomment-648885623
>> https://github.com/rails/rails/pull/39806
>>
>> Hence we called for a review from a Ruby/Rails-savvy DD.
>> (stretch moved from oldstable->LTS meanwhile, but the review would still
>> be appreciated)
>> Anyone up?
>>
>>
>> - buster update
>>
>> I now "up-ported" my stretch work at:
>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>> + added the redis side of CVE-2020-8165
>>
>> I believe I would do a disservice to the community if I did a one-time
>> update masking possible problems with long-term maintenance, so I'm
>> leaving the other CVEs to fix
>> (cf. https://security-tracker.debian.org/tracker/source-package/rails)
> 
> I looked briefly at both updates, and the new patches included in them
> look sane and reasonable.

Thanks for your review!

Also my regression fix for CVE-2020-8163 (4.x) was merged:
https://github.com/rails/rails/commit/0ecaaf76d1b79cf2717cdac754e55b4114ad6599

Cheers!
Sylvain
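The "redis side of CVE-2020-8165" mentioned in the quoted status above comes down to one read path: a cache value that was stored verbatim with `raw: true` is still handed to Marshal.load when it is read back, so whoever controls those bytes picks which class gets instantiated. The Ruby below is an added example, not code from this thread or from Rails, Dalli or redis: `Canary`, `Entry`, `FakeBackend`, `VulnerableStore` and `HardenedStore` are hypothetical stand-ins that model the pre-fix store and the tag-the-value approach taken by the upstream MemCacheStore fix, with an in-memory backend so it runs offline. The attacker bytes are constructed for the example.

```ruby
# Added example (not from the thread, Rails, Dalli or redis): a model of the
# CVE-2020-8165 read path built from hypothetical stand-in classes.

# A class whose marshal hook records when it runs. Marshal.load instantiates
# whatever class the byte stream names and calls its marshal_load, so whoever
# controls the bytes picks the code that runs (real gadget chains go further).
class Canary
  class << self; attr_accessor :loaded; end
  self.loaded = 0
  def marshal_dump; "payload"; end
  def marshal_load(_data); self.class.loaded += 1; end
end

# Wrapper the store marshals for ordinary (non-raw) writes.
Entry = Struct.new(:value)

# In-memory stand-in for the redis connection: bytes in, bytes out.
class FakeBackend
  def initialize; @data = {}; end
  def set(key, bytes); @data[key] = bytes; end
  def get(key); @data[key]; end
end

# Shaped like the pre-fix 5.2 RedisCacheStore: every value read goes through
# Marshal.load, including strings that were written verbatim with raw: true.
class VulnerableStore
  def initialize(backend)
    @backend = backend
  end

  def write(key, value, raw: false)
    @backend.set(key, raw ? value.to_s : Marshal.dump(Entry.new(value)))
  end

  def read(key)
    bytes = @backend.get(key)
    return nil if bytes.nil?
    entry = begin
      Marshal.load(bytes)
    rescue TypeError, ArgumentError
      bytes # not a Marshal stream: fall back to the raw string
    end
    entry.is_a?(Entry) ? entry.value : entry
  end
end

# The approach of the MemCacheStore fix: tag each value on write and only
# unmarshal what the store itself marshalled. Raw strings come back as strings.
class HardenedStore
  MARSHALLED = "\x01".b
  RAW = "\x00".b

  def initialize(backend)
    @backend = backend
  end

  def write(key, value, raw: false)
    body = raw ? RAW + value.to_s.b : MARSHALLED + Marshal.dump(Entry.new(value))
    @backend.set(key, body)
  end

  def read(key)
    bytes = @backend.get(key)
    return nil if bytes.nil?
    flag, body = bytes[0], bytes[1..-1]
    return body unless flag == MARSHALLED
    entry = Marshal.load(body)
    entry.is_a?(Entry) ? entry.value : nil
  end
end

# Constructed attacker input: a Marshal stream the application stored verbatim
# (say, a user-supplied string cached with raw: true).
ATTACKER_BYTES = Marshal.dump(Canary.new).freeze

# Returns [did a Canary come back?, how many times its marshal_load ran].
def untrusted_read(store_class)
  store = store_class.new(FakeBackend.new)
  before = Canary.loaded
  store.write("greeting", ATTACKER_BYTES, raw: true)
  value = store.read("greeting")
  [value.is_a?(Canary), Canary.loaded - before]
end

# Ordinary values still round-trip through both stores.
def roundtrip(store_class)
  store = store_class.new(FakeBackend.new)
  store.write("answer", 42)
  store.read("answer")
end

if __FILE__ == $PROGRAM_NAME
  p untrusted_read(VulnerableStore) # [true, 1]
  p untrusted_read(HardenedStore)   # [false, 0]
end
```

The point of the tag byte is that the decision to call Marshal.load no longer depends on what the bytes look like, only on how the store wrote them; the deprecation in the upstream RedisCacheStore commit gets part of the way there by requiring the same `raw` option on read and write, but leaves the call in place.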



Re: rails update

2020-07-10 Thread Moritz Muehlenhoff
On Fri, Jul 10, 2020 at 11:55:37AM +0200, Sylvain Beucler wrote:
> Hi,
> 
> On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
> > On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
> >> Hi,
> >>
> >> - buster update
> >>
> >> I now "up-ported" my stretch work at:
> >> https://www.beuc.net/tmp/debian-lts/rails-buster/
> >> + added the redis side of CVE-2020-8165
> > 
> > What do you mean with up-ported? Applying a patch made for an older release
> > to a more recent release will miss all code which wasn't present in
> > the older suite.
> 
> To phrase it more precisely, I went back to the upstream patches for
> 5.2, applied them and unit-tested them.

Ah, ok! I'll have a look at this over the weekend.

Cheers,
Moritz



Re: rails update

2020-07-10 Thread Sylvain Beucler
Hi,

On 10/07/2020 10:28, Moritz Mühlenhoff wrote:
> On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
>> Hi,
>>
>> - buster update
>>
>> I now "up-ported" my stretch work at:
>> https://www.beuc.net/tmp/debian-lts/rails-buster/
>> + added the redis side of CVE-2020-8165
> 
> What do you mean with up-ported? Applying a patch made for an older release
> to a more recent release will miss all code which wasn't present in
> the older suite.

To phrase it more precisely, I went back to the upstream patches for
5.2, applied them and unit-tested them.

(debdiff.txt from the above URL attached for reference.)

Cheers!
Sylvain
diff -Nru rails-5.2.2.1+dfsg/debian/changelog 
rails-5.2.2.1+dfsg/debian/changelog
--- rails-5.2.2.1+dfsg/debian/changelog 2020-03-22 14:17:31.0 +0100
+++ rails-5.2.2.1+dfsg/debian/changelog 2020-07-08 11:38:00.0 +0200
@@ -1,3 +1,12 @@
+rails (2:5.2.2.1+dfsg-1+deb10u2) UNRELEASED; urgency=high
+
+  [ Sylvain Beucler ]
+  * CVE-2020-8164: possible Strong Parameters Bypass in ActionPack
+  * CVE-2020-8165: potentially unintended unmarshalling of user-provided
+objects in MemCacheStore and RedisCacheStore
+
+ -- debian   Wed, 08 Jul 2020 11:38:00 +0200
+
 rails (2:5.2.2.1+dfsg-1+deb10u1) buster; urgency=high
 
   * Team upload.
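Review bot: the new stanza's trailer line `-- debian   Wed, 08 Jul 2020 11:38:00 +0200` is a placeholder with no real name or address, and the distribution is still `UNRELEASED`; before upload, regenerate the stanza with your name and email and set the suite to match the `deb10u1` entry below, otherwise the .changes file carries a bogus Changed-By and the upload is rejected or misfiled.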
diff -Nru rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8164.patch 
rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8164.patch
--- rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8164.patch   1970-01-01 
01:00:00.0 +0100
+++ rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8164.patch   2020-07-08 
11:38:00.0 +0200
@@ -0,0 +1,48 @@
+Origin: 
https://github.com/rails/rails/commit/7a3ee4fea90b7555f8d09c6c05c15fe7ab5a06ec
+Last-Update: 2029-07-08
+Reviewed-by: Sylvain Beucler 
+
+From 7a3ee4fea90b7555f8d09c6c05c15fe7ab5a06ec Mon Sep 17 00:00:00 2001
+From: Jack McCracken 
+Date: Wed, 13 May 2020 15:25:12 -0400
+Subject: [PATCH] Return self when calling #each, #each_pair, and #each_value
+ instead of the raw @parameters hash
+
+[CVE-2020-8164]
+---
+ .../lib/action_controller/metal/strong_parameters.rb  | 2 ++
+ actionpack/test/controller/parameters/accessors_test.rb   | 8 
+ 2 files changed, 10 insertions(+)
+
+diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb 
b/actionpack/lib/action_controller/metal/strong_parameters.rb
+index 510cb353b493..8532b21d94b0 100644
+--- a/actionpack/lib/action_controller/metal/strong_parameters.rb
 b/actionpack/lib/action_controller/metal/strong_parameters.rb
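Review bot: `Last-Update: 2029-07-08` in the DEP-3 header is a typo for 2020-07-08 (the date on the changelog stanza); fix it before upload so the patch metadata is not dated a decade ahead.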
+@@ -337,6 +337,8 @@ def each_pair(&block)
+   @parameters.each_pair do |key, value|
+ yield [key, convert_hashes_to_parameters(key, value)]
+   end
++
++  self
+ end
+ alias_method :each, :each_pair
+ 
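Review bot: the embedded commit subject names `#each_value` alongside `#each` and `#each_pair`, but this hunk only adds the `self` return to `each_pair` (which also covers `each` through the visible `alias_method :each, :each_pair`), and the diffstat shows just two insertions in strong_parameters.rb. Confirm that 5.2.2.1 has no `each_value`, or any other iterator that returns a raw `@parameters` result, needing the same treatment before signing off.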
+diff --git a/actionpack/test/controller/parameters/accessors_test.rb 
b/actionpack/test/controller/parameters/accessors_test.rb
+index db9359876c9a..25a9cee0109e 100644
+--- a/actionpack/test/controller/parameters/accessors_test.rb
 b/actionpack/test/controller/parameters/accessors_test.rb
+@@ -20,6 +20,14 @@ class ParametersAccessorsTest < ActiveSupport::TestCase
+ )
+   end
+ 
++  test "each returns self" do
++assert_same @params, @params.each { |_| _ }
++  end
++
++  test "each_pair returns self" do
++assert_same @params, @params.each_pair { |_| _ }
++  end
++
+   test "[] retains permitted status" do
+ @params.permit!
+ assert_predicate @params[:person], :permitted?
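Review bot: the two tests pin `assert_same` identity only, which is exactly the fix, so they are adequate as written; what needs checking is that the Debian build actually runs actionpack/test, since this debdiff touches only debian/changelog and the two new patch files and not debian/rules or the test configuration, otherwise the tests ship without ever executing against the patched code.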
diff -Nru rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8165.patch 
rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8165.patch
--- rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8165.patch   1970-01-01 
01:00:00.0 +0100
+++ rails-5.2.2.1+dfsg/debian/patches/CVE-2020-8165.patch   2020-07-08 
11:38:00.0 +0200
@@ -0,0 +1,293 @@
+Origin: 
https://github.com/rails/rails/commit/f7e077f85e61fc0b7381963eda0ceb0e457546b5
+Origin: 
https://github.com/rails/rails/commit/467e3399c9007996c03ffe3212689d48dd25ae99
+Last-Update: 2029-07-08
+Reviewed-by: Sylvain Beucler 
+
+From f7e077f85e61fc0b7381963eda0ceb0e457546b5 Mon Sep 17 00:00:00 2001
+From: Dylan Thacker-Smith 
+Date: Sat, 22 Sep 2018 17:57:58 -0400
+Subject: [PATCH] activesupport: Avoid Marshal.load on raw cache value in
+ MemCacheStore
+
+Dalli is already being used for marshalling, so we should also rely
+on it for unmarshalling. Since Dalli tags the cache value as marshalled
+it can avoid unmarshalling a raw string which might have come from
+an untrusted source.
+
+[CVE-2020-8165]
+
+From 467e3399c9007996c03ffe3212689d48dd25ae99 Mon Sep 17 00:00:00 2001
+From: Dylan Thacker-Smith 
+Date: Sat, 22 Sep 2018 21:17:07 -0400
+Subject: [PATCH] activesupport: Deprecate Marshal.load on raw cache read in
+ RedisCacheStore
+
+The same value for the `raw` option should be provided for both reading and
+writing to avoid Marshal.load being called on untrusted data.
+
+[CVE-2020-8165]
+
+Index: 
rails-5.2.2.1+dfsg/activesupport/lib/active_support/cac
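Review bot: same `Last-Update: 2029-07-08` typo as in CVE-2020-8164.patch. More substantively, the second embedded commit (467e3399) only deprecates Marshal.load on a raw RedisCacheStore read, per its subject, rather than refusing it, so a value written with `raw: true` and read without `raw` is still unmarshalled, with a warning; the changelog line `potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore` reads as a full fix for both. The hunk body is cut off here, so this is from the commit subjects alone; if the 5.2 code does keep the Marshal.load, say so in the changelog or DSA text and note that callers must pass the same `raw` option on read and write, as the commit message itself advises.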

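The one-line change in CVE-2020-8164.patch above is easier to judge with the bypass it closes in front of you. The Ruby below is an added example, not code from this thread or from Rails: `StrongParams`, `Account` and `ForbiddenAttributesError` are hypothetical stand-ins for ActionController::Parameters, an ActiveModel model with ForbiddenAttributesProtection, and the error it raises, and the `fix:` switch toggles between the old return value of the iterator (the raw `@parameters` Hash) and the patched one (`self`). The request body is constructed for the example.

```ruby
# Added example, not code from the thread or from Rails: a minimal model of
# the ActionController::Parameters behaviour behind CVE-2020-8164, using
# hypothetical stand-in classes.

class ForbiddenAttributesError < StandardError; end

# Stand-in for ActionController::Parameters: a wrapped Hash plus a permitted flag.
class StrongParams
  def initialize(hash, fix: true, permitted: false)
    @parameters = hash.dup
    @permitted = permitted
    @fix = fix
  end

  def permitted?
    @permitted
  end

  # Allow-list: a new, permitted object carrying only the named keys.
  def permit(*keys)
    StrongParams.new(@parameters.select { |k, _| keys.include?(k) },
                     fix: @fix, permitted: true)
  end

  def to_h
    raise ForbiddenAttributesError, "unpermitted parameters" unless permitted?
    @parameters.dup
  end

  # Hash#each_pair returns the receiver, so without the fix the raw,
  # untrusted Hash escapes as the iterator's return value.
  def each_pair(&block)
    result = @parameters.each_pair(&block)
    @fix ? self : result
  end
  alias_method :each, :each_pair
end

# Stand-in for ActiveModel::ForbiddenAttributesProtection: mass assignment is
# refused only for objects that can say whether they are permitted. A plain
# Hash cannot, so it is accepted as-is.
class Account
  attr_reader :attributes

  def initialize(attrs)
    if attrs.respond_to?(:permitted?) && !attrs.permitted?
      raise ForbiddenAttributesError, "unpermitted parameters"
    end
    @attributes = attrs.to_h
  end
end

# Constructed request body: a valid form field plus an attacker-added one.
REQUEST = { "name" => "mallory", "admin" => true }.freeze

# Application code that uses the iterator's return value (here after noting
# the keys). Returns the attributes assigned, or the error class raised.
def create_account(fix:)
  params = StrongParams.new(REQUEST, fix: fix)
  seen = []
  attrs = params.each { |key, _| seen << key }
  Account.new(attrs).attributes
rescue ForbiddenAttributesError => e
  e.class
end

# The intended pattern: assign only what was explicitly permitted.
def create_account_safely
  params = StrongParams.new(REQUEST)
  Account.new(params.permit("name")).attributes
end

if __FILE__ == $PROGRAM_NAME
  p create_account(fix: false)  # {"name"=>"mallory", "admin"=>true}
  p create_account(fix: true)   # ForbiddenAttributesError
  p create_account_safely       # {"name"=>"mallory"}
end
```

The unpatched path leaks `admin` because a plain Hash has no `permitted?`, so the mass-assignment guard never fires; with the patch the same application code raises, and the allow-listed path assigns only `name`.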
Re: rails update

2020-07-10 Thread Moritz Mühlenhoff
On Wed, Jul 08, 2020 at 12:45:08PM +0200, Sylvain Beucler wrote:
> Hi,
> 
> - buster update
> 
> I now "up-ported" my stretch work at:
> https://www.beuc.net/tmp/debian-lts/rails-buster/
> + added the redis side of CVE-2020-8165

What do you mean with up-ported? Applying a patch made for an older release
to a more recent release will miss all code which wasn't present in
the older suite.

Cheers,
Moritz