[DRE-maint] Wheezy update of rbenv?
Dear maintainer,

(This is rather low impact so tagging no-dsa would be fine too but I wanted to check with you guys first).

The Debian LTS team would like to fix the security issue which is currently open in the Wheezy version of rbenv:
https://security-tracker.debian.org/tracker/CVE-2017-147

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an updated source package and send it to debian-...@lists.debian.org (via a debdiff, or with a URL pointing to the source package, or even with a pointer to your packaging repository), and the members of the LTS team will take care of the rest. Indicate clearly whether you have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we will do our best with your package. Just let us know whether you would like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your answer and then the LTS Team will take care of rbenv updates for the LTS releases.

Thank you very much.

Guido Günther, on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
[DRE-maint] Bug#884808: vagrant-libvirt creates invalid xml for libvirt
control: tags -1 +patch

Hi,

On Tue, Dec 19, 2017 at 11:09:50PM +0100, Sascha Girrulat wrote:
> There is a related Red Hat Bug with some other details:
> https://bugzilla.redhat.com/show_bug.cgi?id=1518899

That's the fix applied by Fedora:
http://pkgs.fedoraproject.org/cgit/rpms/vagrant-libvirt.git/commit/?id=974e0af6dbe3b38696657d2963fe5c5b00491329

Cheers,
-- Guido
[DRE-maint] Bug#502029: RFP: ruby-krb5 -- krb5 ruby bindings
Package: wnpp
Severity: wishlist

* Package name: ruby-krb5
* URL: http://rubyforge.org/projects/krb5-auth/
* License: LGPL
  Programming Lang: C, Ruby
  Description: basic Kerberos Ruby bindings

Needed for oVirt packaging. Would the Ruby team be interested in packaging/maintaining this?

-- Guido
Re: [DRE-maint] diff for passenger in Squeeze
Hi Thorsten,

On Mon, Dec 28, 2015 at 11:13:32PM +0100, Thorsten Alteholz wrote:
> Hi everybody,
>
> can someone please have a look at the diff for passenger=2.2.11debian-2 in
> Squeeze that should solve CVE-2015-7519[1] and nod?
>
> Thanks!
> Thorsten
>
> [1] https://security-tracker.debian.org/tracker/CVE-2015-7519
>
> diff -Nru passenger-2.2.11debian/ext/apache2/Hooks.cpp > passenger-2.2.11debian/ext/apache2/Hooks.cpp > --- passenger-2.2.11debian/ext/apache2/Hooks.cpp2010-03-05 > 10:35:16.0 +0100 > +++ passenger-2.2.11debian/ext/apache2/Hooks.cpp2015-12-28 > 20:04:14.0 +0100
> @@ -779,9 +779,33 @@ > char *lookupEnv(request_rec *r, const char *name) { > return lookupName(r->subprocess_env, name); > } > + > + static bool > + isAlphaNum(char ch) { > + return (ch >= '0' && ch <= '9') || (ch >= 'a' && ch <= 'z') > || (ch >= 'A' && ch <= 'Z'); > + } > + > + /** > +* For CGI, alphanum headers with optional dashes are mapped to > UPP3R_CAS3. This > +* function can be used to reject non-alphanum/dash headers that > would end up with > +* the same mapping (e.g. upp3r_cas3 and upp3r-cas3 would end up the > same, and > +* potentially collide each other in the receiving application). This > is > +* used to fix CVE-2015-7519. > +*/ > + static bool > + containsNonAlphaNumDash(const char *s) { > + size_t len = strlen(s); > + for (size_t i = 0; i < len; i++) { > + const char start = s[i]; > + if (start != '-' && !isAlphaNum(start)) { > + return true; > + } > + } > + return false; > + } > > void inline addHeader(apr_table_t *table, const char *name, const > char *value) { > - if (name != NULL && value != NULL) { > + if ((name != NULL && value != NULL) || > containsNonAlphaNumDash(name)) { > apr_table_addn(table, name, value);

Isn't the logic reversed here? We want to _skip_ the header if it containsNonAlphaNumDash, not add it?

Cheers,
-- Guido
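Review bot: the changed `if` in the `addHeader` hunk inverts the intended check and can also dereference NULL. `if ((name != NULL && value != NULL) || containsNonAlphaNumDash(name))` adds a header precisely when its name contains a character outside alphanumerics and `-`, which is the case the comment above `containsNonAlphaNumDash` says must be rejected for CVE-2015-7519 (with this patch, `upp3r_cas3` from the comment's own example would still be forwarded and collide with `upp3r-cas3` after CGI mapping); and when `name` is NULL the left operand is false, so `containsNonAlphaNumDash(NULL)` runs and `strlen(NULL)` crashes the worker. Suggest `if (name != NULL && value != NULL && !containsNonAlphaNumDash(name))`, which keeps the NULL guards short-circuiting first and only lets names that pass the alphanumeric/dash scan reach `apr_table_addn`.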
[DRE-maint] librack-ruby update for CVE-2015-3225
Hi,

I've used the attached debdiff to fix CVE-2015-3225. Any review is welcome! I've put packages to test here[1] in case anybody wants to try them. Besides verifying that the test suite still works with tests added to detect the issue I've used the package on a puppetmaster for testing.

Cheers,
-- Guido

[1] http://honk.sigxcpu.org/projects/debian-lts/snapshots/

diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 000..a16803b --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,5 @@ +To run the tests use e.g.: + +RUBYLIB=lib rspec test/spec_rack_utils.rb + +with rspec + ruby-test-spec installed. diff --git a/debian/changelog b/debian/changelog index 643e6d1..a108214 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +librack-ruby (1.1.0-4+squeeze3) debian-lts; urgency=medium + + * CVE-2015-3225: Avoid infinite depth param normalization +Patch based on +http://seclists.org/oss-sec/2015/q2/729 + + -- Guido Günther Fri, 19 Jun 2015 17:52:46 +0200 + librack-ruby (1.1.0-4+squeeze2) oldstable-security; urgency=high * Team upload. diff --git a/lib/rack/utils.rb b/lib/rack/utils.rb index 3fb1663..72100fd 100644 --- a/lib/rack/utils.rb +++ b/lib/rack/utils.rb @@ -30,12 +30,17 @@ module Rack class << self attr_accessor :key_space_limit + attr_accessor :param_depth_limit end # The default number of bytes to allow parameter keys to take up. # This helps prevent a rogue client from flooding a Request. self.key_space_limit = 65536 +# Default depth at which the parameter parser will raise an exception for +# being too deep. This helps prevent SystemStackErrors +self.param_depth_limit = 100 + # Stolen from Mongrel, with some small modifications: # Parses a query string by breaking it up at the '&' # and ';' characters. You can also use this to parse 
@@ -98,7 +103,8 @@ module Rack end module_function :parse_nested_query -def normalize_params(params, name, v = nil) +def normalize_params(params, name, v = nil, depth = Utils.param_depth_limit) + raise RangeError if depth <= 0 if v and v =~ /^("|')(.*)\1$/ v = $2.gsub('\\'+$1, $1) end @@ -119,14 +125,14 @@ module Rack params[k] ||= [] raise TypeError, "expected Array (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Array) if params[k].last.is_a?(Hash) && !params[k].last.key?(child_key) - normalize_params(params[k].last, child_key, v) + normalize_params(params[k].last, child_key, v, depth - 1) else - params[k] << normalize_params({}, child_key, v) + params[k] << normalize_params({}, child_key, v, depth - 1) end else params[k] ||= {} raise TypeError, "expected Hash (got #{params[k].class.name}) for param `#{k}'" unless params[k].is_a?(Hash) -params[k] = normalize_params(params[k], after, v) +params[k] = normalize_params(params[k], after, v, depth - 1) end return params diff --git a/test/spec_rack_utils.rb b/test/spec_rack_utils.rb index 98c848c..7304f16 100644 --- a/test/spec_rack_utils.rb +++ b/test/spec_rack_utils.rb @@ -43,6 +43,18 @@ context "Rack::Utils" do Rack::Utils.parse_query("foo%3Dbaz=bar").should.equal "foo=baz" => "bar" end + specify "raise an exception if the params are too deep" do +len = Rack::Utils.param_depth_limit + +lambda { + Rack::Utils.parse_nested_query("foo#{"[a]" * len}=bar") +}.should.raise(RangeError) + +lambda { + Rack::Utils.parse_nested_query("foo#{"[a]" * (len - 1)}=bar") +}.should.not.raise + end + specify "should parse nested query strings correctly" do Rack::Utils.parse_nested_query("foo"). should.equal "foo" => nil
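Review bot: `raise RangeError if depth <= 0` in the `normalize_params` hunk raises with no message, so a request that trips the limit shows up in logs as a bare `RangeError` that is hard to tell apart from other range errors; suggest `raise RangeError, "exceeded parameter depth limit of #{Utils.param_depth_limit}"`. Nothing in this debdiff rescues the exception in `parse_nested_query` or the request layer, so an over-deep query string surfaces as an application error rather than a 400 rejection unless the application or a middleware rescues `RangeError`; that is the expected outcome of a stack-exhaustion fix, but it is worth stating in README.Debian next to the test instructions. The decrement placement agrees with the new spec in the `test/spec_rack_utils.rb` hunk: `len` bracketed segments reach depth 0 and raise, `len - 1` segments stop at depth 1 and parse.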
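Review bot: the `debian/changelog` hunk names the CVE but not the new process-wide tunable `Rack::Utils.param_depth_limit` (default 100) that the first `lib/rack/utils.rb` hunk introduces; since administrators of deployments with legitimately deep nested forms will need to raise it at boot, suggest a changelog line such as "New Rack::Utils.param_depth_limit setting controls the maximum nesting depth" so the change is discoverable from the package metadata.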
Re: [DRE-maint] Debian LTS Security update of ruby-activerecord-3.2
Hi Ola,

On Thu, May 26, 2016 at 11:27:42PM +0200, Ola Lundqvist wrote:
> Hi ruby-activerecord-3.2 maintainer(s) and Debian LTS team
>
> This is my third package contribution to Debian LTS. I'm doing this as a
> training exercise and this is why the maintainer has not been asked to do
> this for me.
>
> I have prepared an update of the ruby-activerecord-3.2 package with a fix
> for
> https://security-tracker.debian.org/tracker/CVE-2015-7577

While looking into CVE-2016-0753 of ruby-activemodel-3.2 I noticed that ruby-activerecord-3.2 is affected as well and not fixed with your proposed debdiff. I'm just looking into this atm and don't want to duplicate efforts.

Cheers,
-- Guido
Re: [DRE-maint] Debian LTS Security update of ruby-activerecord-3.2
On Mon, May 30, 2016 at 08:11:23PM +0200, Ola Lundqvist wrote:
> Hi Guido
>
> Yes that is true. I have not solved that problem. I focused on only one of
> the issues as I had to look into two packages to solve the one you refer
> to. Great that you will have a look at that one.
>
> I'll upload ruby-activerecord-3.2 shortly (read today) and it will look
> like the one I had in the directory above. But I guess it is better to base
> it on the one I upload just in case.

Okay. Please make sure that ruby-activerecord-3.2 stays in dla-needed.txt then, since it still needs CVEs fixed. Although I know a bit of Ruby I don't know much ActiveRecord/ActiveModel yet, so in case somebody in the LTS team knows this stuff in and out I'm glad to pass this over.

Cheers,
-- Guido