Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Fixes three issues in rails, debdiff below. Passes all regressions tests and a quick functional test. Cheers, Moritz
diff -Nru rails-4.2.7.1/debian/changelog rails-4.2.7.1/debian/changelog
--- rails-4.2.7.1/debian/changelog 2016-08-22 19:33:48.000000000 +0200
+++ rails-4.2.7.1/debian/changelog 2019-04-18 16:51:20.000000000 +0200
@@ -1,3 +1,10 @@
+rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium
+
+ * CVE-2018-16476 (Closes: #914847)
+ * CVE-2019-5418 / CVE-2019-5419 (Closes: #924520)
+
+ -- Moritz Mühlenhoff <j...@debian.org> Thu, 18 Apr 2019 20:48:13 +0200
+
 rails (2:4.2.7.1-1) unstable; urgency=medium
 
 * New upstream release; includes fixes for the following issues:
diff -Nru rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch
--- rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch 1970-01-01 01:00:00.000000000 +0100
+++ rails-4.2.7.1/debian/patches/006-CVE-2018-16476.patch 2019-04-18 16:44:58.000000000 +0200
@@ -0,0 +1,47 @@
+From 4f03411fd07d714b525655e2457bbd761c9f03a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfra...@gmail.com>
+Date: Wed, 5 Sep 2018 17:38:09 -0400
+Subject: [PATCH] Do not deserialize GlobalID objects that were not generated by
+ Active Job
+
+Trusting any GlobaID object when deserializing jobs can allow
+attackers to access information that should not be accessible to them.
+
+Fix CVE-2018-16476.
+---
+ activejob/lib/active_job/arguments.rb | 2 +-
+ activejob/test/cases/argument_serialization_test.rb | 4 ++++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
+index ecd81f2099..e33ee649cd 100644
+--- a/activejob/lib/active_job/arguments.rb
++++ b/activejob/lib/active_job/arguments.rb
+@@ -75,7 +75,7 @@ module ActiveJob
+ def deserialize_argument(argument)
+ case argument
+ when String
+- GlobalID::Locator.locate(argument) || argument
++ argument
+ when *TYPE_WHITELIST
+ argument
+ when Array
+diff --git a/activejob/test/cases/argument_serialization_test.rb b/activejob/test/cases/argument_serialization_test.rb
+index 1f11e916c4..058a828b86 100644
+--- a/activejob/test/cases/argument_serialization_test.rb
++++ b/activejob/test/cases/argument_serialization_test.rb
+@@ -35,6 +35,10 @@ class ArgumentSerializationTest < ActiveSupport::TestCase
+ assert_arguments_roundtrip [@person]
+ end
+
++ test "should keep Global IDs strings as they are" do
++ assert_arguments_roundtrip [@person.to_gid.to_s]
++ end
++
+ test 'should dive deep into arrays and hashes' do
+ assert_arguments_roundtrip [3, [@person]]
+ assert_arguments_roundtrip [{ 'a' => @person }]
+--
+2.18.0
+
diff -Nru rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch
--- rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch 1970-01-01 01:00:00.000000000 +0100
+++ rails-4.2.7.1/debian/patches/007-CVE-2019-5418_CVE-2019-5419.patch 2019-04-18 16:45:44.000000000 +0200
@@ -0,0 +1,113 @@
+From 58ed245e80a8710fbe31e91417bfd19f9f934cc4 Mon Sep 17 00:00:00 2001
+From: John Hawthorn <john@hawthorn.email>
+Date: Mon, 4 Mar 2019 18:24:51 -0800
+Subject: [PATCH] Only accept formats from registered mime types
+
+[CVE-2019-5418]
+[CVE-2019-5419]
+---
+ .../lib/action_dispatch/http/mime_negotiation.rb | 6 +++++-
+ .../test/controller/mime/respond_to_test.rb | 14 ++++++++------
+ .../new_base/content_negotiation_test.rb | 16 +++++++++++++---
+ 3 files changed, 26 insertions(+), 10 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+index 53a98c5d0a..00fd3d03df 100644
+--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
++++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+@@ -61,7 +61,7 @@ module ActionDispatch
+ false
+ end
+
+- if params_readable
++ v = if params_readable
+ Array(Mime[parameters[:format]])
+ elsif use_accept_header && valid_accept_header
+ accepts
+@@ -70,6 +70,10 @@ module ActionDispatch
+ else
+ [Mime::HTML]
+ end
++
++ v.select do |format|
++ format.symbol || format.ref == "*/*"
++ end
+ end
+ end
+
+diff --git a/actionpack/test/controller/mime/respond_to_test.rb b/actionpack/test/controller/mime/respond_to_test.rb
+index 66d2fd7716..07ad0085fc 100644
+--- a/actionpack/test/controller/mime/respond_to_test.rb
++++ b/actionpack/test/controller/mime/respond_to_test.rb
+@@ -87,9 +87,9 @@ class RespondToController < ActionController::Base
+
+ def custom_type_handling
+ respond_to do |type|
+- type.html { render :text => "HTML" }
+- type.custom("application/crazy-xml") { render :text => "Crazy XML" }
+- type.all { render :text => "Nothing" }
++ type.html { render text: "HTML" }
++ type.custom("application/fancy-xml") { render text: "Fancy XML" }
++ type.all { render text: "Nothing" }
+ end
+ end
+
+@@ -269,12 +269,14 @@ class RespondToControllerTest < ActionController::TestCase
+ @request.host = "www.example.com"
+ Mime::Type.register_alias("text/html", :iphone)
+ Mime::Type.register("text/x-mobile", :mobile)
++ Mime::Type.register("application/fancy-xml", :fancy_xml)
+ end
+
+ def teardown
+ super
+ Mime::Type.unregister(:iphone)
+ Mime::Type.unregister(:mobile)
++ Mime::Type.unregister(:fancy_xml)
+ end
+
+ def test_html
+@@ -430,10 +432,10 @@ class RespondToControllerTest < ActionController::TestCase
+ end
+
+ def test_custom_types
+- @request.accept = "application/crazy-xml"
++ @request.accept = "application/fancy-xml"
+ get :custom_type_handling
+- assert_equal "application/crazy-xml", @response.content_type
+- assert_equal 'Crazy XML', @response.body
++ assert_equal "application/fancy-xml", @response.content_type
++ assert_equal "Fancy XML", @response.body
+
+ @request.accept = "text/html"
+ get :custom_type_handling
+diff --git a/actionpack/test/controller/new_base/content_negotiation_test.rb b/actionpack/test/controller/new_base/content_negotiation_test.rb
+index 5fd5946619..57bf16ac9c 100644
+--- a/actionpack/test/controller/new_base/content_negotiation_test.rb
++++ b/actionpack/test/controller/new_base/content_negotiation_test.rb
+@@ -19,9 +19,19 @@ module ContentNegotiation
+ assert_body "Hello world */*!"
+ end
+
+- test "Not all mimes are converted to symbol" do
+- get "/content_negotiation/basic/all", {}, "HTTP_ACCEPT" => "text/plain, mime/another"
+- assert_body '[:text, "mime/another"]'
++ test "A js or */* Accept header will return HTML" do
++ get "/content_negotiation/basic/hello", {}, { "HTTP_ACCEPT" => "text/javascript, */*" }
++ assert_body "Hello world text/html!"
++ end
++
++ test "A js or */* Accept header on xhr will return HTML" do
++ xhr :get, "/content_negotiation/basic/hello", {}, { "HTTP_ACCEPT" => "text/javascript, */*" }
++ assert_body "Hello world text/javascript!"
++ end
++
++ test "Unregistered mimes are ignored" do
++ get "/content_negotiation/basic/all", {}, { "HTTP_ACCEPT" => "text/plain, mime/another" }
++ assert_body '[:text]'
+ end
+ end
+ end
+--
+2.21.0
+
diff -Nru rails-4.2.7.1/debian/patches/series rails-4.2.7.1/debian/patches/series
--- rails-4.2.7.1/debian/patches/series 2016-08-22 19:33:48.000000000 +0200
+++ rails-4.2.7.1/debian/patches/series 2019-04-18 16:48:04.000000000 +0200
@@ -2,3 +2,5 @@
 0002-load_paths.rb-don-t-load-bundler.patch
 0004-ActiveRecord-adjust-test-suite-for-Debian-build.patch
 0005-relax-json.patch
+006-CVE-2018-16476.patch
+007-CVE-2019-5418_CVE-2019-5419.patch

-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
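Review bot: The `v.select` filter added to `formats` in mime_negotiation.rb (inner hunk `@@ -70,6 +70,10`) produces an empty array when every entry of the Accept header is an unregistered type, but the new test "Unregistered mimes are ignored" only pins the mixed case (`text/plain, mime/another` → `[:text]`). For a stable update it would be worth adding a test that states what a request whose Accept header lists only unregistered types now receives — presumably an `ActionController::UnknownFormat` from `respond_to`, via `negotiate_mime`, which is outside this hunk — so that the behaviour change is recorded rather than implicit. A short comment above the filter would also help future readers understand why the restriction exists: `# Only registered types (those with a symbol) or */* may be negotiated; an unregistered Accept value must never reach render (CVE-2019-5418 / CVE-2019-5419)`. The start of the `formats` method and the assignment that consumes the selected value are outside the inner hunk.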