Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package ruby-actionpack-3.2

This new version includes fixes for two security problems (CVE-2012-3463, CVE-2012-3465), closing 1 RC bug (#684454). A debdiff between the version in testing and this new version, which was just uploaded to unstable, follows.

unblock ruby-actionpack-3.2/3.2.6-4

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- Antonio Terceiro <terce...@debian.org>
diff -Nru ruby-actionpack-3.2-3.2.6/debian/changelog ruby-actionpack-3.2-3.2.6/debian/changelog --- ruby-actionpack-3.2-3.2.6/debian/changelog 2012-08-04 09:29:24.000000000 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/changelog 2012-08-10 13:33:44.000000000 -0300 @@ -1,3 +1,16 @@ +ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high + + * Add patches for security problems (Closes: #684454): + + CVE-2012-3463 - Ruby on Rails Potential XSS Vulnerability in select_tag + prompt + + CVE-2012-3465 - XSS Vulnerability in strip_tags + + Both patches were edited from their original versions in two ways: + - the leading a/ and b/ from the filenames were stripped + - changes over test files were removed, since the Debian package + contains no test files. + + -- Antonio Terceiro <terce...@debian.org> Fri, 10 Aug 2012 13:08:08 -0300 + ruby-actionpack-3.2 (3.2.6-3) unstable; urgency=high * Add patch by Aaron Patterson for CVE-2012-3424 (Closes: #683370) diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3463.patch ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3463.patch --- ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3463.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3463.patch 2012-08-10 13:31:17.000000000 -0300 
@@ -0,0 +1,30 @@ +From ec30fba02d2d3a0c90dfc9a38629d2c0d55bf8c1 Mon Sep 17 00:00:00 2001 +From: Santiago Pastorino <santi...@wyeworks.com> +Date: Wed, 8 Aug 2012 15:10:35 -0700 +Subject: [PATCH] escape select_tag :prompt values + +--- + actionpack/lib/action_view/helpers/form_tag_helper.rb | 4 ++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git actionpack/lib/action_view/helpers/form_tag_helper.rb actionpack/lib/action_view/helpers/form_tag_helper.rb +index 066b98d..9e0ec17 100644 +--- actionpack/lib/action_view/helpers/form_tag_helper.rb ++++ actionpack/lib/action_view/helpers/form_tag_helper.rb +@@ -122,11 +122,11 @@ module ActionView + html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name + + if options.delete(:include_blank) +- option_tags = "<option value=\"\"></option>".html_safe + option_tags ++ option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags) + end + + if prompt = options.delete(:prompt) +- option_tags = "<option value=\"\">#{prompt}</option>".html_safe + option_tags ++ option_tags = content_tag(:option, prompt, :value => '').safe_concat(option_tags) + end + + content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys) +-- +1.7.11.1 + diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3465.patch ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3465.patch --- ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3465.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2012-3465.patch 2012-08-10 13:31:39.000000000 -0300 
@@ -0,0 +1,26 @@ +From bb98352d42d654970299450b009223968a53c6f8 Mon Sep 17 00:00:00 2001 +From: Santiago Pastorino <santi...@wyeworks.com> +Date: Wed, 8 Aug 2012 14:33:39 -0700 +Subject: [PATCH] Do not mark strip_tags result as html_safe + +Thanks to Marek Labos & Nethemba +--- + actionpack/lib/action_view/helpers/sanitize_helper.rb | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git actionpack/lib/action_view/helpers/sanitize_helper.rb actionpack/lib/action_view/helpers/sanitize_helper.rb +index 7768c8c..0f6a5ed 100644 +--- actionpack/lib/action_view/helpers/sanitize_helper.rb ++++ actionpack/lib/action_view/helpers/sanitize_helper.rb +@@ -80,7 +80,7 @@ module ActionView + # strip_tags("<div id='top-bar'>Welcome to my website!</div>") + # # => Welcome to my website! + def strip_tags(html) +- self.class.full_sanitizer.sanitize(html).try(:html_safe) ++ self.class.full_sanitizer.sanitize(html) + end + + # Strips all link tags from +text+ leaving just the link text. +-- +1.7.11.1 + diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/series ruby-actionpack-3.2-3.2.6/debian/patches/series --- ruby-actionpack-3.2-3.2.6/debian/patches/series 2012-08-04 09:26:26.000000000 -0300 +++ ruby-actionpack-3.2-3.2.6/debian/patches/series 2012-08-10 13:29:41.000000000 -0300 @@ -1 +1,3 @@ CVE-2012-3424.patch +CVE-2012-3463.patch +CVE-2012-3465.patch
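Review bot: the diffstat inside CVE-2012-3463.patch (`actionpack/lib/action_view/helpers/form_tag_helper.rb | 4 ++--` followed by `2 files changed, 8 insertions(+), 2 deletions(-)`) still describes the upstream two-file commit, while the body below it touches only form_tag_helper.rb with two changed lines after the test-file changes were stripped, as the changelog explains; quilt ignores the stat header, but editing or regenerating it would keep the patch self-consistent for the next reader. On the substance, replacing `"<option value=\"\">#{prompt}</option>".html_safe` with `content_tag(:option, prompt, :value => '')` is the right shape: content_tag escapes its body unless it is already html_safe, so a user-influenced `:prompt` can no longer inject markup, and `safe_concat` keeps the already-safe `option_tags` that follow. The parallel change to the `:include_blank` branch is behaviour-neutral (its body is a fixed empty string) and is there only for consistency.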
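Review bot: dropping `.try(:html_safe)` in strip_tags means the sanitizer's result is returned as a plain String that ERB escapes on output, which is the intended fix, since full_sanitizer only removes tags and does not escape whatever text remains. Two consequences are worth recording in the changelog or README.Debian for an urgency=high upload aimed at testing: the `.try` was only there because sanitize can return nil, and with it gone nil passes through unchanged, so no extra guard is needed; and callers that relied on the html_safe flag to render strip_tags output unescaped will now see it escaped, which is the correct default but a visible behaviour change. As in the other patch, the stat header (`2 files changed, 3 insertions(+), 3 deletions(-)`) no longer matches the single one-line change that follows it.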