diff -Nru librack-ruby-1.1.0/debian/changelog librack-ruby-1.1.0/debian/changelog --- librack-ruby-1.1.0/debian/changelog 2013-02-20 00:05:43.000000000 +0000 +++ librack-ruby-1.1.0/debian/changelog 2013-02-20 00:05:43.000000000 +0000 @@ -1,3 +1,12 @@ +librack-ruby (1.1.0-4.1+squeeze1) stable-security; urgency=high + + * Non Maintainer Upload. + * Create cherry-picked patches for Security Fix (cf. #700226 #698440). + - CVE-2013-0184: 0001-Reimplement-auth-scheme-fix.patch + - CVE-2013-0263: 0002-Use-secure_compare-for-hmac-comparison.patch + + -- KURASHIKI Satoru Mon, 11 Feb 2013 10:49:37 +0900 + librack-ruby (1.1.0-4) unstable; urgency=low * Team upload. diff -Nru librack-ruby-1.1.0/debian/patches/0001-Reimplement-auth-scheme-fix.patch librack-ruby-1.1.0/debian/patches/0001-Reimplement-auth-scheme-fix.patch --- librack-ruby-1.1.0/debian/patches/0001-Reimplement-auth-scheme-fix.patch 1970-01-01 00:00:00.000000000 +0000 +++ librack-ruby-1.1.0/debian/patches/0001-Reimplement-auth-scheme-fix.patch 2013-02-20 00:05:43.000000000 +0000 @@ -0,0 +1,97 @@ +--- a/lib/rack.rb 2013-02-11 02:31:24.375449225 +0000 ++++ b/lib/rack.rb 2013-02-11 02:33:48.735596653 +0000 +@@ -71,6 +71,18 @@ module Rack + autoload :Params, "rack/auth/digest/params" + autoload :Request, "rack/auth/digest/request" + end ++ ++ # Not all of the following schemes are "standards", but they are used often. ++ @schemes = %w[basic digest bearer mac token oauth oauth2] ++ ++ def self.add_scheme scheme ++ @schemes << scheme ++ @schemes.uniq! ++ end ++ ++ def self.schemes ++ @schemes.dup ++ end + end + + module Session +--- a/lib/rack/auth/abstract/request.rb 2013-02-11 02:36:39.864688680 +0000 ++++ b/lib/rack/auth/abstract/request.rb 2013-02-11 02:39:02.948692080 +0000 +@@ -15,7 +15,11 @@ + end + + def scheme +- @scheme ||= parts.first.downcase.to_sym ++ @scheme ||= ++ begin ++ s = parts.first.downcase ++ Rack::Auth.schemes.include?(s) ? s.to_sym : s ++ end + end + + def params +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ b/test/spec_auth.rb 2013-02-11 02:28:44.635615432 +0000 +@@ -0,0 +1,57 @@ ++require 'rack' ++ ++describe Rack::Auth do ++ it "should have all common authentication schemes" do ++ Rack::Auth.schemes.should.include? 'basic' ++ Rack::Auth.schemes.should.include? 'digest' ++ Rack::Auth.schemes.should.include? 'bearer' ++ Rack::Auth.schemes.should.include? 'token' ++ end ++ ++ it "should allow registration of new auth schemes" do ++ Rack::Auth.schemes.should.not.include "test" ++ Rack::Auth.add_scheme "test" ++ Rack::Auth.schemes.should.include "test" ++ end ++end ++ ++describe Rack::Auth::AbstractRequest do ++ it "should symbolize known auth schemes" do ++ env = Rack::MockRequest.env_for('/') ++ env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :basic ++ ++ ++ env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :digest ++ ++ env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :bearer ++ ++ env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :mac ++ ++ env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :token ++ ++ env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :oauth ++ ++ env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :oauth2 ++ end ++ ++ it "should not symbolize unknown auth schemes" do ++ env = Rack::MockRequest.env_for('/') ++ env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == "magic" ++ end ++end + diff -Nru librack-ruby-1.1.0/debian/patches/0002-Use-secure_compare-for-hmac-comparison.patch librack-ruby-1.1.0/debian/patches/0002-Use-secure_compare-for-hmac-comparison.patch --- librack-ruby-1.1.0/debian/patches/0002-Use-secure_compare-for-hmac-comparison.patch 1970-01-01 00:00:00.000000000 +0000 +++ librack-ruby-1.1.0/debian/patches/0002-Use-secure_compare-for-hmac-comparison.patch 2013-02-20 00:05:43.000000000 +0000 @@ -0,0 +1,46 @@ +--- a/lib/rack/session/cookie.rb 2013-02-11 01:54:07.291302061 +0000 ++++ b/lib/rack/session/cookie.rb 2013-02-11 01:55:10.135303555 +0000 +@@ -46,7 +46,7 @@ + + if @secret && session_data + session_data, digest = session_data.split("--") +- session_data = nil unless digest == generate_hmac(session_data) ++ session_data = nil unless Rack::Utils.secure_compare(digest, generate_hmac(session_data)) + end + + begin +--- a/lib/rack/utils.rb 2013-02-11 01:55:45.791304402 +0000 ++++ b/lib/rack/utils.rb 2013-02-11 01:56:43.395305772 +0000 +@@ -234,6 +234,18 @@ + end + module_function :bytesize + ++ # Constant time string comparison. ++ def secure_compare(a, b) ++ return false unless bytesize(a) == bytesize(b) ++ ++ l = a.unpack("C*") ++ ++ r, i = 0, -1 ++ b.each_byte { |v| r |= v ^ l[i+=1] } ++ r == 0 ++ end ++ module_function :secure_compare ++ + # Context allows the use of a compatible middleware at different points + # in a request handling stack. A compatible middleware must define + # #context which should take the arguments env and app. The first of which +--- a/test/spec_rack_utils.rb 2013-02-11 01:57:17.383306580 +0000 ++++ b/test/spec_rack_utils.rb 2013-02-11 01:58:12.775307896 +0000 +@@ -205,6 +205,11 @@ + Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6 + end + ++ specify "should perform constant time string comparison" do ++ Rack::Utils.secure_compare('a', 'a').should.equal true ++ Rack::Utils.secure_compare('a', 'b').should.equal false ++ end ++ + specify "should return status code for integer" do + Rack::Utils.status_code(200).should.equal 200 + end diff -Nru librack-ruby-1.1.0/debian/rules librack-ruby-1.1.0/debian/rules --- librack-ruby-1.1.0/debian/rules 2013-02-20 00:05:43.000000000 +0000 +++ librack-ruby-1.1.0/debian/rules 2013-02-20 00:05:43.000000000 +0000 @@ -1,5 +1,6 @@ #!/usr/bin/make -f +include /usr/share/cdbs/1/rules/simple-patchsys.mk include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/ruby-pkg-tools/1/class/ruby-setup-rb.mk