Bug#882724: marked as done (stretch-pu: package ruby-ox/2.1.1-2+b6)

Sat, 09 Dec 2017 03:02:07 -0800 

Your message dated Sat, 09 Dec 2017 10:46:36 +0000
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #882724,
regarding stretch-pu: package ruby-ox/2.1.1-2+b6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
882724: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882724
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

this update fixes bug #881445 [CVE-2017-15928]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
by cherrypicking a patch from upstream, to crash of the ruby interpreter
on a parse error.

Debdiff attached.

As jessie and stretch have the same version of this package, I am
willing to upload the same fix to jessie (same diff except the version
number with deb8 instead of deb9). Should I submit an independent bug
report for the jessie proposed update ?

Thanks in advance.

Cédric

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru ruby-ox-2.1.1/debian/changelog ruby-ox-2.1.1/debian/changelog
--- ruby-ox-2.1.1/debian/changelog      2014-04-04 12:58:15.000000000 +0200
+++ ruby-ox-2.1.1/debian/changelog      2017-11-26 01:08:40.000000000 +0100
@@ -1,3 +1,12 @@
+ruby-ox (2.1.1-2+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * Add fix_parse_obj_segfault.patch picked from upstream
+    + fix CVE-2017-15928: segmentation fault in parse_obj
+    (Closes: #881445)
+
+ -- Cédric Boutillier <bou...@debian.org>  Sun, 26 Nov 2017 01:08:40 +0100
+
 ruby-ox (2.1.1-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru ruby-ox-2.1.1/debian/gbp.conf ruby-ox-2.1.1/debian/gbp.conf
--- ruby-ox-2.1.1/debian/gbp.conf       1970-01-01 01:00:00.000000000 +0100
+++ ruby-ox-2.1.1/debian/gbp.conf       2017-11-26 00:52:18.000000000 +0100
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch=stretch/master
+upstream-branch=stretch/upstream
diff -Nru ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch 
ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch
--- ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch   1970-01-01 
01:00:00.000000000 +0100
+++ ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch   2017-11-26 
01:08:40.000000000 +0100
@@ -0,0 +1,51 @@
+Description: Avoid crash with invalid XML passed to Oj.parse_obj()
+ this fixes CVE-2017-15928
+Author: Peter Ohler <pe...@ohler.com>
+Origin: 
https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8.patch
+Bug: https://github.com/ohler55/ox/issues/194
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
+Last-Update: 2017-11-25
+
+--- a/ext/ox/obj_load.c
++++ b/ext/ox/obj_load.c
+@@ -791,8 +791,10 @@
+                   Helper      gh;
+ 
+                   helper_stack_pop(&pi->helpers);
+-                  gh = helper_stack_peek(&pi->helpers);
+-
++                  if (NULL == (gh = helper_stack_peek(&pi->helpers))) {
++                      set_error(&pi->err, "Corrupt parse stack, container is 
wrong type", pi->str, pi->s);
++                      return;
++                  }
+                   rb_hash_aset(gh->obj, ph->obj, h->obj);
+               }
+               break;
+--- a/ext/ox/err.c
++++ b/ext/ox/err.c
+@@ -42,7 +42,11 @@
+     va_end(ap);
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ ox_err_raise(Err e) {
+     rb_raise(e->clas, "%s", e->msg);
+ }
+--- a/ext/ox/ox.c
++++ b/ext/ox/ox.c
+@@ -990,7 +990,11 @@
+ #endif
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ _ox_raise_error(const char *msg, const char *xml, const char *current, const 
char* file, int line) {
+     int       xline = 1;
+     int       col = 1;
diff -Nru ruby-ox-2.1.1/debian/patches/series 
ruby-ox-2.1.1/debian/patches/series
--- ruby-ox-2.1.1/debian/patches/series 2014-03-22 13:16:52.000000000 +0100
+++ ruby-ox-2.1.1/debian/patches/series 2017-11-26 01:08:40.000000000 +0100
@@ -1 +1,2 @@
+fix_parse_obj_segfault.patch
 000-fix-so-load-path.patch

--- End Message ---
--- Begin Message --- 
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam

--- End Message ---

Reply via email to