Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package ruby-activemodel-3.2, ruby-activerecord-2.3 and ruby-activeresource-2.3.

Hi,

another round of ruby on rails CVEs, and one FTBFS fix and a CVE fix; debdiffs are attached.

$ diffstat /tmp/ruby-activemodel-3.2_3.2.6-3.debdiff
 changelog                   |    6 ++++++
 patches/CVE-2013-0276.patch |   34 ++++++++++++++++++++++++++++++++++
 patches/series              |    1 +
 3 files changed, 41 insertions(+)

$ diffstat /tmp/ruby-activerecord-2.3_2.3.14-5.debdiff
 changelog                   |    7 +++++
 patches/CVE-2013-0276.patch |   38 ++++++++++++++++++++++++++++
 patches/CVE-2013-0277.patch |   58 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    2 +
 4 files changed, 105 insertions(+)

$ diffstat /tmp/ruby-activeresource-2.3_2.3.14-3.debdiff
 changelog                                           |   10 ++++
 patches/0003-remove-test-for-XML-YAML-parsing.patch |   48 ++++++++++++++++++++
 patches/series                                      |    1
 3 files changed, 59 insertions(+)

Ondrej

unblock ruby-activemodel-3.2/3.2.6-3
unblock ruby-activerecord-2.3/2.3.14-5
unblock ruby-activeresource-2.3/2.3.14-3

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby-activemodel-3.2-3.2.6/debian/changelog ruby-activemodel-3.2-3.2.6/debian/changelog --- ruby-activemodel-3.2-3.2.6/debian/changelog 2012-06-25 00:24:14.000000000 +0200 +++ ruby-activemodel-3.2-3.2.6/debian/changelog 2013-02-12 16:58:28.000000000 +0100 @@ -1,3 +1,9 @@ +ruby-activemodel-3.2 (3.2.6-3) unstable; urgency=low + + * Fix circumvention of attr_protected [CVE-2013-0276] + + -- Ondřej Surý <ond...@debian.org> Tue, 12 Feb 2013 16:58:09 +0100 + ruby-activemodel-3.2 (3.2.6-2) unstable; urgency=low * Bump build dependency on gem2deb to >- 0.3.0~ diff -Nru ruby-activemodel-3.2-3.2.6/debian/patches/CVE-2013-0276.patch ruby-activemodel-3.2-3.2.6/debian/patches/CVE-2013-0276.patch --- ruby-activemodel-3.2-3.2.6/debian/patches/CVE-2013-0276.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-activemodel-3.2-3.2.6/debian/patches/CVE-2013-0276.patch 2013-02-12 16:58:28.000000000 +0100 
@@ -0,0 +1,34 @@ +From 060bb7250b963609a0d8a5d0559e36b99d2402c6 Mon Sep 17 00:00:00 2001 +From: joernchen of Phenoelit <joernc...@phenoelit.de> +Date: Sat, 9 Feb 2013 15:46:44 -0800 +Subject: [PATCH] Fix issue with attr_protected where malformed input could + circumvent protection + +Fixes: CVE-2013-0276 +--- + activemodel/lib/active_model/attribute_methods.rb | 2 +- + activemodel/lib/active_model/mass_assignment_security/permission_set.rb | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/lib/active_model/attribute_methods.rb ++++ b/lib/active_model/attribute_methods.rb +@@ -365,7 +365,7 @@ module ActiveModel + end + + @prefix, @suffix = options[:prefix] || '', options[:suffix] || '' +- @regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/ ++ @regex = /\A(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})\z/ + @method_missing_target = "#{@prefix}attribute#{@suffix}" + @method_name = "#{prefix}%s#{suffix}" + end +--- a/lib/active_model/mass_assignment_security/permission_set.rb ++++ b/lib/active_model/mass_assignment_security/permission_set.rb +@@ -19,7 +19,7 @@ module ActiveModel + protected + + def remove_multiparameter_id(key) +- key.to_s.gsub(/\(.+/, '') ++ key.to_s.gsub(/\(.+/m, '') + end + end + diff -Nru ruby-activemodel-3.2-3.2.6/debian/patches/series ruby-activemodel-3.2-3.2.6/debian/patches/series --- ruby-activemodel-3.2-3.2.6/debian/patches/series 2012-06-16 14:41:53.000000000 +0200 +++ ruby-activemodel-3.2-3.2.6/debian/patches/series 2013-02-12 16:58:28.000000000 +0100 @@ -1 +1,2 @@ remove-rubygems-requirement.patch +CVE-2013-0276.patch
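Review bot: The changelog entry in this debdiff uses `urgency=low` for a security fix (CVE-2013-0276) while the ruby-activerecord-2.3 and ruby-activeresource-2.3 uploads in the same request use `urgency=high`; `urgency=high` would be consistent here. The two code changes are the substance of the fix and are correct as backported: in Ruby `^` and `$` match at line boundaries and `.` does not match a newline without the `m` flag, so the `\A`/`\z` anchors in attribute_methods.rb and the `m` on `gsub(/\(.+/m, '')` in permission_set.rb are what make a key containing a newline be checked against the protected list the same way a well-formed key is. The backport carries no regression test, unlike the activerecord CVE-2013-0277 patch; a test asserting that the permission set still denies a protected name when it is followed by a newline would document the fix for the next person touching `remove_multiparameter_id`.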
diff -Nru ruby-activeresource-2.3-2.3.14/debian/changelog ruby-activeresource-2.3-2.3.14/debian/changelog --- ruby-activeresource-2.3-2.3.14/debian/changelog 2012-06-29 20:17:48.000000000 +0200 +++ ruby-activeresource-2.3-2.3.14/debian/changelog 2013-02-12 16:56:48.000000000 +0100 @@ -1,3 +1,13 @@ +ruby-activeresource-2.3 (2.3.14-3) unstable; urgency=high + + [Sebastian Ramacher] + * debian/patches/0003-remove-test-for-XML-YAML-parsing.patch: Backport patch + from upstream to disable test for XML YAML parsing. XML YAML parsing has + been removed in ruby-activesupport-2.3/2.3.14-5 to fix CVE-2013-0156. + (Closes: #699255) + + -- Ondřej Surý <ond...@debian.org> Sun, 10 Feb 2013 22:46:39 +0100 + ruby-activeresource-2.3 (2.3.14-2) unstable; urgency=low * Team upload. diff -Nru ruby-activeresource-2.3-2.3.14/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch ruby-activeresource-2.3-2.3.14/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch --- ruby-activeresource-2.3-2.3.14/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-activeresource-2.3-2.3.14/debian/patches/0003-remove-test-for-XML-YAML-parsing.patch 2013-02-12 16:56:48.000000000 +0100 
@@ -0,0 +1,48 @@ +Description: Remove test for XML YAML parsing + The support for YAML parsing in XML has been removed from Active Support + since it introduced an security risk (CVE-2013-0156). +Origin: backport, https://github.com/rails/activeresource/commit/a0589575 +Last-Update: 2013-02-10 + +--- a/test/base_test.rb ++++ b/test/base_test.rb +@@ -49,25 +49,11 @@ + :children => [{:name => 'Natacha'}]}, + {:name => 'Milena', + :children => []}]}]}.to_xml(:root => 'customer') +- # - resource with yaml array of strings; for ActiveRecords using serialize :bar, Array +- @marty = <<-eof.strip +- <?xml version=\"1.0\" encoding=\"UTF-8\"?> +- <person> +- <id type=\"integer\">5</id> +- <name>Marty</name> +- <colors type=\"yaml\">--- +- - \"red\" +- - \"green\" +- - \"blue\" +- </colors> +- </person> +- eof + + ActiveResource::HttpMock.respond_to do |mock| + mock.get "/people/1.xml", {}, @matz + mock.get "/people/2.xml", {}, @david + mock.get "/people/6.json", {}, @joe +- mock.get "/people/5.xml", {}, @marty + mock.get "/people/Greg.xml", {}, @greg + mock.get "/people/4.xml", {'key' => 'value'}, nil, 404 + mock.put "/people/1.xml", {}, nil, 204 +@@ -1075,13 +1061,4 @@ + end + end + +- def test_load_yaml_array +- assert_nothing_raised do +- marty = Person.find(5) +- assert_equal 3, marty.colors.size +- marty.colors.each do |color| +- assert_kind_of String, color +- end +- end +- end + end diff -Nru ruby-activeresource-2.3-2.3.14/debian/patches/series ruby-activeresource-2.3-2.3.14/debian/patches/series --- ruby-activeresource-2.3-2.3.14/debian/patches/series 2012-02-02 23:56:24.000000000 +0100 +++ ruby-activeresource-2.3-2.3.14/debian/patches/series 2013-02-12 16:56:48.000000000 +0100 @@ -1,2 +1,3 @@ 0001-comment_out_failing_upstream_tests.patch 0002-require_abstract_unit_needs_test_directory.patch +0003-remove-test-for-XML-YAML-parsing.patch
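Review bot: The debdiff drops the `@marty` fixture and `test_load_yaml_array`, but nothing in it ties ruby-activeresource-2.3 to the ruby-activesupport-2.3 version that actually removed `type="yaml"` handling (2.3.14-5, as the changelog says); since the removed test shows Active Resource handing XML fetched from a remote endpoint (`/people/5.xml`) to Active Support's parser, a versioned `Depends: ruby-activesupport-2.3 (>= 2.3.14-5)` in debian/control would keep an installed activeresource from running against an older activesupport that still deserialises YAML out of XML. Minor: the DEP-3 Description reads "introduced an security risk"; it should be "a security risk".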
diff -Nru ruby-activerecord-2.3-2.3.14/debian/changelog ruby-activerecord-2.3-2.3.14/debian/changelog --- ruby-activerecord-2.3-2.3.14/debian/changelog 2013-01-16 01:16:58.000000000 +0100 +++ ruby-activerecord-2.3-2.3.14/debian/changelog 2013-02-12 17:05:09.000000000 +0100 @@ -1,3 +1,10 @@ +ruby-activerecord-2.3 (2.3.14-5) unstable; urgency=high + + * Fix circumvention of attr_protected [CVE-2013-0276] + * Fix serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 [CVE-2013-0277] + + -- Ondřej Surý <ond...@debian.org> Tue, 12 Feb 2013 17:04:53 +0100 + ruby-activerecord-2.3 (2.3.14-4) unstable; urgency=high * Team upload. diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0276.patch ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0276.patch --- ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0276.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0276.patch 2013-02-12 17:05:09.000000000 +0100 
@@ -0,0 +1,38 @@ +From 9a48f4cf329f66682c34c86822d625d63dbb6919 Mon Sep 17 00:00:00 2001 +From: Aaron Patterson <aaron.patter...@gmail.com> +Date: Sat, 9 Feb 2013 16:31:04 -0800 +Subject: [PATCH] fixing attr_protected CVE-2013-0276 + +--- + activerecord/lib/active_record/attribute_methods.rb | 2 +- + activerecord/lib/active_record/base.rb | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/lib/active_record/attribute_methods.rb ++++ b/lib/active_record/attribute_methods.rb +@@ -130,7 +130,7 @@ module ActiveRecord + # Suffixes a, ?, c become regexp /(a|\?|c)$/ + def rebuild_attribute_method_regexp + suffixes = attribute_method_suffixes.map { |s| Regexp.escape(s) } +- @@attribute_method_regexp = /(#{suffixes.join('|')})$/.freeze ++ @@attribute_method_regexp = /(#{suffixes.join('|')})\z/.freeze + end + + # Default to =, ?, _before_type_cast +--- a/lib/active_record/base.rb ++++ b/lib/active_record/base.rb +@@ -2998,11 +2998,11 @@ module ActiveRecord #:nodoc: + def remove_attributes_protected_from_mass_assignment(attributes) + safe_attributes = + if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil? +- attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) } ++ attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) } + elsif self.class.protected_attributes.nil? +- attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) } ++ attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/m, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) } + elsif self.class.accessible_attributes.nil? 
+- attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) } ++ attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/m,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) } + else + raise "Declare either attr_protected or attr_accessible for #{self.class}, but not both." + end diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0277.patch ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0277.patch --- ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0277.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0277.patch 2013-02-12 17:05:09.000000000 +0100 
@@ -0,0 +1,58 @@ +From d4a53b2e02106c6734bbfea2a0e209febd5f36bd Mon Sep 17 00:00:00 2001 +From: Tobias Kraze <tob...@kraze.eu> +Date: Fri, 8 Feb 2013 12:52:10 +0100 +Subject: [PATCH] fix serialization vulnerability + +--- + .../lib/active_record/attribute_methods.rb | 17 ++++++++++++++++- + activerecord/test/cases/base_test.rb | 6 ++++++ + 2 files changed, 22 insertions(+), 1 deletion(-) + +--- a/lib/active_record/attribute_methods.rb ++++ b/lib/active_record/attribute_methods.rb +@@ -80,7 +80,9 @@ module ActiveRecord + end + + unless instance_method_already_implemented?("#{name}=") +- if create_time_zone_conversion_attribute?(name, column) ++ if self.serialized_attributes[name] ++ define_write_method_for_serialized_attribute(name) ++ elsif create_time_zone_conversion_attribute?(name, column) + define_write_method_for_time_zone_conversion(name) + else + define_write_method(name.to_sym) +@@ -184,6 +186,19 @@ module ActiveRecord + def define_write_method(attr_name) + evaluate_attribute_method attr_name, "def #{attr_name}=(new_value);write_attribute('#{attr_name}', new_value);end", "#{attr_name}=" + end ++ ++ # Defined for all serialized attributes. Disallows assigning already serialized YAML. ++ def define_write_method_for_serialized_attribute(attr_name) ++ method_body = <<-EOV ++ def #{attr_name}=(value) ++ if value.is_a?(String) and value =~ /^---/ ++ raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues." ++ end ++ write_attribute(:#{attr_name}, value) ++ end ++ EOV ++ evaluate_attribute_method attr_name, method_body, "#{attr_name}=" ++ end + + # Defined for all +datetime+ and +timestamp+ attributes when +time_zone_aware_attributes+ are enabled. + # This enhanced write method will automatically convert the time passed to it to the zone stored in Time.zone. 
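Review bot: In the new `define_write_method_for_serialized_attribute`, the guard `value =~ /^---/` uses `^`, which in Ruby matches at the start of any line, so any String containing a line that begins with `---` is rejected, not only a value that starts with the YAML document marker. That is the safe direction for a check meant to keep pre-serialized YAML away from `write_attribute`, but it will also refuse legitimate multi-line text that happens to contain a `---` line, and it reads oddly next to the CVE-2013-0276 patch in the same upload, which replaces `^`/`$` with `\A`/`\z`; if "starts with" is the intent, `\A---` is the precise form, and whichever is chosen deserves a comment so the choice is visibly deliberate. Ordering the serialized branch ahead of `create_time_zone_conversion_attribute?` looks intended, since a serialized column should never get the time-zone writer.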
+--- a/test/cases/base_test.rb ++++ b/test/cases/base_test.rb +@@ -1499,6 +1499,12 @@ class BasicsTest < ActiveRecord::TestCas + assert_nil topic.content + end + ++ def test_should_raise_exception_on_assigning_already_serialized_content ++ topic = Topic.new ++ serialized_content = %w[foo bar].to_yaml ++ assert_raise(ActiveRecord::ActiveRecordError) { topic.content = serialized_content } ++ end ++ + def test_should_raise_exception_on_serialized_attribute_with_type_mismatch + myobj = MyObject.new('value1', 'value2') + topic = Topic.new(:content => myobj) diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/series ruby-activerecord-2.3-2.3.14/debian/patches/series --- ruby-activerecord-2.3-2.3.14/debian/patches/series 2013-01-16 01:16:07.000000000 +0100 +++ ruby-activerecord-2.3-2.3.14/debian/patches/series 2013-02-12 17:05:09.000000000 +0100 @@ -2,3 +2,5 @@ activerecord-2.3.5-1.patch 2-3-dynamic_finder_injection.patch CVE-2013-0155.patch +CVE-2013-0276.patch +CVE-2013-0277.patch
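Review bot: `test_should_raise_exception_on_assigning_already_serialized_content` only exercises the rejecting path; add the companion assertions that a plain string and a real Array (for example `topic.content = %w[foo bar]`) still assign, so the guard cannot silently break ordinary writes to a serialized attribute. On the CVE-2013-0276 part of this upload: base.rb now spells out `key.gsub(/\(.+/m, "")` six times across the three branches of `remove_attributes_protected_from_mass_assignment`, and the `m` flag is the entire fix, so a single helper like the `remove_multiparameter_id` used in the activemodel patch would leave one place to keep right; the comment above `rebuild_attribute_method_regexp` also still documents `/(a|\?|c)$/` and should now read `\z`.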