Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Dear release team, Please unblock package ruby-rack, which fixes grave security bugs: #698440 #700173 #700226 3 BTS contains 5 CVE adviseries tracked as: https://security-tracker.debian.org/tracker/source-package/ruby-rack All patches are backported from upstream fix. I've prepared nmu with maintainer's permission, and debdiff is below: (or, staging at mentors at: http://mentors.debian.net/debian/pool/main/r/ruby-rack/ruby-rack_1.4.1-2.1.dsc ) I'll ask for upload sponsor after this request would be approved. diff -Nru ruby-rack-1.4.1/debian/changelog ruby-rack-1.4.1/debian/changelog --- ruby-rack-1.4.1/debian/changelog 2012-06-26 03:07:51.000000000 +0900 +++ ruby-rack-1.4.1/debian/changelog 2013-02-20 21:21:25.000000000 +0900 @@ -1,3 +1,19 @@ +ruby-rack (1.4.1-2.1) testing-security; urgency=high + + [ KURASHIKI Satoru ] + * Non-maintainer upload. + * Create cherry-picked patches for Security Fix (Closes: #700173 #700226). + - CVE-2013-0262: 0004-Prevent-symlink-path-traversals.patch + - CVE-2013-0263: 0005-Use-secure_compare-for-hmac-comparison.patch + + [ Youhei SASAKI ] + * Create cherry-picked patches for Security Fix (Closes: #698440). + - CVE-2012-6109: 0001-Fix-parsing-performance-for-unquoted-filenames.patch + - CVE-2013-0183: 0002-multipart-parser-avoid-unbounded-gets-method.patch + - CVE-2013-0184: 0003-Reimplement-auth-scheme-fix.patch + + -- KURASHIKI Satoru <lur...@gmail.com> Wed, 20 Feb 2013 20:56:31 +0900 + ruby-rack (1.4.1-2) unstable; urgency=low * Bump build dependency on gem2deb to >= 0.3.0~ diff -Nru ruby-rack-1.4.1/debian/patches/0001-Fix-parsing-performance-for-unquoted-filenames.patch ruby-rack-1.4.1/debian/patches/0001-Fix-parsing-performance-for-unquoted-filenames.patch --- ruby-rack-1.4.1/debian/patches/0001-Fix-parsing-performance-for-unquoted-filenames.patch 1970-01-01 09:00:00.000000000 +0900 +++ ruby-rack-1.4.1/debian/patches/0001-Fix-parsing-performance-for-unquoted-filenames.patch 2013-02-10 23:07:16.000000000 +0900 @@ -0,0 +1,67 @@ +From: James Tucker <jftuc...@gmail.com> +Date: Sun, 13 May 2012 15:02:17 -0700 +Subject: Fix parsing performance for unquoted filenames + +Special thanks to Paul Rogers & Eric Wong + +Origin: upstream, https://github.com/rack/rack/commit/4fc44671b3cad569421f4f8b775c0590b86f575e +Bug: https://security-tracker.debian.org/tracker/CVE-2012-6109 +Bug-Debian: http://bugs.debian.org/698440 + +--- + lib/rack/multipart.rb | 4 ++-- + test/spec_multipart.rb | 21 +++++++++++++++++++++ + 2 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/lib/rack/multipart.rb b/lib/rack/multipart.rb +index 3777106..6849248 100644 +--- a/lib/rack/multipart.rb ++++ b/lib/rack/multipart.rb +@@ -12,7 +12,7 @@ module Rack + MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|n + TOKEN = /[^\s()<>,;:\\"\/\[\]?=]+/ + CONDISP = /Content-Disposition:\s*#{TOKEN}\s*/i +- DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})*/ ++ DISPPARM = /;\s*(#{TOKEN})=("(?:\\"|[^"])*"|#{TOKEN})/ + RFC2183 = /^#{CONDISP}(#{DISPPARM})+$/i + BROKEN_QUOTED = /^#{CONDISP}.*;\sfilename="(.*?)"(?:\s*$|\s*;\s*#{TOKEN}=)/i + BROKEN_UNQUOTED = /^#{CONDISP}.*;\sfilename=(#{TOKEN})/i +@@ -31,4 +31,4 @@ module Rack + end + + end +-end +\ No newline at end of file ++end +diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb +index b0bf57c..e4e5981 100644 +--- a/test/spec_multipart.rb ++++ b/test/spec_multipart.rb +@@ -48,6 +48,27 @@ describe Rack::Multipart do + params['profile']['bio'].should.include 'hello' + end + ++ should "parse very long unquoted multipart file names" do ++ data = <<-EOF ++--AaB03x\r ++Content-Type: text/plain\r ++Content-Disposition: attachment; name=file; filename=#{'long' * 100}\r ++\r ++contents\r ++--AaB03x--\r ++ EOF ++ ++ options = { ++ "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x", ++ "CONTENT_LENGTH" => data.length.to_s, ++ :input => StringIO.new(data) ++ } ++ env = Rack::MockRequest.env_for("/", options) ++ params = Rack::Utils::Multipart.parse_multipart(env) ++ ++ params["file"][:filename].should.equal('long' * 100) ++ end ++ + should "parse multipart upload with text file" do + env = Rack::MockRequest.env_for("/", multipart_fixture(:text)) + params = Rack::Multipart.parse_multipart(env) diff -Nru ruby-rack-1.4.1/debian/patches/0002-multipart-parser-avoid-unbounded-gets-method.patch ruby-rack-1.4.1/debian/patches/0002-multipart-parser-avoid-unbounded-gets-method.patch --- ruby-rack-1.4.1/debian/patches/0002-multipart-parser-avoid-unbounded-gets-method.patch 1970-01-01 09:00:00.000000000 +0900 +++ ruby-rack-1.4.1/debian/patches/0002-multipart-parser-avoid-unbounded-gets-method.patch 2013-02-10 23:07:16.000000000 +0900 @@ -0,0 +1,104 @@ +From: Eric Wong <normalper...@yhbt.net> +Date: Wed, 22 Aug 2012 22:48:23 +0000 +Subject: multipart/parser: avoid unbounded #gets method + +Malicious clients may send excessively long lines +to trigger out-of-memory errors in a Rack web server. + +Origin: upstream, https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18 +Bug: https://security-tracker.debian.org/tracker/CVE-2013-0183 +Bug-Debian: http://bugs.debian.org/698440 + +--- + lib/rack/multipart/parser.rb | 13 ++++++++--- + test/spec_multipart.rb | 53 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb +index 98eceaa..3773de7 100644 +--- a/lib/rack/multipart/parser.rb ++++ b/lib/rack/multipart/parser.rb +@@ -68,9 +68,16 @@ module Rack + + def fast_forward_to_first_boundary + loop do +- read_buffer = @io.gets +- break if read_buffer == full_boundary +- raise EOFError, "bad content body" if read_buffer.nil? ++ content = @io.read(BUFSIZE) ++ raise EOFError, "bad content body" unless content ++ @buf << content ++ ++ while @buf.gsub!(/\A([^\n]*\n)/, '') ++ read_buffer = $1 ++ return if read_buffer == full_boundary ++ end ++ ++ raise EOFError, "bad content body" if Utils.bytesize(@buf) >= BUFSIZE + end + end + +diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb +index e4e5981..1c50d9a 100644 +--- a/test/spec_multipart.rb ++++ b/test/spec_multipart.rb +@@ -69,6 +69,59 @@ contents\r + params["file"][:filename].should.equal('long' * 100) + end + ++ should "reject insanely long boundaries" do ++ # using a pipe since a tempfile can use up too much space ++ rd, wr = IO.pipe ++ ++ # we only call rewind once at start, so make sure it succeeds ++ # and doesn't hit ESPIPE ++ def rd.rewind; end ++ wr.sync = true ++ ++ # mock out length to make this pipe look like a Tempfile ++ def rd.length ++ 1024 * 1024 * 8 ++ end ++ ++ # write to a pipe in a background thread, this will write a lot ++ # unless Rack (properly) shuts down the read end ++ thr = Thread.new do ++ begin ++ wr.write("--AaB03x") ++ ++ # make the initial boundary a few gigs long ++ longer = "0123456789" * 1024 * 1024 ++ (1024 * 1024).times { wr.write(longer) } ++ ++ wr.write("\r\n") ++ wr.write('Content-Disposition: form-data; name="a"; filename="a.txt"') ++ wr.write("\r\n") ++ wr.write("Content-Type: text/plain\r\n") ++ wr.write("\r\na") ++ wr.write("--AaB03x--\r\n") ++ wr.close ++ rescue => err # this is EPIPE if Rack shuts us down ++ err ++ end ++ end ++ ++ fixture = { ++ "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x", ++ "CONTENT_LENGTH" => rd.length.to_s, ++ :input => rd, ++ } ++ ++ env = Rack::MockRequest.env_for '/', fixture ++ lambda { ++ Rack::Multipart.parse_multipart(env) ++ }.should.raise(EOFError) ++ rd.close ++ ++ err = thr.value ++ err.should.be.instance_of Errno::EPIPE ++ wr.close ++ end ++ + should "parse multipart upload with text file" do + env = Rack::MockRequest.env_for("/", multipart_fixture(:text)) + params = Rack::Multipart.parse_multipart(env) diff -Nru ruby-rack-1.4.1/debian/patches/0003-Reimplement-auth-scheme-fix.patch ruby-rack-1.4.1/debian/patches/0003-Reimplement-auth-scheme-fix.patch --- ruby-rack-1.4.1/debian/patches/0003-Reimplement-auth-scheme-fix.patch 1970-01-01 09:00:00.000000000 +0900 +++ ruby-rack-1.4.1/debian/patches/0003-Reimplement-auth-scheme-fix.patch 2013-02-11 11:20:43.000000000 +0900 @@ -0,0 +1,131 @@ +From: James Tucker <jftuc...@gmail.com> +Date: Sun, 13 Jan 2013 13:10:20 -0800 +Subject: Reimplement auth scheme fix + + * Add Rack::Auth.add_scheme to enable folks to fix anything that breaks + * Add common auth schemes, MS ones, AWS ones, etc are missing, as unlikely + * Checked Rails - they don't use our authorization code + * Checked Warden - uses rails + * Checked Omniauth - uses rails + * Checked doorkeeper - users rails + * Checked rack-authentication - does it's own thing + * Checked warden-oauth - doesn't do headers + * Checked devise - uses rails + * Checked oauth2-rack - header creation only + * Checked rack-oauth2-server - does it's own thing + * Probably missed a bunch, but that'll have to do + +Origin: upstream, https://github.com/rack/rack/commit/87df8796a6e4555ec8fd3817c419c6b44b7ca459 +Bug: https://security-tracker.debian.org/tracker/CVE-2013-0184 +Bug-Debian: http://bugs.debian.org/698440 + +--- + lib/rack.rb | 12 ++++++++ + lib/rack/auth/abstract/request.rb | 6 +++- + test/spec_auth.rb | 57 +++++++++++++++++++++++++++++++++++++ + 3 files changed, 74 insertions(+), 1 deletion(-) + create mode 100644 test/spec_auth.rb + +diff --git a/lib/rack.rb b/lib/rack.rb +index acfcb5a..18d5097 100644 +--- a/lib/rack.rb ++++ b/lib/rack.rb +@@ -73,6 +73,18 @@ module Rack + autoload :Params, "rack/auth/digest/params" + autoload :Request, "rack/auth/digest/request" + end ++ ++ # Not all of the following schemes are "standards", but they are used often. ++ @schemes = %w[basic digest bearer mac token oauth oauth2] ++ ++ def self.add_scheme scheme ++ @schemes << scheme ++ @schemes.uniq! ++ end ++ ++ def self.schemes ++ @schemes.dup ++ end + end + + module Session +diff --git a/lib/rack/auth/abstract/request.rb b/lib/rack/auth/abstract/request.rb +index 9e15c72..c1553bf 100644 +--- a/lib/rack/auth/abstract/request.rb ++++ b/lib/rack/auth/abstract/request.rb +@@ -21,7 +21,11 @@ module Rack + end + + def scheme +- @scheme ||= parts.first.downcase.to_sym ++ @scheme ||= ++ begin ++ s = parts.first.downcase ++ Rack::Auth.schemes.include?(s) ? s.to_sym : s ++ end + end + + def params +diff --git a/test/spec_auth.rb b/test/spec_auth.rb +new file mode 100644 +index 0000000..6588bd1 +--- /dev/null ++++ b/test/spec_auth.rb +@@ -0,0 +1,57 @@ ++require 'rack' ++ ++describe Rack::Auth do ++ it "should have all common authentication schemes" do ++ Rack::Auth.schemes.should.include? 'basic' ++ Rack::Auth.schemes.should.include? 'digest' ++ Rack::Auth.schemes.should.include? 'bearer' ++ Rack::Auth.schemes.should.include? 'token' ++ end ++ ++ it "should allow registration of new auth schemes" do ++ Rack::Auth.schemes.should.not.include "test" ++ Rack::Auth.add_scheme "test" ++ Rack::Auth.schemes.should.include "test" ++ end ++end ++ ++describe Rack::Auth::AbstractRequest do ++ it "should symbolize known auth schemes" do ++ env = Rack::MockRequest.env_for('/') ++ env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :basic ++ ++ ++ env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :digest ++ ++ env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :bearer ++ ++ env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :mac ++ ++ env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :token ++ ++ env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :oauth ++ ++ env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == :oauth2 ++ end ++ ++ it "should not symbolize unknown auth schemes" do ++ env = Rack::MockRequest.env_for('/') ++ env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ==' ++ req = Rack::Auth::AbstractRequest.new(env) ++ req.scheme.should == "magic" ++ end ++end diff -Nru ruby-rack-1.4.1/debian/patches/0004-Prevent-symlink-path-traversals.patch ruby-rack-1.4.1/debian/patches/0004-Prevent-symlink-path-traversals.patch --- ruby-rack-1.4.1/debian/patches/0004-Prevent-symlink-path-traversals.patch 1970-01-01 09:00:00.000000000 +0900 +++ ruby-rack-1.4.1/debian/patches/0004-Prevent-symlink-path-traversals.patch 2013-02-20 21:41:42.000000000 +0900 @@ -0,0 +1,40 @@ +Description: Prevent symlink path traversals + rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 + allows attackers to access arbitrary files outside the intended root + directory via a crafted PATH_INFO environment variable, probably a directory + traversal vulnerability that is remotely exploitable, aka "symlink path traversals." + +Origin: upstream, https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30 +Bug: https://security-tracker.debian.org/tracker/CVE-2013-0262 +Bug-Debian: http://bugs.debian.org/700173 + +Index: ruby-rack/lib/rack/file.rb +=================================================================== +--- ruby-rack.orig/lib/rack/file.rb 2013-02-20 21:36:40.000000000 +0900 ++++ ruby-rack/lib/rack/file.rb 2013-02-20 21:39:58.265999186 +0900 +@@ -40,19 +40,14 @@ + @path_info = Utils.unescape(env["PATH_INFO"]) + parts = @path_info.split SEPS + +- parts.inject(0) do |depth, part| +- case part +- when '', '.' +- depth +- when '..' +- return fail(404, "Not Found") if depth - 1 < 0 +- depth - 1 +- else +- depth + 1 +- end ++ clean = [] ++ ++ parts.each do |part| ++ next if part.empty? || part == '.' ++ part == '..' ? clean.pop : clean << part + end + +- @path = F.join(@root, *parts) ++ @path = F.join(@root, *clean) + + available = begin + F.file?(@path) && F.readable?(@path) diff -Nru ruby-rack-1.4.1/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch ruby-rack-1.4.1/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch --- ruby-rack-1.4.1/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch 1970-01-01 09:00:00.000000000 +0900 +++ ruby-rack-1.4.1/debian/patches/0005-Use-secure_compare-for-hmac-comparison.patch 2013-02-20 23:15:59.000000000 +0900 @@ -0,0 +1,65 @@ +Description: Use secure compare for hmac comparison + Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, + 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows + remote attackers to guess the session cookie, gain privileges, and + execute arbitrary code via a timing attack involving am HMAC + comparison function that does not run in constant time. + +Origin: upstream, + https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07, + https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11 +Bug: https://security-tracker.debian.org/tracker/CVE-2013-0263 +Bug-Debian: http://bugs.debian.org/700226 + +Index: ruby-rack/lib/rack/session/cookie.rb +=================================================================== +--- ruby-rack.orig/lib/rack/session/cookie.rb 2013-02-11 15:09:25.000000000 +0900 ++++ ruby-rack/lib/rack/session/cookie.rb 2013-02-20 23:11:19.091085974 +0900 +@@ -108,7 +108,7 @@ + + if session_data && digest + ok = @secrets.any? do |secret| +- secret && digest == generate_hmac(session_data, secret) ++ secret && Rack::Utils.secure_compare(digest, generate_hmac(session_data, secret)) + end + end + +Index: ruby-rack/lib/rack/utils.rb +=================================================================== +--- ruby-rack.orig/lib/rack/utils.rb 2013-02-11 15:09:25.000000000 +0900 ++++ ruby-rack/lib/rack/utils.rb 2013-02-20 23:12:39.171087876 +0900 +@@ -336,6 +336,18 @@ + end + module_function :byte_ranges + ++ # Constant time string comparison. ++ def secure_compare(a, b) ++ return false unless bytesize(a) == bytesize(b) ++ ++ l = a.unpack("C*") ++ ++ r, i = 0, -1 ++ b.each_byte { |v| r |= v ^ l[i+=1] } ++ r == 0 ++ end ++ module_function :secure_compare ++ + # Context allows the use of a compatible middleware at different points + # in a request handling stack. A compatible middleware must define + # #context which should take the arguments env and app. The first of which +Index: ruby-rack/test/spec_utils.rb +=================================================================== +--- ruby-rack.orig/test/spec_utils.rb 2013-02-11 15:09:25.000000000 +0900 ++++ ruby-rack/test/spec_utils.rb 2013-02-20 23:13:55.627089693 +0900 +@@ -322,6 +322,11 @@ + Rack::Utils.bytesize("FOO\xE2\x82\xAC").should.equal 6 + end + ++ should "should perform constant time string comparison" do ++ Rack::Utils.secure_compare('a', 'a').should.equal true ++ Rack::Utils.secure_compare('a', 'b').should.equal false ++ end ++ + should "return status code for integer" do + Rack::Utils.status_code(200).should.equal 200 + end diff -Nru ruby-rack-1.4.1/debian/patches/series ruby-rack-1.4.1/debian/patches/series --- ruby-rack-1.4.1/debian/patches/series 1970-01-01 09:00:00.000000000 +0900 +++ ruby-rack-1.4.1/debian/patches/series 2013-02-21 21:10:07.000000000 +0900 @@ -0,0 +1,5 @@ +0001-Fix-parsing-performance-for-unquoted-filenames.patch +0002-multipart-parser-avoid-unbounded-gets-method.patch +0003-Reimplement-auth-scheme-fix.patch +0004-Prevent-symlink-path-traversals.patch +0005-Use-secure_compare-for-hmac-comparison.patch unblock ruby-rack/1.4.1-2.1 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130221143142.24315.29364.report...@dandelion.in.yoikaze.org
