Control: tags -1 patch Dear maintainer(s),
I have prepared a debdiff that implements the necessary changes for Apache 2.4, fixes CVE-2013-2119 (bug #710351) and contains a fix to make it build against glibc 2.17. This is kind of urgent as the Apache 2.4 upload to unstable is scheduled for today. Are you planning to do a maintainer upload, or would you like me to go ahead with an NMU? Cheers, Felix
diff -Nru ruby-passenger-3.0.13debian/debian/changelog ruby-passenger-3.0.13debian/debian/changelog --- ruby-passenger-3.0.13debian/debian/changelog 2012-06-28 17:00:51.000000000 +0200 +++ ruby-passenger-3.0.13debian/debian/changelog 2013-05-30 12:41:00.000000000 +0200 @@ -1,3 +1,18 @@ +ruby-passenger (3.0.13debian-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Transition towards Apache 2.4. (Closes: #707063) + - Build-depend on apache2-dev and apache2. + - Use apache2 dh helper. + - Drop libapache2-mod-passenger maintainer scripts, now handled by + dh_apache2. + * Fix buiding against glibc 2.17. + - Add fix_ftbfs_glibc217.patch, cherry-picked from upstream. + * Fix CVE-2013-2119: insecure temporary file usage. (Closes: #710351) + - Add CVE-2013-2119.patch, cherry-picked from upstream. + + -- Felix Geyer <fge...@debian.org> Thu, 30 May 2013 09:27:46 +0200 + ruby-passenger (3.0.13debian-1) unstable; urgency=low * Team upload. diff -Nru ruby-passenger-3.0.13debian/debian/control ruby-passenger-3.0.13debian/debian/control --- ruby-passenger-3.0.13debian/debian/control 2012-06-28 17:00:51.000000000 +0200 +++ ruby-passenger-3.0.13debian/debian/control 2013-05-30 09:45:18.000000000 +0200 @@ -3,8 +3,8 @@ Priority: optional Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org> Uploaders: Filipe Lautert <fil...@debian.org>, Micah Anderson <mi...@debian.org>, David Moreno <da...@debian.org> -Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.12~), apache2-mpm-worker | apache2-mpm, - apache2-threaded-dev, libapr1-dev, doxygen, asciidoc (>= 8.2), graphviz, rake, +Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.2.12~), apache2 (>= 2.4), + apache2-dev (>= 2.4), libapr1-dev, doxygen, asciidoc (>= 8.2), graphviz, rake, source-highlight, libjs-scriptaculous, libcurl4-openssl-dev, libev-dev Standards-Version: 3.9.3 Homepage: http://www.modrails.com/ 
@@ -27,9 +27,7 @@ Package: libapache2-mod-passenger Architecture: any Section: web -Depends: ${shlibs:Depends}, ${misc:Depends}, apache2-mpm-worker (>= 2.2.9-9) | - apache2-mpm-prefork (>= 2.2.9-9) | apache2-mpm-itk (>= 2.2.9-9) | apache2-mpm-event (>= 2.2.9-9), - ruby-passenger (= ${binary:Version}) +Depends: ${shlibs:Depends}, ${misc:Depends}, ruby-passenger (= ${binary:Version}) Description: Rails and Rack support for Apache2 Phusion Passenger — a.k.a. mod_rails or mod_rack — makes deployment of Ruby web applications, such as those built on the diff -Nru ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.apache2 ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.apache2 --- ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.apache2 1970-01-01 01:00:00.000000000 +0100 +++ ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.apache2 2013-05-30 09:25:58.000000000 +0200 @@ -0,0 +1,2 @@ +mod debian/passenger.load +mod debian/passenger.conf diff -Nru ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.install ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.install --- ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.install 2012-06-28 17:00:51.000000000 +0200 +++ ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.install 2013-05-30 09:23:40.000000000 +0200 @@ -1,3 +1 @@ usr/lib/apache2/modules/ -../passenger.conf etc/apache2/mods-available -../passenger.load etc/apache2/mods-available diff -Nru ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.postinst ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.postinst --- ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.postinst 2012-06-28 17:00:51.000000000 +0200 +++ ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.postinst 1970-01-01 01:00:00.000000000 +0100 
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-set -e
-
-if [ "$1" != "configure" ]; then
- exit 0
-fi
-
-reload_apache()
-{
- if apache2ctl configtest 2>/dev/null; then
- invoke-rc.d apache2 force-reload || true
- else
- echo "Your apache2 configuration is broken, so we're not restarting it for you."
- fi
-}
-
-if [ -n "$2" ]; then
-# we're upgrading. test if we're enabled, and if so, restart to reload the module.
- if [ -e /etc/apache2/mods-enabled/passenger.load ]; then
- reload_apache
- fi
- exit 0
-fi
-
-if [ -e /etc/apache2/apache2.conf ]; then
-# Enable the module, but hide a2enmod's misleading message about apachectl
-# and force-reload the thing ourselves.
- a2enmod passenger >/dev/null || true
- reload_apache
-fi
-
-#DEBHELPER#
-
-exit 0
-
diff -Nru ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.prerm ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.prerm
--- ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.prerm 2012-06-28 17:00:51.000000000 +0200
+++ ruby-passenger-3.0.13debian/debian/libapache2-mod-passenger.prerm 1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-set -e
-
-if [ "$1" != "remove" -a "$1" != "purge" ]; then
- exit 0
-fi;
-
-if [ -e /etc/apache2/apache2.conf ]; then
- a2dismod passenger || true
-fi
-
-#DEBHELPER#
-
-exit 0
-
diff -Nru ruby-passenger-3.0.13debian/debian/patches/CVE-2013-2119.patch ruby-passenger-3.0.13debian/debian/patches/CVE-2013-2119.patch
--- ruby-passenger-3.0.13debian/debian/patches/CVE-2013-2119.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-passenger-3.0.13debian/debian/patches/CVE-2013-2119.patch 2013-05-30 09:31:09.000000000 +0200
@@ -0,0 +1,199 @@ +From 0eaebb00f6b7327374069a7998064c68cc54e9f1 Mon Sep 17 00:00:00 2001 +From: "Hongli Lai (Phusion)" <hon...@phusion.nl> +Date: Tue, 28 May 2013 22:30:53 +0200 +Subject: [PATCH] Ensure that temporary files and directories didn't already + exist. + +--- + bin/passenger-install-nginx-module | 7 ++--- + lib/phusion_passenger/dependencies.rb | 32 ++++++++-------------- + lib/phusion_passenger/standalone/command.rb | 9 +++--- + .../standalone/runtime_installer.rb | 7 ++--- + 4 files changed, 23 insertions(+), 32 deletions(-) + +diff --git a/bin/passenger-install-nginx-module b/bin/passenger-install-nginx-module +index 629240c..450252c 100755 +--- a/bin/passenger-install-nginx-module ++++ b/bin/passenger-install-nginx-module +@@ -27,6 +27,7 @@ $LOAD_PATH.unshift("#{passenger_root}/lib") + require 'phusion_passenger' + require 'optparse' + require 'fileutils' ++require 'tmpdir' + require 'phusion_passenger/platform_info/ruby' + require 'phusion_passenger/dependencies' + require 'phusion_passenger/abstract_installer' +@@ -108,14 +109,12 @@ class Installer < PhusionPassenger::AbstractInstaller + def before_install + super + myself = `whoami`.strip +- @working_dir = "/tmp/#{myself}-passenger-#{Process.pid}" +- FileUtils.rm_rf(@working_dir) +- FileUtils.mkdir_p(@working_dir) ++ @working_dir = Dir.mktmpdir("passenger.") + end + + def after_install + super +- FileUtils.rm_rf(@working_dir) ++ FileUtils.remove_entry_secure(@working_dir) if @working_dir + end + + private +diff --git a/lib/phusion_passenger/dependencies.rb b/lib/phusion_passenger/dependencies.rb +index e37a212..685b37d 100644 +--- a/lib/phusion_passenger/dependencies.rb ++++ b/lib/phusion_passenger/dependencies.rb +@@ -22,6 +22,7 @@ + # THE SOFTWARE. + + require 'rbconfig' ++require 'tmpdir' + require 'phusion_passenger' + require 'phusion_passenger/packaging' + require 'phusion_passenger/platform_info' +@@ -117,6 +118,12 @@ def self.mizuho_required? 
+ end + end + ++ def self.create_temp_files(name1, name2, dir = PlatformInfo.tmpexedir) ++ Dir.mktmpdir("passenger.", dir) do |subdir| ++ yield "#{subdir}/#{name1}", "#{subdir}/#{name2}" ++ end ++ end ++ + GCC = Dependency.new do |dep| + dep.name = "GNU C++ compiler" + dep.define_checker do |result| +@@ -456,9 +463,7 @@ def self.mizuho_required? + Curl_Dev = Dependency.new do |dep| + dep.name = "Curl development headers with SSL support" + dep.define_checker do |result| +- source_file = "#{PlatformInfo.tmpexedir}/passenger-curl-check.c" +- output_file = "#{PlatformInfo.tmpexedir}/passenger-curl-check" +- begin ++ Dependencies.create_temp_files("check.c", "check") do |source_file, output_file| + found = true + File.open(source_file, 'w') do |f| + f.puts("#include <curl/curl.h>") +@@ -482,9 +487,6 @@ def self.mizuho_required? + found = false + end + result.found(found) +- ensure +- File.unlink(source_file) rescue nil +- File.unlink(output_file) rescue nil + end + end + dep.install_instructions = "Please download Curl from <b>http://curl.haxx.se/libcurl</b> " + +@@ -514,22 +516,17 @@ def self.mizuho_required? 
+ OpenSSL_Dev = Dependency.new do |dep| + dep.name = "OpenSSL development headers" + dep.define_checker do |result| +- source_file = "#{PlatformInfo.tmpexedir}/passenger-openssl-check.c" +- object_file = "#{PlatformInfo.tmpexedir}/passenger-openssl-check.o" +- begin ++ Dependencies.create_temp_files("check.c", "check.o") do |source_file, output_file| + File.open(source_file, 'w') do |f| + f.write("#include <openssl/ssl.h>") + end + Dir.chdir(File.dirname(source_file)) do +- if system("(gcc #{ENV['CFLAGS']} -c '#{source_file}') >/dev/null 2>/dev/null") ++ if system("(gcc #{ENV['CFLAGS']} -c '#{source_file}' -o '#{output_file}') >/dev/null 2>/dev/null") + result.found + else + result.not_found + end + end +- ensure +- File.unlink(source_file) rescue nil +- File.unlink(object_file) rescue nil + end + end + if RUBY_PLATFORM =~ /linux/ +@@ -546,22 +543,17 @@ def self.mizuho_required? + Zlib_Dev = Dependency.new do |dep| + dep.name = "Zlib development headers" + dep.define_checker do |result| +- source_file = "#{PlatformInfo.tmpexedir}/zlib-check.c" +- object_file = "#{PlatformInfo.tmpexedir}/zlib-check.o" +- begin ++ Dependencies.create_temp_files("check.c", "check.o") do |source_file, output_file| + File.open(source_file, 'w') do |f| + f.write("#include <zlib.h>") + end + Dir.chdir(File.dirname(source_file)) do +- if system("(g++ -c zlib-check.c) >/dev/null 2>/dev/null") ++ if system("(g++ -c '#{source_file}' -o '#{output_file}') >/dev/null 2>/dev/null") + result.found + else + result.not_found + end + end +- ensure +- File.unlink(source_file) rescue nil +- File.unlink(object_file) rescue nil + end + end + if RUBY_PLATFORM =~ /linux/ +diff --git a/lib/phusion_passenger/standalone/command.rb b/lib/phusion_passenger/standalone/command.rb +index 8810427..b84909f 100644 +--- a/lib/phusion_passenger/standalone/command.rb ++++ b/lib/phusion_passenger/standalone/command.rb +@@ -172,8 +172,11 @@ def determine_various_resource_locations(create_subdirs = true) + + def 
write_nginx_config_file + require 'phusion_passenger/platform_info/ruby' +- ensure_directory_exists(@temp_dir) +- ++ require 'tmpdir' ++ @temp_dir = Dir.mktmpdir("passenger.", "/tmp") ++ @config_filename = "#{@temp_dir}/config" ++ File.chmod(0755, @temp_dir) ++ + File.open(@config_filename, 'w') do |f| + f.chmod(0644) + template_filename = File.join(TEMPLATES_DIR, "standalone", "config.erb") +@@ -213,8 +216,6 @@ def nginx_ping_port + def create_nginx_controller(extra_options = {}) + require_daemon_controller + require 'socket' unless defined?(UNIXSocket) +- @temp_dir = "/tmp/passenger-standalone.#{$$}" +- @config_filename = "#{@temp_dir}/config" + if @options[:socket_file] + ping_spec = [:unix, @options[:socket_file]] + else +diff --git a/lib/phusion_passenger/standalone/runtime_installer.rb b/lib/phusion_passenger/standalone/runtime_installer.rb +index 730f776..31b6fd8 100644 +--- a/lib/phusion_passenger/standalone/runtime_installer.rb ++++ b/lib/phusion_passenger/standalone/runtime_installer.rb +@@ -23,6 +23,7 @@ + # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + # THE SOFTWARE. + require 'fileutils' ++require 'tmpdir' + require 'phusion_passenger' + require 'phusion_passenger/abstract_installer' + require 'phusion_passenger/packaging' +@@ -164,16 +165,14 @@ def install! 
+ def before_install + super + @plugin.call_hook(:runtime_installer_start, self) if @plugin +- @working_dir = "/tmp/#{myself}-passenger-standalone-#{Process.pid}" +- FileUtils.rm_rf(@working_dir) +- FileUtils.mkdir_p(@working_dir) ++ @working_dir = Dir.mktmpdir("passenger.") + @download_binaries = true if !defined?(@download_binaries) + @binaries_url_root ||= STANDALONE_BINARIES_URL_ROOT + end + + def after_install + super +- FileUtils.rm_rf(@working_dir) ++ FileUtils.remove_entry_secure(@working_dir) if @working_dir + @plugin.call_hook(:runtime_installer_cleanup) if @plugin + end + +-- +1.8.1.6 + diff -Nru ruby-passenger-3.0.13debian/debian/patches/fix_ftbfs_glibc217.patch ruby-passenger-3.0.13debian/debian/patches/fix_ftbfs_glibc217.patch --- ruby-passenger-3.0.13debian/debian/patches/fix_ftbfs_glibc217.patch 1970-01-01 01:00:00.000000000 +0100 +++ ruby-passenger-3.0.13debian/debian/patches/fix_ftbfs_glibc217.patch 2013-05-30 09:34:56.000000000 +0200 
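Review bot: In the command.rb part of CVE-2013-2119.patch, `@temp_dir` and `@config_filename` are now set only inside `write_nginx_config_file`, while the two assignments are removed from `create_nginx_controller`, so any code that reads either variable before the config file is written gets nil; both method bodies continue outside the hunk, so the call order needs to be confirmed against the full file. The same method widens the freshly created private directory with `File.chmod(0755, @temp_dir)` and writes the config 0644 without saying why; a comment along the lines of `# world-traversable on purpose: nginx workers may run as a different user (confirm)` would keep a later reader from tightening or loosening it by accident. In bin/passenger-install-nginx-module, the `whoami` call assigned to `myself` in `before_install` is no longer used now that the directory name comes from `Dir.mktmpdir("passenger.")`, and the line can be dropped.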
@@ -0,0 +1,164 @@ +From 27894da4c7a5da30ef7ab4b03f914d1dec8531ac Mon Sep 17 00:00:00 2001 +From: "Hongli Lai (Phusion)" <hon...@phusion.nl> +Date: Sun, 26 Aug 2012 14:27:39 +0200 +Subject: [PATCH] Backport fix from + https://svn.boost.org/trac/boost/ticket/6940 This allows passenger to build + on Fedora 18/19. + +--- + ext/boost/config/suffix.hpp | 12 ++++++++++++ + ext/boost/src/pthread/thread.cpp | 4 ++-- + ext/boost/src/pthread/timeconv.inl | 16 ++++++++-------- + ext/boost/thread/locks.hpp | 6 +++--- + ext/boost/thread/xtime.hpp | 4 ++-- + ext/common/ApplicationPool/Pool.h | 2 +- + 7 files changed, 30 insertions(+), 16 deletions(-) + +diff --git a/ext/boost/config/suffix.hpp b/ext/boost/config/suffix.hpp +index 3408d22..6464f33 100644 +--- a/ext/boost/config/suffix.hpp ++++ b/ext/boost/config/suffix.hpp +@@ -103,6 +103,18 @@ + #endif + + // ++// constexpr workarounds ++// ++#if defined(BOOST_NO_CONSTEXPR) ++#define BOOST_CONSTEXPR ++#define BOOST_CONSTEXPR_OR_CONST const ++#else ++#define BOOST_CONSTEXPR constexpr ++#define BOOST_CONSTEXPR_OR_CONST constexpr ++#endif ++#define BOOST_STATIC_CONSTEXPR static BOOST_CONSTEXPR_OR_CONST ++ ++// + // if there is no __int64 then there is no specialisation + // for numeric_limits<__int64> either: + // +diff --git a/ext/boost/src/pthread/thread.cpp b/ext/boost/src/pthread/thread.cpp +index b5a0572..f90cfcd 100644 +--- a/ext/boost/src/pthread/thread.cpp ++++ b/ext/boost/src/pthread/thread.cpp +@@ -365,7 +365,7 @@ + cond.timed_wait(lock, xt); + # endif + xtime cur; +- xtime_get(&cur, TIME_UTC); ++ xtime_get(&cur, TIME_UTC_); + if (xtime_cmp(xt, cur) <= 0) + return; + } +@@ -380,7 +380,7 @@ + BOOST_VERIFY(!pthread_yield()); + # else + xtime xt; +- xtime_get(&xt, TIME_UTC); ++ xtime_get(&xt, TIME_UTC_); + sleep(xt); + # endif + } +diff --git a/ext/boost/src/pthread/timeconv.inl b/ext/boost/src/pthread/timeconv.inl +index b75a135..7c07802 100644 +--- a/ext/boost/src/pthread/timeconv.inl ++++ 
b/ext/boost/src/pthread/timeconv.inl +@@ -20,8 +20,8 @@ const int NANOSECONDS_PER_MICROSECOND = 1000; + inline void to_time(int milliseconds, boost::xtime& xt) + { + int res = 0; +- res = boost::xtime_get(&xt, boost::TIME_UTC); +- BOOST_ASSERT(res == boost::TIME_UTC); ++ res = boost::xtime_get(&xt, boost::TIME_UTC_); ++ BOOST_ASSERT(res == boost::TIME_UTC_); + + xt.sec += (milliseconds / MILLISECONDS_PER_SECOND); + xt.nsec += ((milliseconds % MILLISECONDS_PER_SECOND) * +@@ -57,8 +57,8 @@ inline void to_timespec_duration(const boost::xtime& xt, timespec& ts) + { + boost::xtime cur; + int res = 0; +- res = boost::xtime_get(&cur, boost::TIME_UTC); +- BOOST_ASSERT(res == boost::TIME_UTC); ++ res = boost::xtime_get(&cur, boost::TIME_UTC_); ++ BOOST_ASSERT(res == boost::TIME_UTC_); + + if (boost::xtime_cmp(xt, cur) <= 0) + { +@@ -88,8 +88,8 @@ inline void to_duration(boost::xtime xt, int& milliseconds) + { + boost::xtime cur; + int res = 0; +- res = boost::xtime_get(&cur, boost::TIME_UTC); +- BOOST_ASSERT(res == boost::TIME_UTC); ++ res = boost::xtime_get(&cur, boost::TIME_UTC_); ++ BOOST_ASSERT(res == boost::TIME_UTC_); + + if (boost::xtime_cmp(xt, cur) <= 0) + milliseconds = 0; +@@ -110,8 +110,8 @@ inline void to_microduration(boost::xtime xt, int& microseconds) + { + boost::xtime cur; + int res = 0; +- res = boost::xtime_get(&cur, boost::TIME_UTC); +- BOOST_ASSERT(res == boost::TIME_UTC); ++ res = boost::xtime_get(&cur, boost::TIME_UTC_); ++ BOOST_ASSERT(res == boost::TIME_UTC_); + + if (boost::xtime_cmp(xt, cur) <= 0) + microseconds = 0; +diff --git a/ext/boost/thread/locks.hpp b/ext/boost/thread/locks.hpp +index dd66a67..d77b145 100644 +--- a/ext/boost/thread/locks.hpp ++++ b/ext/boost/thread/locks.hpp +@@ -164,9 +164,9 @@ + struct adopt_lock_t + {}; + +- const defer_lock_t defer_lock={}; +- const try_to_lock_t try_to_lock={}; +- const adopt_lock_t adopt_lock={}; ++ BOOST_CONSTEXPR_OR_CONST defer_lock_t defer_lock={}; ++ BOOST_CONSTEXPR_OR_CONST try_to_lock_t 
try_to_lock={}; ++ BOOST_CONSTEXPR_OR_CONST adopt_lock_t adopt_lock={}; + + template<typename Mutex> + class shared_lock; +diff --git a/ext/boost/thread/xtime.hpp b/ext/boost/thread/xtime.hpp +index 7cc6272..f908298 100644 +--- a/ext/boost/thread/xtime.hpp ++++ b/ext/boost/thread/xtime.hpp +@@ -20,7 +20,7 @@ + + enum xtime_clock_types + { +- TIME_UTC=1 ++ TIME_UTC_=1 + // TIME_TAI, + // TIME_MONOTONIC, + // TIME_PROCESS, +@@ -68,7 +68,7 @@ inline xtime get_xtime(boost::system_time const& abs_time) + + inline int xtime_get(struct xtime* xtp, int clock_type) + { +- if (clock_type == TIME_UTC) ++ if (clock_type == TIME_UTC_) + { + *xtp=get_xtime(get_system_time()); + return clock_type; +diff --git a/ext/common/ApplicationPool/Pool.h b/ext/common/ApplicationPool/Pool.h +index 8c87ad5..d26529d 100644 +--- a/ext/common/ApplicationPool/Pool.h ++++ b/ext/common/ApplicationPool/Pool.h +@@ -718,7 +718,7 @@ class Pool: public ApplicationPool::Interface { + } + } else { + xtime xt; +- xtime_get(&xt, TIME_UTC); ++ xtime_get(&xt, TIME_UTC_); + xt.sec += maxIdleTime + 1; + if (cleanerThreadSleeper.timed_wait(l, xt)) { + // Condition was woken up. +-- +1.8.1.6 + diff -Nru ruby-passenger-3.0.13debian/debian/patches/series ruby-passenger-3.0.13debian/debian/patches/series --- ruby-passenger-3.0.13debian/debian/patches/series 2012-06-28 17:00:51.000000000 +0200 +++ ruby-passenger-3.0.13debian/debian/patches/series 2013-05-30 09:48:17.000000000 +0200 @@ -1 +1,3 @@ fix_install_path.patch +fix_ftbfs_glibc217.patch +CVE-2013-2119.patch diff -Nru ruby-passenger-3.0.13debian/debian/rules ruby-passenger-3.0.13debian/debian/rules --- ruby-passenger-3.0.13debian/debian/rules 2012-06-28 17:00:51.000000000 +0200 +++ ruby-passenger-3.0.13debian/debian/rules 2013-05-30 09:23:28.000000000 +0200 @@ -4,7 +4,7 @@ export USE_VENDORED_LIBEV=false %: - dh $@ --buildsystem=ruby --with ruby + dh $@ --buildsystem=ruby --with ruby,apache2 override_dh_auto_build: /usr/bin/ruby1.8 /usr/bin/rake fakeroot
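Review bot: The header of fix_ftbfs_glibc217.patch says `7 files changed, 30 insertions(+), 16 deletions(-)`, but its diffstat lists six files and the per-file counts add up to 44 changed lines rather than 46, so the upstream commit 27894da4c7a5da30ef7ab4b03f914d1dec8531ac appears to have been trimmed after export without the header saying so. A short DEP-3 style header in the patch (`Origin: upstream, <commit URL>` plus a line naming the file that was dropped) would let a later reviewer check the cherry-pick against upstream instead of relying on the description. The same header would help CVE-2013-2119.patch, which carries only the upstream commit id.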