[DRE-maint] ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183

Satoru KURASHIKI lurdan at gmail.com
Mon Feb 11 04:34:32 UTC 2013


hi,
(CC: pkg-ruby-extras-maintainers)

> > > BTW, I don't know these issues affect stable packages,
> > > librack-ruby{,1.8,1.9.1}, ver. 1.1.0-4.
> >
> > I seem to need 0003-Reimplement-auth-scheme-fix.patch.
> > Please consult the security team about this.
>
> Ok.

I prepared a patch for the stable version (with the maintainer's acknowledgement).
Please audit it; after that I will prepare an NMU for this (together with #70026).

The prepared patch is as follows:
--- a/lib/rack.rb       2013-02-11 02:31:24.375449225 +0000
+++ b/lib/rack.rb       2013-02-11 02:33:48.735596653 +0000
@@ -71,6 +71,18 @@ module Rack
       autoload :Params, "rack/auth/digest/params"
       autoload :Request, "rack/auth/digest/request"
     end
+
+    # Not all of the following schemes are "standards", but they are
used often.
+    @schemes = %w[basic digest bearer mac token oauth oauth2]
+
+    def self.add_scheme scheme
+      @schemes << scheme
+      @schemes.uniq!
+    end
+
+    def self.schemes
+      @schemes.dup
+    end
   end

   module Session
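Review bot: `add_scheme` stores the name exactly as given, while the lookup in `AbstractRequest#scheme` (the next hunk) compares against `parts.first.downcase`, so a scheme registered as `"Bearer"` or as a Symbol never matches and such requests keep an unsymbolized String; normalising on registration keeps both sides consistent: `@schemes << scheme.to_s.downcase`. The `@schemes` array is module-level state shared by every application in the process and is mutated without any guard, which is presumably fine for a call-at-boot registration API, but a one-line comment stating that `add_scheme` is meant to be called at load time would record that intent. Separately, the mailer wrapped the comment at line 30 onto a continuation line with no `+` marker, so the patch as quoted will not apply until that line is rejoined.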
--- a/lib/rack/auth/abstract/request.rb 2013-02-11 02:36:39.864688680 +0000
+++ b/lib/rack/auth/abstract/request.rb 2013-02-11 02:39:02.948692080 +0000
@@ -15,7 +15,11 @@
       end

       def scheme
-        @scheme ||= parts.first.downcase.to_sym
+        @scheme ||=
+          begin
+            s = parts.first.downcase
+            Rack::Auth.schemes.include?(s) ? s.to_sym : s
+          end
       end

       def params
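Review bot: The reason for the new branch is not recorded in the code: symbolizing only registered schemes is what closes CVE-2013-0184, because on the Ruby versions this stable package targets Symbols are never garbage-collected, so `to_sym` on a client-chosen scheme name lets each request with a fresh name grow the symbol table until memory is exhausted. A comment above the `begin` such as `# Only symbolize registered schemes (CVE-2013-0184): Symbols are not GC'd, so to_sym on a client-supplied name would grow the symbol table without bound; unknown schemes stay Strings.` would keep a later maintainer from "simplifying" it back to the one-liner. The method still calls `downcase` on `parts.first` unconditionally, so a request without an Authorization header presumably fails the same way it did before; that is unchanged behaviour and out of scope for this fix. The enclosing class continues outside the hunk.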
--- /dev/null   1970-01-01 00:00:00.000000000 +0000
+++ b/test/spec_auth.rb 2013-02-11 02:28:44.635615432 +0000
@@ -0,0 +1,57 @@
+require 'rack'
+
+describe Rack::Auth do
+  it "should have all common authentication schemes" do
+    Rack::Auth.schemes.should.include? 'basic'
+    Rack::Auth.schemes.should.include? 'digest'
+    Rack::Auth.schemes.should.include? 'bearer'
+    Rack::Auth.schemes.should.include? 'token'
+  end
+
+  it "should allow registration of new auth schemes" do
+    Rack::Auth.schemes.should.not.include "test"
+    Rack::Auth.add_scheme "test"
+    Rack::Auth.schemes.should.include "test"
+  end
+end
+
+describe Rack::Auth::AbstractRequest do
+  it "should symbolize known auth schemes" do
+    env = Rack::MockRequest.env_for('/')
+    env['HTTP_AUTHORIZATION'] = 'Basic aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :basic
+
+
+    env['HTTP_AUTHORIZATION'] = 'Digest aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :digest
+
+    env['HTTP_AUTHORIZATION'] = 'Bearer aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :bearer
+
+    env['HTTP_AUTHORIZATION'] = 'MAC aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :mac
+
+    env['HTTP_AUTHORIZATION'] = 'Token aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :token
+
+    env['HTTP_AUTHORIZATION'] = 'OAuth aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :oauth
+
+    env['HTTP_AUTHORIZATION'] = 'OAuth2 aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == :oauth2
+  end
+
+  it "should not symbolize unknown auth schemes" do
+    env = Rack::MockRequest.env_for('/')
+    env['HTTP_AUTHORIZATION'] = 'magic aXJyZXNwb25zaWJsZQ=='
+    req = Rack::Auth::AbstractRequest.new(env)
+    req.scheme.should == "magic"
+  end
+end
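Review bot: The registration spec at line 72 mutates process-wide state: `Rack::Auth.add_scheme "test"` is never undone and the API offers no removal, so every later spec in the run sees `"test"` as a known scheme and the `should.not.include "test"` expectation only holds if this spec runs first. Either assert on a name no other spec could plausibly use, or keep the register-and-check within one expectation and mark the leak with `# NOTE: add_scheme has no inverse; "test" stays registered for the rest of the run`. The same block mixes `should.include? 'basic'` with `should.include "test"`; the framework appears to accept both, but one form should be used throughout. A case with an upper-case header value (for example `'BASIC aXJyZXNwb25zaWJsZQ=='` still yielding `:basic`) would pin the `downcase` step the fix relies on; the unknown-scheme path is already covered at line 112.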

regards,
-- 
KURASHIKI Satoru


