[DRE-maint] Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)

Fri Jan 11 20:12:01 UTC 2013

Hi

On Fri, Jan 11, 2013 at 12:06:54AM +0000, Joshua Timberman wrote:
> Package: libextlib-ruby
> 
> Version: 0.9.13-2
> Severity: grave
> Tags: security
> 
> Dan Kubb, upstream maintainer of the extlib RubyGem recently updated it to
> resolve security issues reported in CVE-2013-0156.
> 
> The patches are are available from the extlib Git repository on GitHub to
> remove symbol and yaml coercion, respectively:
> 
> https://github.com/datamapper/extlib/commit/4540e7102b803624cc2eade4bb8aaaa
> 934fc31c5
> https://github.com/datamapper/extlib/commit/633974b2759d9b924657f3888473d5f
> d681538dd

(Disclaimer: I'm not the maintainer/part of team for ruby-extlib
package, but trying to help on this if needed).

Attached is the first debdiff for the version in Squeeze based on the
above commits. But I noticed when I rebuild the package I get the
following debdiff for libextlib-ruby-doc:

[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_10.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_11.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_18.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_2.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_22.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_24.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_25.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_28.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_29.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_31.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_10_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_10_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_25_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_25_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_27_0.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_27_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_28_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_28_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_29_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_29_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_2_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_2_0.png

Files in first .deb but not in second
-------------------------------------
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_10.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_11.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_18.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_2.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_22.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_24.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_25.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_28.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_29.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_31.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_11_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_11_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_18_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_18_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_22_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_22_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_24_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_24_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_31_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_31_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_7_0.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_7_0.png

So it looks the compression is on other files.

Regards,
Salvatore
-------------- next part --------------
diff -u libextlib-ruby-0.9.13/debian/changelog libextlib-ruby-0.9.13/debian/changelog

--- libextlib-ruby-0.9.13/debian/changelog
+++ libextlib-ruby-0.9.13/debian/changelog
@@ -1,3 +1,11 @@
+libextlib-ruby (0.9.13-2+squeeze1) stable-security; urgency=high
+
+  * Non-maintainer upload.
+  * [SECURITY] CVE-2013-0156: Remove symbol and yaml coercion from the XML parser
+    (Closes: #697895) (LP: #1098357)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Fri, 11 Jan 2013 20:52:05 +0100
+
 libextlib-ruby (0.9.13-2) unstable; urgency=low
 
   * std-ver -> 3.8.4. No changes needed.
only in patch2:
unchanged:
--- libextlib-ruby-0.9.13.orig/spec/hash_spec.rb
+++ libextlib-ruby-0.9.13/spec/hash_spec.rb
@@ -255,7 +255,7 @@
       'approved'   => nil,
       'written_on' => nil,
       'viewed_at'  => nil,
-      'content'    => nil,
+      'content'    => { 'type' => 'yaml' },
       'parent_id'  => nil
     }
     Hash.from_xml(topic_xml)["topic"].should == expected_topic_hash
@@ -293,12 +293,12 @@
       # Changed this line where the key is :message.  The yaml specifies this as a symbol, and who am I to change what you specify
       # The line in ActiveSupport is
       # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
-      'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
+      'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n",
       'author_email_address' => "david at loudthinking.com",
       'parent_id' => nil,
       'ad_revenue' => BigDecimal("1.50"),
       'optimum_viewing_angle' => 135.0,
-      'resident' => :yes
+      'resident' => 'yes'
     }
 
     Hash.from_xml(topic_xml)["topic"].each do |k,v|
only in patch2:
unchanged:
--- libextlib-ruby-0.9.13.orig/lib/extlib/hash.rb
+++ libextlib-ruby-0.9.13/lib/extlib/hash.rb
@@ -271,9 +271,7 @@
   self.typecasts["decimal"]       = lambda{|v| BigDecimal(v)}
   self.typecasts["double"]        = lambda{|v| v.nil? ? nil : v.to_f}
   self.typecasts["float"]         = lambda{|v| v.nil? ? nil : v.to_f}
-  self.typecasts["symbol"]        = lambda{|v| v.to_sym}
   self.typecasts["string"]        = lambda{|v| v.to_s}
-  self.typecasts["yaml"]          = lambda{|v| v.nil? ? nil : YAML.load(v)}
   self.typecasts["base64Binary"]  = lambda{|v| v.unpack('m').first }
 
   self.available_typecasts = self.typecasts.keys
