[DRE-maint] Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)

Fri Jan 11 20:26:07 UTC 2013

Hi

Attached the upstream commits applied to the unstable version and
generated debdiff. But this creates too some additional files in one
of the binary packages created:

ruby-extlib:
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /usr/share/rubygems-integration/1.8/specifications/extlib-0.9.15.gemspec
-rw-r--r--  root/root   /usr/share/rubygems-integration/1.9.1/specifications/extlib-0.9.15.gemspec

Regards,
Salvatore
-------------- next part --------------
diff -u ruby-extlib-0.9.15/debian/changelog ruby-extlib-0.9.15/debian/changelog

--- ruby-extlib-0.9.15/debian/changelog
+++ ruby-extlib-0.9.15/debian/changelog
@@ -1,3 +1,11 @@
+ruby-extlib (0.9.15-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * [SECURITY] CVE-2013-0156: Remove symbol and yaml coercion from the
+    XML parser. (Closes: #697895) (LP: #1098357)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Fri, 11 Jan 2013 21:14:26 +0100
+
 ruby-extlib (0.9.15-2) unstable; urgency=low
 
   * Add full text of the Ruby licence.
@@ -49 +56,0 @@
-
only in patch2:
unchanged:
--- ruby-extlib-0.9.15.orig/spec/hash_spec.rb
+++ ruby-extlib-0.9.15/spec/hash_spec.rb
@@ -254,7 +254,7 @@
       'approved'   => nil,
       'written_on' => nil,
       'viewed_at'  => nil,
-      'content'    => nil,
+      'content'    => { 'type' => 'yaml' },
       'parent_id'  => nil
     }
     Hash.from_xml(topic_xml)["topic"].should == expected_topic_hash
@@ -292,12 +292,12 @@
       # Changed this line where the key is :message.  The yaml specifies this as a symbol, and who am I to change what you specify
       # The line in ActiveSupport is
       # 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
-      'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
+      'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n  should_have_underscores: true\n",
       'author_email_address' => "david at loudthinking.com",
       'parent_id' => nil,
       'ad_revenue' => BigDecimal("1.50"),
       'optimum_viewing_angle' => 135.0,
-      'resident' => :yes
+      'resident' => 'yes'
     }
 
     Hash.from_xml(topic_xml)["topic"].each do |k,v|
only in patch2:
unchanged:
--- ruby-extlib-0.9.15.orig/lib/extlib/hash.rb
+++ ruby-extlib-0.9.15/lib/extlib/hash.rb
@@ -279,9 +279,7 @@
   self.typecasts["decimal"]       = lambda{|v| BigDecimal(v)}
   self.typecasts["double"]        = lambda{|v| v.nil? ? nil : v.to_f}
   self.typecasts["float"]         = lambda{|v| v.nil? ? nil : v.to_f}
-  self.typecasts["symbol"]        = lambda{|v| v.to_sym}
   self.typecasts["string"]        = lambda{|v| v.to_s}
-  self.typecasts["yaml"]          = lambda{|v| v.nil? ? nil : YAML.load(v)}
   self.typecasts["base64Binary"]  = lambda{|v| v.unpack('m').first }
 
   self.available_typecasts = self.typecasts.keys
