[DRE-maint] Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Salvatore Bonaccorso
carnil at debian.org
Fri Jan 11 20:26:07 UTC 2013
Hi
Attached are the upstream commits applied to the unstable version and
the generated debdiff. But this also creates some additional files in one
of the binary packages that are built:
ruby-extlib:
[The following lists of changes regard files as different if they have
different names, permissions or owners.]
Files in second .deb but not in first
-------------------------------------
-rw-r--r-- root/root /usr/share/rubygems-integration/1.8/specifications/extlib-0.9.15.gemspec
-rw-r--r-- root/root /usr/share/rubygems-integration/1.9.1/specifications/extlib-0.9.15.gemspec
Regards,
Salvatore
diff -u ruby-extlib-0.9.15/debian/changelog ruby-extlib-0.9.15/debian/changelog
--- ruby-extlib-0.9.15/debian/changelog
+++ ruby-extlib-0.9.15/debian/changelog
@@ -1,3 +1,11 @@
+ruby-extlib (0.9.15-2.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * [SECURITY] CVE-2013-0156: Remove symbol and yaml coercion from the
+ XML parser. (Closes: #697895) (LP: #1098357)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Fri, 11 Jan 2013 21:14:26 +0100
+
ruby-extlib (0.9.15-2) unstable; urgency=low
* Add full text of the Ruby licence.
@@ -49 +56,0 @@
-
only in patch2:
unchanged:
--- ruby-extlib-0.9.15.orig/spec/hash_spec.rb
+++ ruby-extlib-0.9.15/spec/hash_spec.rb
@@ -254,7 +254,7 @@
'approved' => nil,
'written_on' => nil,
'viewed_at' => nil,
- 'content' => nil,
+ 'content' => { 'type' => 'yaml' },
'parent_id' => nil
}
Hash.from_xml(topic_xml)["topic"].should == expected_topic_hash
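Review bot: The new expected value `'content' => { 'type' => 'yaml' }` is the only non-nil entry among otherwise empty siblings, and nothing in the spec says why an empty element now yields its attribute hash instead of nil. A one-line comment above it would keep the next reader from "fixing" it back, e.g. `# 'yaml' is no longer a registered typecast (CVE-2013-0156), so the empty element is presumably kept as its attribute hash rather than coerced to nil — verify against typecast_xml_value`. The enclosing `it` block and the `topic_xml` fixture start outside the hunk, so the exact parsing path cannot be confirmed from here.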
@@ -292,12 +292,12 @@
# Changed this line where the key is :message. The yaml specifies this as a symbol, and who am I to change what you specify
# The line in ActiveSupport is
# 'content' => { 'message' => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
- 'content' => { :message => "Have a nice day", 1 => "should be an integer", "array" => [{ "should-have-dashes" => true, "should_have_underscores" => true }] },
+ 'content' => "--- \n1: should be an integer\n:message: Have a nice day\narray: \n- should-have-dashes: true\n should_have_underscores: true\n",
'author_email_address' => "david at loudthinking.com",
'parent_id' => nil,
'ad_revenue' => BigDecimal("1.50"),
'optimum_viewing_angle' => 135.0,
- 'resident' => :yes
+ 'resident' => 'yes'
}
Hash.from_xml(topic_xml)["topic"].each do |k,v|
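Review bot: The three comment lines just above the changed `'content'` line are now stale: they explain why `:message` is a Symbol in the parsed YAML hash, but the expectation below them is now the raw YAML String, so the comment describes a value the spec no longer produces. Replace them with something like `# yaml and symbol typecasts were removed (CVE-2013-0156): 'content' stays the raw YAML text and 'resident' stays a String instead of :yes`. The same stale-comment concern applies to the `'resident' => 'yes'` change further down, which that single comment also covers. The enclosing `it` block starts before this hunk.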
only in patch2:
unchanged:
--- ruby-extlib-0.9.15.orig/lib/extlib/hash.rb
+++ ruby-extlib-0.9.15/lib/extlib/hash.rb
@@ -279,9 +279,7 @@
self.typecasts["decimal"] = lambda{|v| BigDecimal(v)}
self.typecasts["double"] = lambda{|v| v.nil? ? nil : v.to_f}
self.typecasts["float"] = lambda{|v| v.nil? ? nil : v.to_f}
- self.typecasts["symbol"] = lambda{|v| v.to_sym}
self.typecasts["string"] = lambda{|v| v.to_s}
- self.typecasts["yaml"] = lambda{|v| v.nil? ? nil : YAML.load(v)}
self.typecasts["base64Binary"] = lambda{|v| v.unpack('m').first }
self.available_typecasts = self.typecasts.keys
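Review bot: The two typecasts are deleted without any trace of why, and since `self.typecasts` is an ordinary mutable Hash on the class, a later contributor (or downstream code) can re-register `"yaml"` or `"symbol"` without realising what it reopens. A short comment next to the remaining entries would document the intent, e.g. `# "symbol" and "yaml" are deliberately not typecasts: the value comes from untrusted XML text, to_sym creates uncollectable symbols and YAML.load can instantiate arbitrary objects (CVE-2013-0156)`. Deriving `available_typecasts` from `typecasts.keys` on the last line means the removal propagates correctly, which is good. The enclosing class body starts and ends outside the hunk, so whether anything else consults `available_typecasts` cannot be checked here.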