[DRE-maint] Bug#702217: proposition for libopenid-ruby/2.1.8debian-1+squeeze1 [CVE-2013-1812]

Cédric Boutillier cedric.boutillier at upmc.fr
Wed Mar 6 15:32:20 UTC 2013


Hi!

I adapted the patch from upstream and applied it to the version of
libopenid-ruby currently in squeeze.

Attached is the debdiff with a possible 2.1.8debian-1+squeeze1
targeting squeeze if accepted by the security team.

The debdiff on the .deb packages shows nothing except the change of the
version number:

$ debdiff libopenid-ruby_2.1.8debian*.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-4312-] {+4308+}
Version: [-2.1.8debian-1-] {+2.1.8debian-1+squeeze1+}

$ debdiff libopenid-ruby1.8_2.1.8debian*.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-2.1.8debian-1-] {+2.1.8debian-1+squeeze1+}

Cheers,

Cédric
-------------- next part --------------
diff -Nru libopenid-ruby-2.1.8debian/debian/changelog libopenid-ruby-2.1.8debian/debian/changelog
--- libopenid-ruby-2.1.8debian/debian/changelog	2010-04-12 03:29:36.000000000 +0200
+++ libopenid-ruby-2.1.8debian/debian/changelog	2013-03-06 15:10:19.000000000 +0100
@@ -1,3 +1,13 @@
+libopenid-ruby (2.1.8debian-1+squeeze1) stable-security; urgency=high
+
+  * Team upload
+  * Urgency set to high as a security bug is fixed.
+  * debian/patches: add fix_CVE-2013-1812 from upstream to limit fetching file
+    size and disable XML entity expansion, preventing possible XML denial of
+    service attacks [CVE-2013-1812] (Closes: #702217).
+
+ -- Cédric Boutillier <boutil at debian.org>  Wed, 06 Mar 2013 15:02:31 +0100
+
 libopenid-ruby (2.1.8debian-1) unstable; urgency=low
 
   [ Lucas Nussbaum ]
diff -Nru libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812 libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812
--- libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812	1970-01-01 01:00:00.000000000 +0100
+++ libopenid-ruby-2.1.8debian/debian/patches/fix_CVE-2013-1812	2013-03-06 15:01:55.000000000 +0100
@@ -0,0 +1,115 @@
+Description: limit fetching file size & disable XML entity expansion
+  This prevents possible XML denial of service attacks [CVE-2013-1812]
+Author: nov matake <nov at matake.jp>
+Origin: https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
+Bug: https://github.com/openid/ruby-openid/pull/43
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702217
+Reviewed-by: Cédric Boutillier <boutil at debian.org>
+Last-Update: 2012-10-23
+
+---
+ lib/openid/fetchers.rb   |   17 ++++++++++++++---
+ lib/openid/yadis/xrds.rb |   34 ++++++++++++++++++++++------------
+ 2 files changed, 36 insertions(+), 15 deletions(-)
+
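Review bot: the DEP-3 header's Last-Update (2012-10-23) predates the adaptation of this patch to the squeeze tree (the file timestamp on the +++ line is 2013-03-06); Last-Update should be bumped to the date the Debian version of the patch was last modified, and a short Description note saying it was backported to 2.1.8 would help the next person who has to rebase it.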
+--- a/lib/openid/fetchers.rb
++++ b/lib/openid/fetchers.rb
+@@ -10,7 +10,7 @@
+   require 'net/http'
+ end
+ 
+-MAX_RESPONSE_KB = 1024
++MAX_RESPONSE_KB = 10485760 # 10 MB (can be smaller, I guess)
+ 
+ module Net
+   class HTTP
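Review bot: MAX_RESPONSE_KB now holds a byte count (10485760, "10 MB") while its name still says kilobytes, and the old value 1024 was plausibly meant as 1024 KB. Any other use of MAX_RESPONSE_KB in fetchers.rb that multiplies by 1024 or compares against a Content-Length in KB will now be off by a factor of 1024; grep for it before accepting the rename, and consider renaming the constant to MAX_RESPONSE_BYTES (or keeping the KB unit and converting at the comparison) so the unit is unambiguous.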
+@@ -192,6 +192,16 @@
+         conn = make_connection(url)
+         response = nil
+ 
++        whole_body = ''
++        body_size_limitter = lambda do |r|
++          r.read_body do |partial|   # read body now
++            whole_body << partial
++            if whole_body.length > MAX_RESPONSE_KB
++              raise FetchingError.new("Response Too Large")
++            end
++          end
++          whole_body
++        end
+         response = conn.start {
+           # Check the certificate against the URL's hostname
+           if supports_ssl?(conn) and conn.use_ssl?
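Review bot: the size check in the limiter runs only after each chunk has already been appended, so memory can exceed MAX_RESPONSE_KB by up to one read_body chunk before FetchingError is raised; checking `whole_body.length + partial.length > MAX_RESPONSE_KB` before the append keeps the buffer strictly within the limit. Also, `String#length` counts characters rather than bytes on Ruby 1.9 and later, so if this code is ever run under 1.9 the comparison should use `bytesize`; on the squeeze ruby1.8 the two are equivalent. Minor: `body_size_limitter` is misspelled (limiter).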
+@@ -199,10 +209,10 @@
+           end
+ 
+           if body.nil?
+-            conn.request_get(url.request_uri, headers)
++            conn.request_get(url.request_uri, headers, &body_size_limitter)
+           else
+             headers["Content-type"] ||= "application/x-www-form-urlencoded"
+-            conn.request_post(url.request_uri, body, headers)
++            conn.request_post(url.request_uri, body, headers, &body_size_limitter)
+           end
+         }
+       rescue RuntimeError => why
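Review bot: the FetchingError raised inside the limiter block now surfaces through this `rescue RuntimeError => why` clause if FetchingError inherits from RuntimeError; confirm that the rescue body re-raises it as a FetchingError with the "Response Too Large" message intact rather than wrapping it in a generic fetch error, since callers (and the squeeze test suite, if any) may key on that message.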
+@@ -231,7 +241,10 @@
+           raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
+         end
+       else
+-        return HTTPResponse._from_net_response(response, unparsed_url)
++        response = HTTPResponse._from_net_response(response, unparsed_url)
++        response.body = whole_body
++        setup_encoding(response)
++        return response
+       end
+     end
+   end
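Review bot: `setup_encoding(response)` and the `response.body=` writer are not defined anywhere in this patch; the upstream commit was written against a newer fetchers.rb, so confirm both exist in the 2.1.8debian tree, otherwise every successful fetch will fail with NoMethodError once the limiter has consumed the body. If `setup_encoding` is the newer 1.9-only helper, it can simply be dropped from the backport, since `whole_body` is already assigned to `response.body` on the line above.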
+--- a/lib/openid/yadis/xrds.rb
++++ b/lib/openid/yadis/xrds.rb
+@@ -88,23 +88,33 @@
+     end
+ 
+     def Yadis::parseXRDS(text)
+-      if text.nil?
+-        raise XRDSError.new("Not an XRDS document.")
+-      end
++      disable_entity_expansion do
++        if text.nil?
++          raise XRDSError.new("Not an XRDS document.")
++        end
+ 
+-      begin
+-        d = REXML::Document.new(text)
+-      rescue RuntimeError => why
+-        raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
+-      end
++        begin
++          d = REXML::Document.new(text)
++        rescue RuntimeError => why
++          raise XRDSError.new("Not an XRDS document. Failed to parse XML.")
++        end
+ 
+-      if is_xrds?(d)
+-        return d
+-      else
+-        raise XRDSError.new("Not an XRDS document.")
++        if is_xrds?(d)
++          return d
++        else
++          raise XRDSError.new("Not an XRDS document.")
++        end
+       end
+     end
+ 
++    def Yadis::disable_entity_expansion
++      _previous_ = REXML::Document::entity_expansion_limit
++      REXML::Document::entity_expansion_limit = 0
++      yield
++    ensure
++      REXML::Document::entity_expansion_limit = _previous_
++    end
++
+     def Yadis::is_xrds?(xrds_tree)
+       xrds_root = xrds_tree.root
+       return (!xrds_root.nil? and
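Review bot: `REXML::Document::entity_expansion_limit` is a process-wide class attribute, so `disable_entity_expansion` lowers it for every REXML parser in the process for the duration of the block and is not thread-safe (a concurrent caller that restores its own `_previous_` can leave the limit at 0 or at the default). Also confirm that REXML applies the limit at `REXML::Document.new` time for this input: if entity expansion in the squeeze REXML happens lazily when a Text node's value is read, the protection only covers accesses made inside the block, and later traversal of the returned document `d` would run with the limit already restored. Style: `REXML::Document.entity_expansion_limit` (with `.`) is the conventional method-call form, and `_previous_` would read better as `previous_limit`.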
diff -Nru libopenid-ruby-2.1.8debian/debian/patches/series libopenid-ruby-2.1.8debian/debian/patches/series
--- libopenid-ruby-2.1.8debian/debian/patches/series	2010-04-12 03:22:44.000000000 +0200
+++ libopenid-ruby-2.1.8debian/debian/patches/series	2013-03-06 15:02:07.000000000 +0100
@@ -1 +1,2 @@
 use-system-installed-hmac
+fix_CVE-2013-1812