[DRE-maint] Fwd: [rt.debian.org #4251] ruby-rack security bug

Satoru KURASHIKI lurdan at gmail.com
Thu Oct 3 11:33:40 UTC 2013


hi,

I'm trying to update oldstable's librack-ruby to fix security issues.

I've cherry-picked upstream changes, but I'm not confident about my changes.
Would you review attached debdiff?

Notes:

CVE-2013-0183:
The squeeze version's code is different from what I assumed when writing the
forwarded mail.
So I tried to hand-port the original code and spec.
I've confirmed that at least the spec I added doesn't report an error.
(specrb -I ./lib test/rack_spec_utils.rb)

regards,
-- 
KURASHIKI Satoru


---------- Forwarded message ----------
From: Satoru KURASHIKI <lurdan at gmail.com>
Date: Thu, Aug 29, 2013 at 8:59 PM
Subject: Re: [rt.debian.org #4251] ruby-rack security bug
To: rt at rt.debian.org
Cc: Nobuhiro Iwamatsu <iwamatsu at nigauri.org>, Hideki Yamane <henrich at debian.or.jp>


hi,

On Thu, Aug 29, 2013 at 8:50 AM, Satoru KURASHIKI <lurdan at gmail.com> wrote:
> CVE-2013-0183: As far as I went, I saw that commit ... but similar code
> affected seems present,
The point (similar code) is:

      # Reads the body one line at a time until the boundary line shows up.
      # input.gets has no length limit, so a line with no newline is pulled
      # into memory whole, however long it is.
      loop do
        read_buffer = input.gets
        break if read_buffer == boundary + EOL
      end

So, I think that it may be changed to:

      loop do
        # Read at most bufsize bytes per iteration; nil means the body ended
        # before the boundary was seen.
        content = input.read(bufsize)
        raise EOFError, "bad content body" unless content
        @buf << content

        # Consume every complete line currently in the buffer and stop once
        # the boundary line is found.
        while @buf.gsub!(/\A([^\n]*\n)/, '')
          read_buffer = $1
          return if read_buffer == boundary + EOL
        end

        # If a whole bufsize chunk has accumulated without a newline, give up
        # instead of letting the buffer grow without bound.
        raise EOFError, "bad content body" if Utils.bytesize(@buf) >= bufsize
      end

But unfortunately I'm neither a rubyist nor a coding expert, so I can't write
test code for this change.
I will ask some of my friends to review this code...


> CVE-2012-6109:

This should be fixed IF we backport the "refactor of multipart module".
So, it should be considered as "not affected".

> CVE-2011-5036:

We can pick this commit:
https://github.com/rack/rack/commit/09c5e53f11a491c25bef873ed146842f3cd03228

regards,
-- 
KURASHIKI Satoru
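As an added illustration of the two loops discussed above (not code from this thread or from rack itself), the sketch below runs a line-by-line scan and a chunked, bounded scan against a constructed well-formed body and a constructed body made of one long line with no newline, and counts how many bytes each pulls from the input. CountingIO, skip_to_boundary_unbounded, skip_to_boundary_bounded and bytes_pulled are hypothetical names chosen for this example.

```ruby
require 'stringio'

EOL = "\r\n".freeze
BOUNDARY = "--AaB03x".freeze

# Wraps an IO and counts the bytes the scanner actually pulled from it,
# so both strategies can be compared on the same input.
class CountingIO
  attr_reader :bytes_read
  def initialize(io); @io = io; @bytes_read = 0; end
  def gets; s = @io.gets; @bytes_read += s.bytesize if s; s; end
  def read(n); s = @io.read(n); @bytes_read += s.bytesize if s; s; end
end

# Line-by-line scan like the "similar code" quoted in the thread: gets has
# no length limit, so one newline-free line is read whole into memory.
def skip_to_boundary_unbounded(input, boundary)
  loop do
    line = input.gets
    raise EOFError, "bad content body" unless line
    return true if line == boundary + EOL
  end
end

# Chunked scan in the spirit of the proposed change: read bufsize bytes at a
# time, consume complete lines from the buffer, and stop as soon as bufsize
# bytes have accumulated without a newline. Memory stays near 2 * bufsize.
def skip_to_boundary_bounded(input, boundary, bufsize)
  buf = ''.dup
  loop do
    content = input.read(bufsize)
    raise EOFError, "bad content body" unless content
    buf << content
    while buf.gsub!(/\A([^\n]*\n)/, '')
      return true if $1 == boundary + EOL
    end
    raise EOFError, "bad content body" if buf.bytesize >= bufsize
  end
end

# Constructed inputs: a normal body, and a hostile 1 MiB line with no newline.
GOOD_BODY = ("preamble" + EOL + BOUNDARY + EOL + "rest").freeze
LONG_LINE = ("A" * 1_048_576).freeze

# Returns [boundary_found, bytes_pulled_from_input] for one strategy.
def bytes_pulled(body, bounded, bufsize = 16_384)
  io = CountingIO.new(StringIO.new(body))
  found = begin
    bounded ? skip_to_boundary_bounded(io, BOUNDARY, bufsize) : skip_to_boundary_unbounded(io, BOUNDARY)
  rescue EOFError
    false
  end
  [found, io.bytes_read]
end
```

On the hostile body the unbounded scan reads the full 1 MiB before failing, while the bounded scan fails after a single 16 KiB chunk.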
[Attachment: librack-ruby-oldstable.debdiff, application/octet-stream, 12077 bytes]