[DRE-maint] Bug#789311: Bug#789311: ruby-rack: CVE-2015-3225: Potential Denial of Service Vulnerability in Rack normalize_params()
Salvatore Bonaccorso
carnil at debian.org
Wed Jul 29 19:49:12 UTC 2015
Hi,
Thanks for working on this issue!
On Wed, Jul 29, 2015 at 05:30:34PM +0900, Youhei SASAKI wrote:
> Dear Debian Security Team
>
> I've created patches in order to fix CVE-2015-3225 for wheezy and jessie.
>
> #789311 (CVE-2015-3225)
>
> Please consider updating the stable versions of ruby-rack with the attached
> debdiffs to close this CVE issue.
>
> # BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
> # can't build package without "DH_RUBY_IGNORE_TESTS=all"...
It builds for me here in pbuilder. Where exactly is the problem
located?
Patch-wise both look okay, but I have some small comments. First the
one for wheezy-security:
> diff -Nru ruby-rack-1.4.1/debian/changelog ruby-rack-1.4.1/debian/changelog
> --- ruby-rack-1.4.1/debian/changelog 2013-02-22 08:55:14.000000000 +0900
> +++ ruby-rack-1.4.1/debian/changelog 2015-07-29 16:48:43.000000000 +0900
> @@ -1,3 +1,10 @@
> +ruby-rack (1.4.1-3) unstable; urgency=medium
Use 1.4.1-2.1+deb7u1 as version, wheezy-security as distribution and
urgency=high. See
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
for some hints.
The one for jessie-security:
> diff -Nru ruby-rack-1.5.2/debian/changelog ruby-rack-1.5.2/debian/changelog
> --- ruby-rack-1.5.2/debian/changelog 2014-10-17 21:44:22.000000000 +0900
> +++ ruby-rack-1.5.2/debian/changelog 2015-07-29 17:12:45.000000000 +0900
> @@ -1,3 +1,10 @@
> +ruby-rack (1.5.2-4) unstable; urgency=medium
Same here: use 1.5.2-3+deb8u1 as version, target jessie-security and
use urgency=high.
> + * Create cherry-picked patch for Security Fix (Closes: #789311)
> + - CVE-2015-3225: 1-4-deep_params.patch
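Review bot: the "cherry-picked patch" line gives no provenance, so a reviewer cannot check the backport against upstream; please name the upstream Rack commit it was taken from here and in a DEP-3 `Origin:` header inside the patch file, and make the filename on this line match the file actually added under debian/patches/.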
[...]
> diff -Nru ruby-rack-1.5.2/debian/patches/series ruby-rack-1.5.2/debian/patches/series
> --- ruby-rack-1.5.2/debian/patches/series 1970-01-01 09:00:00.000000000 +0900
> +++ ruby-rack-1.5.2/debian/patches/series 2015-07-29 17:16:29.000000000 +0900
> @@ -0,0 +1 @@
> +1-5-deep_params.patch
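Review bot: the old side of this hunk is dated 1970-01-01, i.e. debian/patches/series did not exist before, so this is the package's first quilt patch; please confirm the source format is "3.0 (quilt)" (or that the build applies quilt patches some other way) and that the patch is actually applied during the build, otherwise the fixed package would ship unpatched code.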
The actual patch is named 1-5-deep_params.patch so the changelog
should reflect that. For both entries it would be great to have
additionally a short description what CVE-2015-3225 is about in the
debian/changelog entry.
Could you make the above changes? Have the resulting packages been
tested in wheezy and jessie in some environment using ruby-rack?
Regards,
Salvatore
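As an added example that is not part of this thread, not the Debian patch and not Rack's own code: a cut-down model of the recursive normalize_params() logic behind CVE-2015-3225, with the unbounded shape next to a depth-limited one modelled on the upstream fix. The depth budget of 100 and the RangeError are what upstream's fixed releases use (Rack's param_depth_limit); all helper names and the constructed query keys are mine. Only "a[b][c]=v" hash nesting is modelled, the "[]" array forms are left out. It is also the shape of the sanity check worth running on a rebuilt package: against a patched ruby-rack, Rack::Utils.parse_nested_query on a key nested past the limit raises RangeError instead of dying with SystemStackError.

```ruby
# Added example; not the Debian patch and not Rack's own code. A cut-down
# model of the recursive parameter normaliser behind CVE-2015-3225: the
# unbounded form recurses once per "[key]" level, so the request decides the
# stack depth; the bounded form budgets recursion the way the upstream fix
# does (default limit 100, RangeError when exhausted). Helper names and
# inputs are constructed for this example.

PARAM_DEPTH_LIMIT = 100 # same default as Rack's param_depth_limit

# Constructed input: the key "a[a][a]...[a]" with `depth` bracketed levels.
def deep_key(depth, key = 'a')
  key + ("[#{key}]" * depth)
end

# Split "a[b][c]" into ["a", "b", "c"].
def key_path(name)
  name.scan(/[^\[\]]+/)
end

# Vulnerable shape: one stack frame per nesting level, no upper bound.
def normalize_unbounded(params, keys, value, i = 0)
  k = keys[i]
  if i == keys.size - 1
    params[k] = value
  else
    params[k] ||= {}
    raise TypeError, "expected Hash for `#{k}'" unless params[k].is_a?(Hash)
    normalize_unbounded(params[k], keys, value, i + 1)
  end
  params
end

# Hardened shape: the budget is decremented per level, and an exhausted
# budget is a RangeError the application can map to a 400 instead of a crash.
def normalize_bounded(params, keys, value, i = 0, depth = PARAM_DEPTH_LIMIT)
  raise RangeError, 'exceeded available parameter key space' if depth <= 0
  k = keys[i]
  if i == keys.size - 1
    params[k] = value
  else
    params[k] ||= {}
    raise TypeError, "expected Hash for `#{k}'" unless params[k].is_a?(Hash)
    normalize_bounded(params[k], keys, value, i + 1, depth - 1)
  end
  params
end

# Number of single-key hashes stacked in a parsed result.
def nesting_depth(h)
  d = 0
  while h.is_a?(Hash) && h.size == 1
    h = h.values.first
    d += 1
  end
  d
end

# true if the unbounded parser dies with SystemStackError on `depth` levels
def overflows_stack?(depth)
  normalize_unbounded({}, key_path(deep_key(depth)), 'v')
  false
rescue SystemStackError
  true
end

# true if the bounded parser refuses `depth` levels with RangeError
def rejected_by_limit?(depth)
  normalize_bounded({}, key_path(deep_key(depth)), 'v')
  false
rescue RangeError
  true
end

if $PROGRAM_NAME == __FILE__
  puts "unbounded,     5 levels: depth #{nesting_depth(normalize_unbounded({}, key_path(deep_key(5)), 'v'))}"
  puts "unbounded, 250k levels: SystemStackError=#{overflows_stack?(250_000)}"
  puts "bounded,      99 levels: RangeError=#{rejected_by_limit?(99)}"
  puts "bounded,     100 levels: RangeError=#{rejected_by_limit?(100)}"
end
```

The limit counts keys, not brackets: a key with 99 bracketed levels (100 path elements) is the deepest the bounded parser accepts, and the one after it is refused before any further frame is pushed, which is the whole point of the fix: the rejection costs a constant amount of stack regardless of what the client sends.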