[DRE-maint] Bug#882724: stretch-pu: package ruby-ox/2.1.1-2+b6

Cédric Boutillier boutil at debian.org
Sun Nov 26 00:29:36 UTC 2017


Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu

Hi,

this update fixes bug #881445 [CVE-2017-15928]
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
by cherry-picking a patch from upstream, fixing a crash of the ruby interpreter
on a parse error.

Debdiff attached.

As jessie and stretch have the same version of this package, I am
willing to upload the same fix to jessie (same diff except the version
number with deb8 instead of deb9). Should I submit an independent bug
report for the jessie proposed update?

Thanks in advance.

Cédric

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
diff -Nru ruby-ox-2.1.1/debian/changelog ruby-ox-2.1.1/debian/changelog
--- ruby-ox-2.1.1/debian/changelog	2014-04-04 12:58:15.000000000 +0200
+++ ruby-ox-2.1.1/debian/changelog	2017-11-26 01:08:40.000000000 +0100
@@ -1,3 +1,12 @@
+ruby-ox (2.1.1-2+deb9u1) stretch; urgency=medium
+
+  * Team upload
+  * Add fix_parse_obj_segfault.patch picked from upstream
+    + fix CVE-2017-15928: segmentation fault in parse_obj
+    (Closes: #881445)
+
+ -- Cédric Boutillier <boutil at debian.org>  Sun, 26 Nov 2017 01:08:40 +0100
+
 ruby-ox (2.1.1-2) unstable; urgency=medium
 
   * Team upload.
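Review bot: the new entry's "* Team upload" drops the trailing period that the existing "* Team upload." entry directly below uses; keep the two consistent. Otherwise the entry reads well: it names the patch file, the CVE and the Debian bug it closes, which is what the stable release team will look for.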
diff -Nru ruby-ox-2.1.1/debian/gbp.conf ruby-ox-2.1.1/debian/gbp.conf
--- ruby-ox-2.1.1/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ ruby-ox-2.1.1/debian/gbp.conf	2017-11-26 00:52:18.000000000 +0100
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch=stretch/master
+upstream-branch=stretch/upstream
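Review bot: this new debian/gbp.conf is packaging-workflow metadata with no bearing on the CVE fix, and the changelog entry does not mention it. Either add a changelog line for it or drop it from the stable update so the debdiff stays limited to the security fix.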
diff -Nru ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch
--- ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby-ox-2.1.1/debian/patches/fix_parse_obj_segfault.patch	2017-11-26 01:08:40.000000000 +0100
@@ -0,0 +1,51 @@
+Description: Avoid crash with invalid XML passed to Oj.parse_obj()
+ this fixes CVE-2017-15928
+Author: Peter Ohler <peter at ohler.com>
+Origin: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8.patch
+Bug: https://github.com/ohler55/ox/issues/194
+Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881445
+Last-Update: 2017-11-25
+
+--- a/ext/ox/obj_load.c
++++ b/ext/ox/obj_load.c
+@@ -791,8 +791,10 @@
+ 		    Helper	gh;
+ 
+ 		    helper_stack_pop(&pi->helpers);
+-		    gh = helper_stack_peek(&pi->helpers);
+-
++		    if (NULL == (gh = helper_stack_peek(&pi->helpers))) {
++			set_error(&pi->err, "Corrupt parse stack, container is wrong type", pi->str, pi->s);
++			return;
++		    }
+ 		    rb_hash_aset(gh->obj, ph->obj, h->obj);
+ 		}
+ 		break;
+--- a/ext/ox/err.c
++++ b/ext/ox/err.c
+@@ -42,7 +42,11 @@
+     va_end(ap);
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ ox_err_raise(Err e) {
+     rb_raise(e->clas, "%s", e->msg);
+ }
+--- a/ext/ox/ox.c
++++ b/ext/ox/ox.c
+@@ -990,7 +990,11 @@
+ #endif
+ }
+ 
++#if __GNUC__ > 4
++_Noreturn void
++#else
+ void
++#endif
+ _ox_raise_error(const char *msg, const char *xml, const char *current, const char* file, int line) {
+     int	xline = 1;
+     int	col = 1;
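Review bot: the Description header says "Oj.parse_obj()", but this package and the patched sources are Ox (ruby-ox, ext/ox/, ox_err_raise, _ox_raise_error), so it should read "Ox.parse_obj()"; the DEP-3 header is what users and the security tracker will read, so the name matters. The err.c and ox.c changes only add `_Noreturn` annotations and are not part of the NULL check that stops the crash; they are fine to carry along since they come from the same upstream commit, but a sentence in the Description saying so would save the next reader from wondering whether they are needed for the fix.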
diff -Nru ruby-ox-2.1.1/debian/patches/series ruby-ox-2.1.1/debian/patches/series
--- ruby-ox-2.1.1/debian/patches/series	2014-03-22 13:16:52.000000000 +0100
+++ ruby-ox-2.1.1/debian/patches/series	2017-11-26 01:08:40.000000000 +0100
@@ -1 +1,2 @@
+fix_parse_obj_segfault.patch
 000-fix-so-load-path.patch
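Review bot: the new patch is inserted ahead of 000-fix-so-load-path.patch instead of being appended; new patches are conventionally appended to debian/patches/series so they apply on top of the existing ones. It works here because the two patches touch different files, but appending keeps the application order predictable for future updates.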

