[DRE-maint] Bug#1089568: bookworm-pu: package ruby-doorkeeper/5.5.0-2+deb12u1
Adrian Bunk
bunk at debian.org
Mon Dec 9 03:06:08 GMT 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: security at debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers at lists.alioth.debian.org>
* CVE-2023-34246: Improper Authentication (Closes: #1038950)
diffstat for ruby-doorkeeper-5.5.0 ruby-doorkeeper-5.5.0
changelog | 7 ++
patches/0001-Block-public-clients-automatic-authorization-skip.patch | 31 ++++++++++
patches/series | 1
3 files changed, 39 insertions(+)
diff -Nru ruby-doorkeeper-5.5.0/debian/changelog ruby-doorkeeper-5.5.0/debian/changelog
--- ruby-doorkeeper-5.5.0/debian/changelog 2021-08-27 14:15:52.000000000 +0300
+++ ruby-doorkeeper-5.5.0/debian/changelog 2024-12-08 23:42:11.000000000 +0200
@@ -1,3 +1,10 @@
+ruby-doorkeeper (5.5.0-2+deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2023-34246: Improper Authentication (Closes: #1038950)
+
+ -- Adrian Bunk <bunk at debian.org> Sun, 08 Dec 2024 23:42:11 +0200
+
ruby-doorkeeper (5.5.0-2) unstable; urgency=medium
[ Debian Janitor ]
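Review bot: the changelog entry names the CVE but not what the upload actually changes; since the bookworm changelog is what users and the security tracker read, consider adding the upstream reference and a one-line effect under the CVE bullet, e.g. `* CVE-2023-34246: Improper Authentication (Closes: #1038950)` followed by `  - Block public (non-confidential) clients from skipping the authorization prompt when a matching token exists (upstream commit 992ead90, doorkeeper issue #1589)`.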
diff -Nru ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch
--- ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch 1970-01-01 02:00:00.000000000 +0200
+++ ruby-doorkeeper-5.5.0/debian/patches/0001-Block-public-clients-automatic-authorization-skip.patch 2024-12-08 23:41:54.000000000 +0200
@@ -0,0 +1,31 @@
+From 992ead90a17e368129bed6750da2f90e9e720e80 Mon Sep 17 00:00:00 2001
+From: Adam Heath <adam at polleverywhere.com>
+Date: Fri, 17 Mar 2023 16:41:30 +0800
+Subject: Block public clients automatic authorization skip
+
+Non-confidential applications should not be able to skip the authorization stop, even if they have an existing matching_token.
+
+From the [issue](https://github.com/doorkeeper-gem/doorkeeper/issues/1589):
+> According to RFC 8252 section 8.6, the authentication server should re-prompt for user consent, since the client's identity cannot be assured simply from the client_id parameter
+
+Fixes https://github.com/doorkeeper-gem/doorkeeper/issues/1589
+---
+ app/controllers/doorkeeper/authorizations_controller.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/app/controllers/doorkeeper/authorizations_controller.rb b/app/controllers/doorkeeper/authorizations_controller.rb
+index 71dce31c..81445875 100644
+--- a/app/controllers/doorkeeper/authorizations_controller.rb
++++ b/app/controllers/doorkeeper/authorizations_controller.rb
+@@ -23,7 +23,7 @@ module Doorkeeper
+ private
+
+ def render_success
+- if skip_authorization? || matching_token?
++ if skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)
+ redirect_or_render authorize_response
+ elsif Doorkeeper.configuration.api_only
+ render json: pre_auth
+--
+2.30.2
+
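Review bot: the patch file carries only the git format-patch headers and no DEP-3 fields; adding `Origin: upstream, https://github.com/doorkeeper-gem/doorkeeper/commit/992ead90a17e368129bed6750da2f90e9e720e80` and `Bug-Debian: https://bugs.debian.org/1038950` to the header would make the provenance and the CVE link machine-readable. On the change itself, the new condition `skip_authorization? || (matching_token? && pre_auth.client.application.confidential?)` sends non-confidential clients back through the consent page even when they already hold a matching token, which is what the linked issue and RFC 8252 section 8.6 ask for; note that `skip_authorization?` stays an unconditional bypass, so applications that implement that hook still decide on their own whether to honour it for public clients. The hunk touches only the controller and adds no spec, so the behaviour change is not exercised by the package's test suite at build time; a sentence in the bug on how the backport was verified (for example a manual run of the authorization flow with a public and a confidential client) would help the release team judge it.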
diff -Nru ruby-doorkeeper-5.5.0/debian/patches/series ruby-doorkeeper-5.5.0/debian/patches/series
--- ruby-doorkeeper-5.5.0/debian/patches/series 1970-01-01 02:00:00.000000000 +0200
+++ ruby-doorkeeper-5.5.0/debian/patches/series 2024-12-08 23:42:10.000000000 +0200
@@ -0,0 +1 @@
+0001-Block-public-clients-automatic-authorization-skip.patch