Hi,

Thanks for working on this issue!

On Wed, Jul 29, 2015 at 05:30:34PM +0900, Youhei SASAKI wrote:
> Dear Debian Security Team
>
> I've created patches in order to fix CVE-2015-3225 for wheezy, jessie.
>
> #789311 (CVE-2015-3225)
>
> Please consider updating the stable version of ruby-rack with the attached
> debdiff to close those CVE issues.
>
> # BTW, due to the unreported FTBFS issue about ruby-rack in jessie, we
> # can't build package without "DH_RUBY_IGNORE_TESTS=all"...

It builds for me here in pbuilder. Where exactly is the problem located?

"patchwise" both look okay but I have some small comments, first the one for
wheezy-security:

> diff -Nru ruby-rack-1.4.1/debian/changelog ruby-rack-1.4.1/debian/changelog
> --- ruby-rack-1.4.1/debian/changelog	2013-02-22 08:55:14.000000000 +0900
> +++ ruby-rack-1.4.1/debian/changelog	2015-07-29 16:48:43.000000000 +0900
> @@ -1,3 +1,10 @@
> +ruby-rack (1.4.1-3) unstable; urgency=medium

Use 1.4.1-2.1+deb7u1 as version, wheezy-security as distribution and
urgency=high.

See https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#bug-security
for some hints.

The one for jessie-security:

> diff -Nru ruby-rack-1.5.2/debian/changelog ruby-rack-1.5.2/debian/changelog
> --- ruby-rack-1.5.2/debian/changelog	2014-10-17 21:44:22.000000000 +0900
> +++ ruby-rack-1.5.2/debian/changelog	2015-07-29 17:12:45.000000000 +0900
> @@ -1,3 +1,10 @@
> +ruby-rack (1.5.2-4) unstable; urgency=medium

Same here. Use 1.5.2-3+deb8u1 as version, target jessie-security and use
urgency=high.

> +  * Create cherry-picked patch for Security Fix (Closes: #789311)
> +    - CVE-2015-3225: 1-4-deep_params.patch

[...]

> diff -Nru ruby-rack-1.5.2/debian/patches/series ruby-rack-1.5.2/debian/patches/series
> --- ruby-rack-1.5.2/debian/patches/series	1970-01-01 09:00:00.000000000 +0900
> +++ ruby-rack-1.5.2/debian/patches/series	2015-07-29 17:16:29.000000000 +0900
> @@ -0,0 +1 @@
> +1-5-deep_params.patch

The actual patch is named 1-5-deep_params.patch, so the changelog should
reflect that.

For both entries it would be great to additionally have a short description
of what CVE-2015-3225 is about in the debian/changelog entry.

Could you make the above changes? Have the resulting packages been tested in
wheezy and jessie in some environment using ruby-rack?

Regards,
Salvatore
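Review bot: the jessie changelog hunk records the fix only as "+ * Create cherry-picked patch for Security Fix (Closes: #789311)" and "+ - CVE-2015-3225: 1-4-deep_params.patch", but nothing in the visible diff says where the patch was cherry-picked from; record the upstream origin (a DEP-3 Origin: header in debian/patches/1-5-deep_params.patch, or the upstream commit reference in that changelog line) so the backport can be traced and compared against the upstream fix.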
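The checks Salvatore asks for above (stable version suffix, security distribution, urgency, and changelog/series agreement on the patch name) as a small pre-upload lint. This is an added example, not code from the bug report or from the ruby-rack package; the changelog text is constructed from the quoted hunk with a placeholder maintainer line, and the release-number table covers only the two suites the report discusses.

```python
import re

# Constructed sample input: the top of the jessie changelog entry quoted in the
# bug report (placeholder maintainer line) and the one-line patches/series file.
SAMPLE_CHANGELOG = """\
ruby-rack (1.5.2-4) unstable; urgency=medium

  * Create cherry-picked patch for Security Fix (Closes: #789311)
    - CVE-2015-3225: 1-4-deep_params.patch

 -- Maintainer Name <maintainer@example.invalid>  Wed, 29 Jul 2015 17:12:45 +0900
"""
SAMPLE_SERIES = "1-5-deep_params.patch\n"

DEBIAN_RELEASE = {"wheezy": 7, "jessie": 8}  # suites discussed in the report
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\w+)$")


def parse_top_entry(changelog):
    """Return (source, version, distribution, urgency, body lines) of the newest entry."""
    lines = changelog.splitlines()
    match = HEADER_RE.match(lines[0])
    if not match:
        raise ValueError("malformed changelog header: %r" % lines[0])
    body = []
    for line in lines[1:]:
        if line.startswith(" -- "):  # the trailer line closes the entry
            break
        body.append(line)
    return match.group(1), match.group(2), match.group(3), match.group(4), body


def lint_security_upload(changelog, series, stable_version, codename):
    """Check the newest entry against the stable security-upload conventions:
    version <stable version>+deb<N>u1, distribution <codename>-security,
    urgency=high, and every patch named in the entry listed in series.
    Returns a list of problems; an empty list means the entry passes."""
    _, version, dist, urgency, body = parse_top_entry(changelog)
    problems = []
    expected = "%s+deb%du1" % (stable_version, DEBIAN_RELEASE[codename])
    if version != expected:
        problems.append("version %s should be %s" % (version, expected))
    if dist != codename + "-security":
        problems.append("distribution %s should be %s-security" % (dist, codename))
    if urgency != "high":
        problems.append("urgency=%s should be urgency=high" % urgency)
    listed = {ln.strip() for ln in series.splitlines() if ln.strip() and not ln.startswith("#")}
    for name in re.findall(r"\S+\.patch", "\n".join(body)):
        if name not in listed:
            problems.append("changelog names %s but series lists only: %s" % (name, ", ".join(sorted(listed)) or "nothing"))
    return problems
```

Running it on the constructed jessie entry reports all four issues raised in the reply; after applying the requested changes it reports none.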