Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

Please accept the fixes for CVE-2015-4410 in ruby-bson. I have already discussed this with the security team (tagged as no-dsa). Source debdiff attached.

https://security-tracker.debian.org/CVE-2015-4410

Regards,
Prach
diff -Nru ruby-bson-1.10.0/debian/changelog ruby-bson-1.10.0/debian/changelog --- ruby-bson-1.10.0/debian/changelog 2014-05-15 12:00:35.000000000 +0700 +++ ruby-bson-1.10.0/debian/changelog 2015-11-16 08:59:15.000000000 +0700 @@ -1,3 +1,9 @@ +ruby-bson (1.10.0-1+deb8u1) jessie; urgency=medium + + * Fix CVE-2015-4410: DoS and possible injection (Closes: #787951) + + -- Prach Pongpanich <pr...@debian.org> Mon, 16 Nov 2015 08:55:51 +0700 + ruby-bson (1.10.0-1) unstable; urgency=medium [ Cédric Boutillier ] diff -Nru ruby-bson-1.10.0/debian/gbp.conf ruby-bson-1.10.0/debian/gbp.conf --- ruby-bson-1.10.0/debian/gbp.conf 1970-01-01 07:00:00.000000000 +0700 +++ ruby-bson-1.10.0/debian/gbp.conf 2015-11-16 08:59:15.000000000 +0700 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/jessie diff -Nru ruby-bson-1.10.0/debian/patches/series ruby-bson-1.10.0/debian/patches/series --- ruby-bson-1.10.0/debian/patches/series 2014-05-15 12:00:35.000000000 +0700 +++ ruby-bson-1.10.0/debian/patches/series 2015-11-15 00:59:01.000000000 +0700 @@ -4,3 +4,4 @@ #change_require_activesupport.patch #add_to_bson_code.patch remove_rubygems_from_bins.patch +Update_BSON_ObjectId_validation.patch diff -Nru ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch --- ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch 1970-01-01 07:00:00.000000000 +0700 +++ ruby-bson-1.10.0/debian/patches/Update_BSON_ObjectId_validation.patch 2015-11-15 00:59:01.000000000 +0700 
@@ -0,0 +1,18 @@ +From bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade Mon Sep 17 00:00:00 2001 +From: Emily Stolfo <em...@10gen.com> +Date: Thu, 4 Jun 2015 11:19:36 -0400 +Subject: [PATCH] RUBY-941 Update BSON ObjectId validation + +diff --git a/lib/bson/types/object_id.rb b/lib/bson/types/object_id.rb +index 5de7f66..6e44efa 100644 +--- a/lib/bson/types/object_id.rb ++++ b/lib/bson/types/object_id.rb +@@ -51,7 +51,7 @@ def initialize(data=nil, time=nil) + # + # @return [Boolean] + def self.legal?(str) +- str =~ /^[0-9a-f]{24}$/i ? true : false ++ str =~ /\A[0-9a-f]{24}\z/i ? true : false + end + + # Create an object id from the given time. This is useful for doing range
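Review bot: the debian/changelog entry for 1.10.0-1+deb8u1 says only "Fix CVE-2015-4410: DoS and possible injection (Closes: #787951)" and does not say what was changed; for a stable update the release team reads the changelog first, so name the actual change, e.g. "Anchor the regex in BSON::ObjectId.legal? with \A/\z (Update_BSON_ObjectId_validation.patch, upstream commit bb544c2f)", so that the scope of the diff is clear without opening the patch.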
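Review bot: the new debian/gbp.conf with "debian-branch = debian/jessie" is packaging housekeeping with no relation to CVE-2015-4410, and stable updates are expected to carry only the change being fixed. Either drop it from this upload or add a changelog line for it, so the release team does not have to ask why a non-security file appears in the debdiff.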
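Review bot: the added Update_BSON_ObjectId_validation.patch carries only the git From/Date/Subject lines; add DEP-3 headers, at least "Origin: upstream" pointing at commit bb544c2f6fd62940f04ddc1abeeaa3f23c1a9ade and "Bug-Debian: https://bugs.debian.org/787951", so the provenance is machine-readable and the patch can be matched against the tracker. The one-line change itself is correct: in Ruby "^" and "$" match at every line boundary, so a value such as "<24 hex digits>\n<anything>" satisfied the old "/^[0-9a-f]{24}$/i" while carrying arbitrary extra data past the check, whereas "\A" and "\z" pin the match to the whole string; using "\z" rather than "\Z" also rejects a lone trailing newline, which "\Z" would still accept.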
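The message and changelog above only say "DoS and possible injection" without showing why the one-line regex change closes the hole. The following is an added example, not ruby-bson's own code: the body of BSON::ObjectId.legal? before and after the patch, re-implemented side by side together with a "\Z" variant, run over constructed inputs (the hex id, the JSON-looking junk and the module/method names are all made up for this example). It goes slightly beyond the patch by including the "\Z" form so the three anchoring choices can be compared directly.

```ruby
# Added example (not ruby-bson's code): the regex from BSON::ObjectId.legal?
# before and after the CVE-2015-4410 patch, plus a \Z variant, applied to
# constructed inputs so the difference between the anchors is visible.
module ObjectIdCheck
  # Before the patch: in Ruby, ^ and $ are line anchors (no /m needed),
  # so they also match immediately after / before every "\n" in the string.
  LINE_ANCHORED   = /^[0-9a-f]{24}$/i
  # \Z matches at the end of the string OR just before a final "\n".
  END_OR_NEWLINE  = /\A[0-9a-f]{24}\Z/i
  # After the patch: \A and \z match only at the absolute start and end.
  STRING_ANCHORED = /\A[0-9a-f]{24}\z/i

  # Same shape as the patched method: a regex match coerced to true/false.
  def self.legal_before?(str)
    str =~ LINE_ANCHORED ? true : false
  end

  def self.legal_with_Z?(str)
    str =~ END_OR_NEWLINE ? true : false
  end

  def self.legal_after?(str)
    str =~ STRING_ANCHORED ? true : false
  end

  # A syntactically valid 24-hex-digit id, constructed for this example.
  GOOD = "507f1f77bcf86cd799439011"

  # Constructed inputs. The multi-line ones are the interesting cases:
  # any line that is a bare hex id satisfies the old, line-anchored regex,
  # so the rest of the string rides through the validation untouched.
  SAMPLES = {
    "plain"            => GOOD,
    "upper"            => GOOD.upcase,
    "trailing_newline" => GOOD + "\n",
    "leading_junk"     => '{"$gt": ""}' + "\n" + GOOD,
    "trailing_junk"    => GOOD + "\nnot-an-id",
    "too_short"        => GOOD[0, 23],
    "non_hex"          => "507f1f77bcf86cd79943901g",
  }

  # Returns { name => [before, with_Z, after] } for every sample.
  def self.compare
    SAMPLES.map do |name, s|
      [name, [legal_before?(s), legal_with_Z?(s), legal_after?(s)]]
    end.to_h
  end
end

if __FILE__ == $PROGRAM_NAME
  ObjectIdCheck.compare.each do |name, (before, with_z, after)|
    printf("%-17s before=%-5s \\Z=%-5s after=%s\n", name, before, with_z, after)
  end
end
```

Only the "\A...\z" form rejects every multi-line sample. The "\Z" form closes the leading- and trailing-junk cases but still admits a single trailing newline, which is why the upstream fix uses lowercase "\z". A caller that treats a true result from legal? as permission to interpolate the value into a query, a log line or an error message would, with the old regex, be handing on the whole multi-line string; rejecting such input outright, as the patch does, is the right fix rather than trimming it.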