Control: tags 931932 + patch
Control: tags 931932 + pending

Dear maintainer,

I've prepared an NMU for ruby-mini-magick (versioned as 4.9.2-1.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru ruby-mini-magick-4.9.2/debian/changelog ruby-mini-magick-4.9.2/debian/changelog
--- ruby-mini-magick-4.9.2/debian/changelog	2018-12-27 12:36:03.000000000 +0100
+++ ruby-mini-magick-4.9.2/debian/changelog	2019-07-13 21:51:59.000000000 +0200
@@ -1,3 +1,10 @@
+ruby-mini-magick (4.9.2-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Don't allow remote shell execution (CVE-2019-13574) (Closes: #931932)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 13 Jul 2019 21:51:59 +0200
+
 ruby-mini-magick (4.9.2-1) unstable; urgency=medium
 
   * Team upload
diff -Nru ruby-mini-magick-4.9.2/debian/patches/Don-t-allow-remote-shell-execution.patch ruby-mini-magick-4.9.2/debian/patches/Don-t-allow-remote-shell-execution.patch
--- ruby-mini-magick-4.9.2/debian/patches/Don-t-allow-remote-shell-execution.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby-mini-magick-4.9.2/debian/patches/Don-t-allow-remote-shell-execution.patch	2019-07-12 17:30:44.000000000 +0200
@@ -0,0 +1,71 @@
+From: =?UTF-8?q?Janko=20Marohni=C4=87?= <janko.maroh...@gmail.com>
+Date: Sun, 26 May 2019 17:30:14 +0200
+Subject: Don't allow remote shell execution
+Origin: https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13574
+Bug-Debian: https://bugs.debian.org/931932
+
+Kernel#open accepts a string of format "| <shell command>" which
+executes the specified shell command and otherwise presumably acts as
+IO.popen. The open-uri standard library overrides Kernel#open to also
+accept URLs.
+
+However, the overridden Kernel#open just delegates to URI#open, so we
+switch to using that directly and avoid the remote shell execution
+vulnerability. For files we just use File.open, which should have the
+same behaviour as Kernel#open.
+---
+ lib/mini_magick/image.rb           | 14 ++++++--------
+ spec/lib/mini_magick/image_spec.rb |  8 ++++++++
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/lib/mini_magick/image.rb b/lib/mini_magick/image.rb
+index a1f47c6dd67f..0ac478026dda 100644
+--- a/lib/mini_magick/image.rb
++++ b/lib/mini_magick/image.rb
+@@ -82,17 +82,15 @@ module MiniMagick
+     def self.open(path_or_url, ext = nil, options = {})
+       options, ext = ext, nil if ext.is_a?(Hash)
+ 
+-      ext ||=
+-        if File.exist?(path_or_url)
+-          File.extname(path_or_url)
+-        else
+-          File.extname(URI(path_or_url).path)
+-        end
++      uri = URI(path_or_url.to_s)
+ 
++      ext ||= File.extname(uri.path)
+       ext.sub!(/:.*/, '') # hack for filenames or URLs that include a colon
+ 
+-      Kernel.open(path_or_url, "rb", options) do |file|
+-        read(file, ext)
++      if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP)
++        uri.open(options) { |file| read(file, ext) }
++      else
++        File.open(uri.to_s, "rb", options) { |file| read(file, ext) }
+       end
+     end
+ 
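Review bot: `URI(path_or_url.to_s)` now runs on every argument, so a local path that is not a syntactically valid URI (one containing a space, for example) raises `URI::InvalidURIError` where the removed `File.exist?` branch used to open it, and the `else` branch passes `uri.to_s` to `File.open` instead of the caller's own string. Since the dangerous input is only the `"| cmd"` form and the danger comes from `Kernel.open`, consider keeping a local-file short-circuit ahead of the URI parse, e.g. `if File.exist?(path_or_url)` then `File.open(path_or_url, "rb", options) { |file| read(file, ext) }`, and parsing as a URI only when the string is not an existing file; `File.exist?` does not execute anything, so the pipe form still ends up at the URI parser and is rejected. Two caveats worth a comment in the code: `URI::HTTPS` is a subclass of `URI::HTTP`, so the `is_a?(URI::HTTP)` test does cover it, and everything that is neither HTTP nor FTP still reaches `File.open`, so this change stops shell execution only; callers must still not hand attacker-controlled strings to this method as local paths, and the `uri.open(options)` branch will fetch from any host the process can reach.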
+diff --git a/spec/lib/mini_magick/image_spec.rb b/spec/lib/mini_magick/image_spec.rb
+index 192d834082dc..00f9cb060a40 100644
+--- a/spec/lib/mini_magick/image_spec.rb
++++ b/spec/lib/mini_magick/image_spec.rb
+@@ -76,6 +76,14 @@ require "webmock/rspec"
+           expect(File.extname(image.path)).to eq ".jpg"
+         end
+ 
++        it "doesn't allow remote shell execution" do
++          expect {
++            described_class.open("| touch file.txt") # Kernel#open accepts this
++          }.to raise_error(URI::InvalidURIError)
++
++          expect(File.exist?("file.txt")).to eq(false)
++        end
++
+         it "accepts open-uri options" do
+           stub_request(:get, "http://example.com/image.jpg";)
+             .with(headers: {"Foo" => "Bar"})
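Review bot: `raise_error(URI::InvalidURIError)` ties this regression test to the URI parser rejecting one particular string, which contains both `|` and a space, rather than to the property that matters, that the argument never reaches `Kernel.open`; add `expect(Kernel).not_to receive(:open)` before the `described_class.open("| touch file.txt")` call so that a future refactor which accepts the string as a plain file path fails the test instead of silently running the command. Also, `File.exist?("file.txt")` is asserted but the file is never removed (no `ensure` or `after` hook), so a single failing run leaves `file.txt` in the working directory and makes every later run of this example fail regardless of the fix; delete it in an `ensure` block around the expectation.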
+-- 
+2.22.0
+
diff -Nru ruby-mini-magick-4.9.2/debian/patches/series ruby-mini-magick-4.9.2/debian/patches/series
--- ruby-mini-magick-4.9.2/debian/patches/series	2018-12-27 12:36:03.000000000 +0100
+++ ruby-mini-magick-4.9.2/debian/patches/series	2019-07-12 17:30:49.000000000 +0200
@@ -2,3 +2,4 @@
 remove-rubygems
 remove-deprecated-test.patch
 imagemagick-json-change.patch
+Don-t-allow-remote-shell-execution.patch