Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-1802)

Related Vulnerabilities: CVE-2013-1802   CVE-2013-0156  

Debian Bug report logs - #697895


Reported by: Joshua Timberman <joshua@opscode.com>

Date: Fri, 11 Jan 2013 00:27:02 UTC

Severity: grave

Tags: patch, security

Found in version libextlib-ruby/0.9.13-2

Fixed in version ruby-extlib/0.9.15-3

Done: Cédric Boutillier <boutil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Bryan McLellan <btm@loftninjas.org>:
Bug#697895; Package libextlib-ruby. (Fri, 11 Jan 2013 00:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Joshua Timberman <joshua@opscode.com>:
New Bug report received and forwarded. Copy sent to Bryan McLellan <btm@loftninjas.org>. (Fri, 11 Jan 2013 00:27:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Joshua Timberman <joshua@opscode.com>
To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Cc: "pkg-ruby-extras-maintainers@lists.alioth.debian.org" <pkg-ruby-extras-maintainers@lists.alioth.debian.org>, "security@debian.org" <security@debian.org>
Subject: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Date: Fri, 11 Jan 2013 00:06:54 +0000
Package: libextlib-ruby

Version: 0.9.13-2
Severity: grave
Tags: security

Dan Kubb, upstream maintainer of the extlib RubyGem recently updated it to
resolve security issues reported in CVE-2013-0156.

The patches are available from the extlib Git repository on GitHub to
remove symbol and yaml coercion, respectively:

https://github.com/datamapper/extlib/commit/4540e7102b803624cc2eade4bb8aaaa934fc31c5
https://github.com/datamapper/extlib/commit/633974b2759d9b924657f3888473d5fd681538dd
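
The two upstream commits cited above (the same ones imported in the 0.9.15-3 changelog later in this log) remove the `symbol` and `yaml` entries from the XML parser's type-coercion table, so that a `type="yaml"` or `type="symbol"` attribute in attacker-supplied XML no longer reaches `YAML.load` or `String#to_sym`. The following Ruby is an added example written for this page, not extlib's code or the patch itself. It models a minimal Hash-from-XML with a per-type coercion table in two shapes: the vulnerable one, where the attacker-chosen `type` attribute selects `to_sym` or an unsafe YAML load, and the hardened one with those two entries removed and unknown types kept as plain strings. `LEGACY_PARSERS`, `SAFE_PARSERS`, `hash_from_xml` and the sample XML are all constructed for the example and are not names from the bug report.

```ruby
require "rexml/document"
require "yaml"

# Coercions that only ever produce plain data (hypothetical table for this example).
SAFE_PARSERS = {
  "integer" => ->(s) { Integer(s, 10) rescue s },
  "float"   => ->(s) { Float(s) rescue s },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "string"  => ->(s) { s },
}.freeze

# Emulates the pre-Psych-4 behaviour where YAML.load deserialised arbitrary
# Ruby objects. Used only to show the legacy path; never call this on input
# you do not control.
def unsafe_yaml(s)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(s) : YAML.load(s)
end

# Vulnerable shape: the request decides whether its text becomes a Symbol
# (symbols were not garbage-collected before Ruby 2.2, so this is a memory
# exhaustion vector) or is handed to the YAML deserialiser (arbitrary object
# instantiation, the CVE-2013-0156 / CVE-2013-1802 class of bug).
LEGACY_PARSERS = SAFE_PARSERS.merge(
  "symbol" => ->(s) { s.to_sym },
  "yaml"   => ->(s) { unsafe_yaml(s) },
).freeze

# Look the declared type up in the table; anything unknown stays a String.
def typecast(value, type, parsers)
  parser = parsers[type]
  parser ? parser.call(value) : value
end

# Flat <root><child type="...">text</child>...</root> to a Hash of child name
# to coerced value. REXML is used because it ships with Ruby.
def hash_from_xml(xml, parsers)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, h|
    h[el.name] = typecast(el.text.to_s, el.attributes["type"], parsers)
  end
end

# Constructed sample input: a client-controlled document that asks for
# symbol and YAML coercion alongside a legitimate integer field.
SAMPLE_XML = <<~XML
  <user>
    <name>alice</name>
    <id type="integer">42</id>
    <role type="symbol">admin</role>
    <prefs type="yaml">--- !ruby/object:Object {}</prefs>
  </user>
XML

if __FILE__ == $PROGRAM_NAME
  legacy = hash_from_xml(SAMPLE_XML, LEGACY_PARSERS)
  safe   = hash_from_xml(SAMPLE_XML, SAFE_PARSERS)
  puts "legacy role:  #{legacy['role'].inspect} (#{legacy['role'].class})"
  puts "legacy prefs: #{legacy['prefs'].class} instantiated from request data"
  puts "safe role:    #{safe['role'].inspect} (#{safe['role'].class})"
  puts "safe prefs:   #{safe['prefs'].inspect}"
end
```

With `LEGACY_PARSERS` the `prefs` element instantiates whatever class the YAML tag names (here a bare `Object`; a real attacker picks a class whose `init_with` or instance-variable setters do something useful), and `role` becomes a Symbol. With `SAFE_PARSERS` both stay Strings and the application decides explicitly what to do with them, which is the behaviour the imported commits give extlib.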





Marked as found in versions libextlib-ruby/0.9.13-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Jan 2013 17:33:06 GMT) (full text, mbox, link).


Severity set to 'grave' from 'normal' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Jan 2013 17:33:07 GMT) (full text, mbox, link).


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Jan 2013 17:33:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Bryan McLellan <btm@loftninjas.org>:
Bug#697895; Package libextlib-ruby. (Fri, 11 Jan 2013 20:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bryan McLellan <btm@loftninjas.org>. (Fri, 11 Jan 2013 20:27:03 GMT) (full text, mbox, link).


Message #16 received at 697895@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Joshua Timberman <joshua@opscode.com>, 697895@bugs.debian.org
Cc: pkg-ruby-extras-maintainers@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Date: Fri, 11 Jan 2013 21:26:07 +0100
[Message part 1 (text/plain, inline)]
Hi

Attached are the upstream commits applied to the unstable version and
the generated debdiff. But this also creates some additional files in one
of the binary packages created:

ruby-extlib:
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /usr/share/rubygems-integration/1.8/specifications/extlib-0.9.15.gemspec
-rw-r--r--  root/root   /usr/share/rubygems-integration/1.9.1/specifications/extlib-0.9.15.gemspec

Regards,
Salvatore
[ruby-extlib_0.9.15-2.1.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Jan 2013 20:30:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Bryan McLellan <btm@loftninjas.org>:
Bug#697895; Package libextlib-ruby. (Fri, 11 Jan 2013 20:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bryan McLellan <btm@loftninjas.org>. (Fri, 11 Jan 2013 20:36:03 GMT) (full text, mbox, link).


Message #23 received at 697895@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Joshua Timberman <joshua@opscode.com>, 697895@bugs.debian.org, pkg-ruby-extras-maintainers@lists.alioth.debian.org, security@debian.org
Subject: Re: Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Date: Fri, 11 Jan 2013 21:32:28 +0100
[Message part 1 (text/plain, inline)]
Hi

(resending this as I missed the bugreport)

On Fri, Jan 11, 2013 at 12:06:54AM +0000, Joshua Timberman wrote:
> Package: libextlib-ruby
> 
> Version: 0.9.13-2
> Severity: grave
> Tags: security
> 
> Dan Kubb, upstream maintainer of the extlib RubyGem recently updated it to
> resolve security issues reported in CVE-2013-0156.
> 
> The patches are available from the extlib Git repository on GitHub to
> remove symbol and yaml coercion, respectively:
> 
> https://github.com/datamapper/extlib/commit/4540e7102b803624cc2eade4bb8aaaa934fc31c5
> https://github.com/datamapper/extlib/commit/633974b2759d9b924657f3888473d5fd681538dd

(Disclaimer: I'm not the maintainer/part of team for ruby-extlib
package, but trying to help on this if needed).

Attached is the first debdiff for the version in Squeeze based on the
above commits. But I noticed that when I rebuild the package I get the
following debdiff for libextlib-ruby-doc:

[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_10.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_11.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_18.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_2.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_22.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_24.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_25.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_28.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_29.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_31.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_10_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_10_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_25_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_25_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_27_0.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_27_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_28_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_28_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_29_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_29_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_2_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_2_0.png

Files in first .deb but not in second
-------------------------------------
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_10.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_11.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_18.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_2.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_22.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_24.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_25.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_28.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_29.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/f_31.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_11_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_11_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_18_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_18_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_22_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_22_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_24_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_24_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_31_0.dot.gz
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_31_0.png
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_7_0.dot
-rw-r--r--  root/root   /usr/share/doc/libextlib-ruby-doc/rdoc/dot/m_7_0.png

So it looks like the compression is on other files.

Regards,
Salvatore
[libextlib-ruby_0.9.13-2+squeeze1.debdiff (text/plain, attachment)]

Reply sent to Cédric Boutillier <boutil@debian.org>:
You have taken responsibility. (Fri, 11 Jan 2013 21:36:03 GMT) (full text, mbox, link).


Notification sent to Joshua Timberman <joshua@opscode.com>:
Bug acknowledged by developer. (Fri, 11 Jan 2013 21:36:03 GMT) (full text, mbox, link).


Message #28 received at 697895-close@bugs.debian.org (full text, mbox, reply):

From: Cédric Boutillier <boutil@debian.org>
To: 697895-close@bugs.debian.org
Subject: Bug#697895: fixed in ruby-extlib 0.9.15-3
Date: Fri, 11 Jan 2013 21:32:37 +0000
Source: ruby-extlib
Source-Version: 0.9.15-3

We believe that the bug you reported is fixed in the latest version of
ruby-extlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697895@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier <boutil@debian.org> (supplier of updated ruby-extlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 11 Jan 2013 18:15:39 +0100
Source: ruby-extlib
Binary: ruby-extlib libextlib-ruby libextlib-ruby1.8 libextlib-ruby1.9.1 libextlib-ruby-doc
Architecture: source all
Version: 0.9.15-3
Distribution: unstable
Urgency: high
Maintainer: Bryan McLellan <btm@loftninjas.org>
Changed-By: Cédric Boutillier <boutil@debian.org>
Description: 
 libextlib-ruby - Transitional package for ruby-extlib
 libextlib-ruby-doc - Transitional package for ruby-extlib
 libextlib-ruby1.8 - Transitional package for ruby-extlib
 libextlib-ruby1.9.1 - Transitional package for ruby-extlib
 ruby-extlib - general Ruby class extensions for DataMapper and Merb
Closes: 697895
Changes: 
 ruby-extlib (0.9.15-3) unstable; urgency=high
 .
   * Team upload.
   * Import patches 633974b2759d9b92 and 4540e7102b803624 from upstream
     to remove symbol and YAML coercion from the XML parser. [CVE-2013-0156]
     (Closes: #697895)
Checksums-Sha1: 
 bb10dad19c2671801877e5b5fb15b14532462daf 2247 ruby-extlib_0.9.15-3.dsc
 4f8571ba3b7aefe7bdce8e8fbe7716fcb45c7ad6 4687 ruby-extlib_0.9.15-3.diff.gz
 ff0b3141b7f2df240b8307ceb05d624851c34974 35582 ruby-extlib_0.9.15-3_all.deb
 0a77158c8ec33b24c9836c0821661bfd20cec286 4180 libextlib-ruby_0.9.15-3_all.deb
 ae9559bbad34b34bced92323424726f3815331ae 4180 libextlib-ruby1.8_0.9.15-3_all.deb
 494f0fd4dafaccec7641dfe1f1f033f3dd68b711 4182 libextlib-ruby1.9.1_0.9.15-3_all.deb
 516f4bd2e7273e37dd8a9c80430cf9fe0bf7cfd7 4180 libextlib-ruby-doc_0.9.15-3_all.deb
Checksums-Sha256: 
 6c9063a4daf662391409fa81852b5e6914fbc127c9e0f61ea78526232e941e17 2247 ruby-extlib_0.9.15-3.dsc
 95df8ec52d1638083d0e14c339f52f6aa827480208a93355c23614d25b5a6211 4687 ruby-extlib_0.9.15-3.diff.gz
 bf2ac87e0e17a46ec5583f4007e9dede358360d17c5a7be716b941a44fdf68fa 35582 ruby-extlib_0.9.15-3_all.deb
 b17a332bbf7155e39b6a49f2a1f48d8bc6deafcb55593d63b7ca2bb14fdb274d 4180 libextlib-ruby_0.9.15-3_all.deb
 4461dfcf4ef248d25bcb0c4e90514586d412603ba2425e5e25b882ddae8bd522 4180 libextlib-ruby1.8_0.9.15-3_all.deb
 a69cfbfd58c237a228b11ad5c3569a76484c08128cf358c5be055c83d0436aa0 4182 libextlib-ruby1.9.1_0.9.15-3_all.deb
 a320b93c04731473d46d257fe35f8c861472bb8115b9ddbc31610ccd45e5642c 4180 libextlib-ruby-doc_0.9.15-3_all.deb
Files: 
 3be760292b64478fc60cc2a42613c52e 2247 ruby extra ruby-extlib_0.9.15-3.dsc
 96a039c95e8affe0cfacecf4e34e1720 4687 ruby extra ruby-extlib_0.9.15-3.diff.gz
 c9a0ee978f40a2e45d5f811d048dc958 35582 ruby extra ruby-extlib_0.9.15-3_all.deb
 db26187f88999befae8996172108ed98 4180 oldlibs extra libextlib-ruby_0.9.15-3_all.deb
 0b792d88f11cec7f8182b4f3b09b5feb 4180 oldlibs extra libextlib-ruby1.8_0.9.15-3_all.deb
 29a5db040f8330c612b172ab627abcbb 4182 oldlibs extra libextlib-ruby1.9.1_0.9.15-3_all.deb
 3113c77e9276e30ac51e1283b8ea6eb7 4180 oldlibs extra libextlib-ruby-doc_0.9.15-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Bryan McLellan <btm@loftninjas.org>:
Bug#697895; Package libextlib-ruby. (Mon, 14 Jan 2013 05:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Joshua Timberman <joshua@opscode.com>:
Extra info received and forwarded to list. Copy sent to Bryan McLellan <btm@loftninjas.org>. (Mon, 14 Jan 2013 05:45:05 GMT) (full text, mbox, link).


Message #33 received at 697895@bugs.debian.org (full text, mbox, reply):

From: Joshua Timberman <joshua@opscode.com>
To: Salvatore Bonaccorso <carnil@debian.org>, "697895@bugs.debian.org" <697895@bugs.debian.org>, "pkg-ruby-extras-maintainers@lists.alioth.debian.org" <pkg-ruby-extras-maintainers@lists.alioth.debian.org>, "security@debian.org" <security@debian.org>, Cédric Boutillier <boutil@debian.org>
Subject: Re: Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Date: Mon, 14 Jan 2013 05:28:15 +0000
Thank you, Salvatore and Cédric, for your help and quick turnaround with
this!





Information forwarded to debian-bugs-dist@lists.debian.org, Bryan McLellan <btm@loftninjas.org>:
Bug#697895; Package libextlib-ruby. (Sun, 03 Mar 2013 16:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bryan McLellan <btm@loftninjas.org>. (Sun, 03 Mar 2013 16:45:03 GMT) (full text, mbox, link).


Message #38 received at 697895@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 697895@bugs.debian.org
Subject: Re: Bug#697895: Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)
Date: Sun, 3 Mar 2013 17:40:10 +0100
Control: retitle -1 Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-1802)

Hi

A separate CVE was assigned to this vulnerability: CVE-2013-1802

Regards,
Salvatore



Changed Bug title to 'Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-1802)' from 'Update libextlib-ruby / ruby-extlib for vulnerabilities (Re: CVE-2013-0156)' Request was from Salvatore Bonaccorso <carnil@debian.org> to 697895-submit@bugs.debian.org. (Sun, 03 Mar 2013 16:45:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:30:32 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:20:32 2019; Machine Name: beach
