ruby-rack: CVE-2013-0262: Path sanitization information disclosure

Related Vulnerabilities: CVE-2013-0262   CVE-2013-0263   CVE-2012-6109   CVE-2013-0183   CVE-2013-0184  

Debian Bug report logs - #700173


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 9 Feb 2013 13:18:02 UTC

Severity: grave

Tags: security

Fixed in version ruby-rack/1.4.1-2.1

Done: KURASHIKI Satoru <lurdan@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700173; Package src:ruby-rack. (Sat, 09 Feb 2013 13:18:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 09 Feb 2013 13:18:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Date: Sat, 09 Feb 2013 14:15:34 +0100
Source: ruby-rack
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for ruby-rack.

CVE-2013-0262[0]:
Path sanitization information disclosure

CVE-2013-0263[1]:
Timing attack in cookie sessions

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Patches/upstream commits are referenced in the security tracker.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-0262
[1] http://security-tracker.debian.org/tracker/CVE-2013-0263

Please adjust the affected versions in the BTS as needed.

Note: According to the Red Hat bug tracker, for CVE-2013-0262 only
      versions after 1.4.x are affected; for CVE-2013-0263, all previous
      versions. Could you please double-check this and mark
      accordingly?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700173; Package src:ruby-rack. (Sun, 10 Feb 2013 02:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Satoru KURASHIKI <lurdan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 10 Feb 2013 02:18:03 GMT) (full text, mbox, link).


Message #10 received at 700173@bugs.debian.org (full text, mbox, reply):

From: Satoru KURASHIKI <lurdan@gmail.com>
To: 700173@bugs.debian.org
Subject: Re: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Date: Sun, 10 Feb 2013 11:14:50 +0900
hi,

> For further information see:

> [0] http://security-tracker.debian.org/tracker/CVE-2013-0262
> [1] http://security-tracker.debian.org/tracker/CVE-2013-0263

> Please adjust the affected versions in the BTS as needed.

> Note: According to the Red Hat bug tracker, for CVE-2013-0262 only
>       versions after 1.4.x are affected; for CVE-2013-0263, all previous
>       versions. Could you please double-check this and mark
>       accordingly?

With a quick look:

The code which raises CVE-2013-0262 (calculate path depth sequentially)
was introduced in rack-1.4.0, so the stable version (librack-ruby 1.1.0-4) is not
affected.

The code which raises CVE-2013-0263 (needs time string comparison)
also affects the stable version:
https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49

Would it be better to split this bts?

regards,
-- 
KURASHIKI Satoru
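The message above points at the cookie-session HMAC check for CVE-2013-0263, and the changelog later in this log records the fix as a `secure_compare` patch. The following Ruby is an added illustration of that fix, not Rack's own code: it signs a session value with HMAC-SHA1, verifies it with a constant-time comparison, and puts the early-exit comparison beside it so the difference in work is visible by counting examined bytes rather than by timing. The `data--digest` layout, the `SECRET` value and all function names are assumptions made for this example.

```ruby
require 'openssl'

# Added example, not Rack's own code: an HMAC-signed cookie session value
# checked two ways. The "data--digest" layout, the SECRET and the function
# names are assumptions made for this illustration.
SECRET = 'constructed-example-secret-do-not-reuse'.freeze

# HMAC-SHA1 hex digest (40 hex characters) of the serialized session data.
def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# The weak pattern: a comparison that returns at the first differing byte.
# Returns [equal?, bytes_examined] so the position-dependent work is visible
# without measuring wall-clock time.
def compare_early_exit(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  a.each_byte.with_index do |byte, i|
    return [false, i + 1] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# The hardened pattern (what a secure_compare does): XOR every byte pair and
# OR the results together, so the work done depends only on the length.
# The digest length is public, so returning early on a length mismatch is fine.
def compare_constant_time(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  acc = 0
  a.each_byte.with_index { |byte, i| acc |= byte ^ b.getbyte(i) }
  [acc.zero?, a.bytesize]
end

# Builds a cookie value in the assumed "data--digest" layout. The data is
# assumed not to contain the "--" delimiter (a real session would encode it).
def make_cookie(data, secret = SECRET)
  "#{data}--#{sign(data, secret)}"
end

# Returns the session data when the digest verifies, nil otherwise.
def verify(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil if digest.nil?
  equal, = compare_constant_time(sign(data, secret), digest)
  equal ? data : nil
end

if __FILE__ == $PROGRAM_NAME
  cookie = make_cookie('user=alice')
  puts "valid cookie   -> #{verify(cookie).inspect}"
  puts "tampered data  -> #{verify(cookie.sub('alice', 'bob')).inspect}"
  good = sign('payload')
  bad = (good[0] == '0' ? '1' : '0') + good[1..-1]
  puts "early exit     -> #{compare_early_exit(good, bad).inspect}"
  puts "constant time  -> #{compare_constant_time(good, bad).inspect}"
end
```

With a digest whose first byte is wrong, `compare_early_exit` stops after one byte while `compare_constant_time` always touches all 40; that gap, measured over many requests, is what the `secure_compare` patch removes.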



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#700173; Package src:ruby-rack. (Sun, 10 Feb 2013 07:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 10 Feb 2013 07:51:04 GMT) (full text, mbox, link).


Message #15 received at 700173@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Satoru KURASHIKI <lurdan@gmail.com>, 700173@bugs.debian.org
Subject: Re: Bug#700173: ruby-rack: CVE-2013-0262 and CVE-2013-0263
Date: Sun, 10 Feb 2013 08:49:05 +0100
Control: clone -1 -2
Control: retitle -1 ruby-rack: CVE-2013-0262: Path sanitization information disclosure
Control: retitle -2 ruby-rack: CVE-2013-0263: Timing attack in cookie sessions

Hi

On Sun, Feb 10, 2013 at 11:14:50AM +0900, Satoru KURASHIKI wrote:
> hi,
> 
> > For further information see:
> 
> > [0] http://security-tracker.debian.org/tracker/CVE-2013-0262
> > [1] http://security-tracker.debian.org/tracker/CVE-2013-0263
> 
> > Please adjust the affected versions in the BTS as needed.
> 
> > Note: According to the Red Hat bug tracker, for CVE-2013-0262 only
> >       versions after 1.4.x are affected; for CVE-2013-0263, all previous
> >       versions. Could you please double-check this and mark
> >       accordingly?
> 
> With a quick look:
> 
> The code which raises CVE-2013-0262 (calculate path depth sequentially)
> was introduced in rack-1.4.0, so the stable version (librack-ruby 1.1.0-4) is not
> affected.
> 
> The code which raises CVE-2013-0263 (needs time string comparison)
> also affects the stable version:
> https://github.com/rack/rack/blob/1.1/lib/rack/session/cookie.rb#L49
> 
> Would it be better to split this bts?

Thanks for the analysis! I'm cloning the bug and retitling both
accordingly so that both CVEs can be tracked in separate bugs.

Regards,
Salvatore



Bug 700173 cloned as bug 700226 Request was from Salvatore Bonaccorso <carnil@debian.org> to 700173-submit@bugs.debian.org. (Sun, 10 Feb 2013 07:51:04 GMT) (full text, mbox, link).


Changed Bug title to 'ruby-rack: CVE-2013-0262: Path sanitization information disclosure' from 'ruby-rack: CVE-2013-0262 and CVE-2013-0263' Request was from Salvatore Bonaccorso <carnil@debian.org> to 700173-submit@bugs.debian.org. (Sun, 10 Feb 2013 07:51:04 GMT) (full text, mbox, link).


Reply sent to KURASHIKI Satoru <lurdan@gmail.com>:
You have taken responsibility. (Wed, 27 Feb 2013 08:51:14 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 27 Feb 2013 08:51:14 GMT) (full text, mbox, link).


Message #24 received at 700173-close@bugs.debian.org (full text, mbox, reply):

From: KURASHIKI Satoru <lurdan@gmail.com>
To: 700173-close@bugs.debian.org
Subject: Bug#700173: fixed in ruby-rack 1.4.1-2.1
Date: Wed, 27 Feb 2013 08:47:32 +0000
Source: ruby-rack
Source-Version: 1.4.1-2.1

We believe that the bug you reported is fixed in the latest version of
ruby-rack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700173@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
KURASHIKI Satoru <lurdan@gmail.com> (supplier of updated ruby-rack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 20 Feb 2013 20:56:31 +0900
Source: ruby-rack
Binary: ruby-rack librack-ruby1.9.1 librack-ruby1.8 librack-ruby
Architecture: source all
Version: 1.4.1-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: KURASHIKI Satoru <lurdan@gmail.com>
Description: 
 librack-ruby - Transitional package for ruby-rack
 librack-ruby1.8 - Transitional package for ruby-rack
 librack-ruby1.9.1 - Transitional package for ruby-rack
 ruby-rack  - Modular Ruby webserver interface
Closes: 698440 700173
Changes: 
 ruby-rack (1.4.1-2.1) unstable; urgency=high
 .
   [ KURASHIKI Satoru ]
   * Non-maintainer upload.
   * Create cherry-picked patches for Security Fix (Closes: #700173 #700226).
     - CVE-2013-0262: 0004-Prevent-symlink-path-traversals.patch
     - CVE-2013-0263: 0005-Use-secure_compare-for-hmac-comparison.patch
 .
   [ Youhei SASAKI ]
   * Create cherry-picked patches for Security Fix (Closes: #698440).
     - CVE-2012-6109: 0001-Fix-parsing-performance-for-unquoted-filenames.patch
     - CVE-2013-0183: 0002-multipart-parser-avoid-unbounded-gets-method.patch
     - CVE-2013-0184: 0003-Reimplement-auth-scheme-fix.patch
Checksums-Sha1: 
 9a3d309ba4a5e28c4704bdfe4b9ef3f0c59683ac 2296 ruby-rack_1.4.1-2.1.dsc
 6af3e111e057eb2bce94f84c0a1ba178f2554a46 10188 ruby-rack_1.4.1-2.1.debian.tar.gz
 792c22ac4c9749809bd6ef9898ae067c50e78081 82104 ruby-rack_1.4.1-2.1_all.deb
 0dd02e0fff3e0272c99fc54d9e71f6a7289e08f5 4062 librack-ruby1.9.1_1.4.1-2.1_all.deb
 e4db038dfa727071b9164bde1683271a2af9d685 4062 librack-ruby1.8_1.4.1-2.1_all.deb
 4551ba38658cd22f2ea6477e6ebe48c19445a9c8 4054 librack-ruby_1.4.1-2.1_all.deb
Checksums-Sha256: 
 5a862fc25cd10be8e1a6a995e9b3026b8b4c179f96f71fb0d82685adc0fd1d27 2296 ruby-rack_1.4.1-2.1.dsc
 bde86e2666452bab7366eb9795975d51c559bc53791fefedbcfd53c55777d4cd 10188 ruby-rack_1.4.1-2.1.debian.tar.gz
 cea57d69381165645821e448805bab849116debc7ebd4d311dcb29ca8218995c 82104 ruby-rack_1.4.1-2.1_all.deb
 93c466d51d6a045a178e7a943ee7a1a2911b315bb9a152e3d64cdf0a4a738521 4062 librack-ruby1.9.1_1.4.1-2.1_all.deb
 68634886631f95701cac203a844d66778504dbf487fba894b44132dc09e395e4 4062 librack-ruby1.8_1.4.1-2.1_all.deb
 8ba9cbc2c956f13cd0ddb990bc730d674fa6c011415e081601c91e046c06d6a9 4054 librack-ruby_1.4.1-2.1_all.deb
Files: 
 5a8aec59ccabd8a6c1a46e48dc809a95 2296 ruby optional ruby-rack_1.4.1-2.1.dsc
 0504150d496de77471904eb97f398dec 10188 ruby optional ruby-rack_1.4.1-2.1.debian.tar.gz
 e51a35b0965eefc77a76a99e757cafab 82104 ruby optional ruby-rack_1.4.1-2.1_all.deb
 c1ed80cb81d4860df8f25ef4ef5fbcbd 4062 oldlibs extra librack-ruby1.9.1_1.4.1-2.1_all.deb
 5c2f366fb42573ecd4c5da8aede17c02 4062 oldlibs extra librack-ruby1.8_1.4.1-2.1_all.deb
 e926fa8545dad99397b6a90ac96d4f60 4054 oldlibs extra librack-ruby_1.4.1-2.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJRLb3wAAoJEDIkf7tArR+mlmQP/35GAzLhoWXOzzxIL5qO/XRq
vUSLSq2Qm9+OBED3hpzxTLsGRwjwsSPov9Scefn5g/qy6c9xEAbfXqBSwo7zzvfv
sH6DeCPcBuRNxO7Ynx+zrnGDmOmWmIJBKWvsPsAIp6KF7eWfgxKmiWhjce0OETgw
YNbgfDrskargQIwWq8u4TPv0A2oS7dE3sQbxKP6Ecp3PP+mQOl9oziu99b8iaU1a
4LlTohjMaB8MjgXKm6exuBpb+GDUvt8q/W9S3d9a9qQf0DyDX3yZwPuZhjirdw2a
yhFtr+h73HTGybhGmslFjGoAdKdu0Sj+6XaFM3/bEjPvIIa/H3VGzU61D2msrFnN
YuVq2Ta2HTVIjuD8h/AGMKUXB3Q9qz0O8sYOx1T9HgkehewlVGc4h7CJjaooc609
7iN7B6grHf5U6MAXL5708jqNQNSa1uTL9WJM7SPvAxBPmtPnnrdnofigNqCx3niG
k5Gze8H2QrHGle3Ri25nQcA4PNPJug5d+Q/P5ZnT1KWFgDY6AKYr0cyWYCavQrUL
vRdPZnMi3w8fGL2ILEwy/kQmqo7gEoHtIwMg7SQDrgA0+2uoShxkvLL1FUVuujWA
n1A0SLi0eDaTI0M+gQ7iwcJXWfHsY64xFEGUHcvMGfPft/atBbblyEDrvkUopM2C
Nc6RYYRb8+Qrn/lJO4yE
=gjB6
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Mar 2013 07:28:02 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:18:04 2019; Machine Name: buxtehude
