Debian Bug report logs - #702217
CVE-2013-1812: DoS

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 4 Mar 2013 08:30:01 UTC

Severity: grave

Tags: security

Fixed in version ruby-openid/2.1.8debian-6

Done: Cédric Boutillier <cedric.boutillier@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#702217; Package ruby-openid. (Mon, 04 Mar 2013 08:30:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 04 Mar 2013 08:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2013-1812: DoS
Date: Mon, 04 Mar 2013 09:24:29 +0100
Package: ruby-openid
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2013-1812:
https://github.com/openid/ruby-openid/pull/43

Patch:
https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed

Cheers,
        Moritz



Reply sent to Cédric Boutillier <cedric.boutillier@gmail.com>:
You have taken responsibility. (Wed, 06 Mar 2013 12:48:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 06 Mar 2013 12:48:08 GMT)


Message #10 received at 702217-close@bugs.debian.org:

From: Cédric Boutillier <cedric.boutillier@gmail.com>
To: 702217-close@bugs.debian.org
Subject: Bug#702217: fixed in ruby-openid 2.1.8debian-6
Date: Wed, 06 Mar 2013 12:47:41 +0000
Source: ruby-openid
Source-Version: 2.1.8debian-6

We believe that the bug you reported is fixed in the latest version of
ruby-openid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702217@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cédric Boutillier <cedric.boutillier@gmail.com> (supplier of updated ruby-openid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Mar 2013 11:56:30 +0100
Source: ruby-openid
Binary: ruby-openid libopenid-ruby libopenid-ruby1.8
Architecture: source all
Version: 2.1.8debian-6
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Cédric Boutillier <cedric.boutillier@gmail.com>
Description: 
 libopenid-ruby - Transitional package for ruby-openid
 libopenid-ruby1.8 - Transitional package for ruby-openid
 ruby-openid - Ruby library for verifying and serving OpenID identities
Closes: 702217
Changes: 
 ruby-openid (2.1.8debian-6) unstable; urgency=high
 .
   * Urgency set to high as a security bug is fixed.
   * debian/patches:
     - add 02_fix_CVE-2013-1812.patch from upstream: limit fetching file size
       and disable XML entity expansion. [CVE-2013-1812] (Closes: #702217).
Checksums-Sha1: 
 de62516374d5f6af241eed9b5c70343f06db4843 2241 ruby-openid_2.1.8debian-6.dsc
 a9a34df579092425e846997dfcd504f604b3f24b 8729 ruby-openid_2.1.8debian-6.debian.tar.gz
 28830866de141156cdcc3a44829e9a4db0d02e93 137198 ruby-openid_2.1.8debian-6_all.deb
 af43257d7d090b81d2627aefbbaf6259902da3de 8100 libopenid-ruby_2.1.8debian-6_all.deb
 7eafbe5d4886810fca5ae4639d8c2aa5f0e40945 8100 libopenid-ruby1.8_2.1.8debian-6_all.deb
Checksums-Sha256: 
 023f74f8f792c517a6e058f7da57b1067f746f51b34d8e876ee02b62d6348867 2241 ruby-openid_2.1.8debian-6.dsc
 0ce0d7c63a2543b1116342bf0b73757ddfb0206ae1a4e0a054a3419f90e7d2cb 8729 ruby-openid_2.1.8debian-6.debian.tar.gz
 5b70cf83581862e5e8cae9d3e17d1b5f8d616019af6d0264f984f8976c061518 137198 ruby-openid_2.1.8debian-6_all.deb
 640e188f78cffcf9f4e0129e46b3b654c4511de0b596a958b47b656c0a5b159a 8100 libopenid-ruby_2.1.8debian-6_all.deb
 4ac2033dec71d0370dfe167ed9047c9df8b597217a12e61e368daa765b3763c4 8100 libopenid-ruby1.8_2.1.8debian-6_all.deb
Files: 
 eb9633c5ce618e73424c8a7443faf72b 2241 ruby optional ruby-openid_2.1.8debian-6.dsc
 d4d79f66c8daefe93b56f62cbe395272 8729 ruby optional ruby-openid_2.1.8debian-6.debian.tar.gz
 4c83e17ec3a4b383d19cb9087869f74f 137198 ruby optional ruby-openid_2.1.8debian-6_all.deb
 25e6fb86d632ef5fb28440cc44091592 8100 oldlibs extra libopenid-ruby_2.1.8debian-6_all.deb
 6eb98fecaf5189ab30bdb0e38b42da57 8100 oldlibs extra libopenid-ruby1.8_2.1.8debian-6_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----


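The changelog entry above names the two mitigations that make up the fix: the size of a fetched document is capped, and XML entity expansion is disabled so a Yadis/XRDS response cannot carry an entity-expansion ("billion laughs") payload. The following is an added example of those two controls, written for this page; it is not the upstream commit linked in the report nor the Debian patch. The constant names, the 1 MiB limit, the REXML settings, the Net::HTTP wiring and the two sample XRDS documents are all my own assumptions, not taken from ruby-openid.

```ruby
# Added example, not code from ruby-openid or the Debian patch.
# Two controls for an OpenID/Yadis discovery fetch: a hard cap on the bytes
# read from the network, and a parser that refuses entity expansion.
require 'net/http'
require 'uri'
require 'rexml/document'

MAX_RESPONSE_BYTES = 1024 * 1024  # assumed cap; tune to your deployment

class ResponseTooLarge < StandardError; end
class UnsafeXml < StandardError; end

# Forbid entity expansion outright (REXML's default allows 10_000) and bound
# the text one expansion may produce. Note: these settings are process-wide.
REXML::Security.entity_expansion_limit = 0
REXML::Security.entity_expansion_text_limit = 1024

# Accumulate body chunks and abort as soon as the running total exceeds the cap.
# Takes any Enumerable of strings: Net::HTTP's read_body chunks or a test array.
def accumulate_bounded(chunks, max_bytes = MAX_RESPONSE_BYTES)
  body = String.new(encoding: Encoding::BINARY)
  chunks.each do |chunk|
    body << chunk
    raise ResponseTooLarge, "body exceeded #{max_bytes} bytes" if body.bytesize > max_bytes
  end
  body
end

# Fetch a discovery URL while streaming the body, so a hostile server cannot
# make the client buffer an unbounded response before the size is checked.
def fetch_bounded(url, max_bytes = MAX_RESPONSE_BYTES)
  uri = URI(url)
  body = nil
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https',
                  open_timeout: 5, read_timeout: 5) do |http|
    http.request_get(uri.request_uri) do |resp|
      declared = resp['Content-Length']
      raise ResponseTooLarge, "Content-Length #{declared}" if declared && declared.to_i > max_bytes
      body = accumulate_bounded(resp.enum_for(:read_body), max_bytes)
    end
  end
  body
end

# Depth-first collection of elements by local name (avoids XPath namespace subtleties).
def collect_elements(el, local_name, acc = [])
  acc << el if el.name == local_name
  el.each_element { |child| collect_elements(child, local_name, acc) }
  acc
end

# Parse an XRDS document and return the service URIs it lists. An XRDS document
# has no legitimate use for a DOCTYPE, which is where entity declarations live,
# so any DOCTYPE is rejected before REXML parses; the REXML limits set above are
# the second layer should a document reach the parser anyway.
def xrds_service_uris(xml)
  raise UnsafeXml, 'DOCTYPE not allowed in XRDS' if xml.include?('<!DOCTYPE')
  doc = REXML::Document.new(xml)
  raise UnsafeXml, 'root element is not XRDS' unless doc.root && doc.root.name == 'XRDS'
  collect_elements(doc.root, 'URI').map { |e| e.text.to_s.strip }
end

# Constructed sample: a minimal, well-behaved XRDS discovery document.
BENIGN_XRDS = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
    <XRD>
      <Service priority="0">
        <Type>http://specs.openid.net/auth/2.0/signon</Type>
        <URI>https://id.example.test/openid</URI>
      </Service>
    </XRD>
  </xrds:XRDS>
XML

# Constructed sample: an entity-expansion payload dressed up as XRDS.
BILLION_LAUGHS = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE xrds [
    <!ENTITY lol "lol">
    <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
    <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  ]>
  <xrds:XRDS xmlns:xrds="xri://$xrds"><XRD><Service><URI>&lol2;</URI></Service></XRD></xrds:XRDS>
XML

if $PROGRAM_NAME == __FILE__
  p xrds_service_uris(BENIGN_XRDS)
  begin
    xrds_service_uris(BILLION_LAUGHS)
  rescue UnsafeXml => e
    puts "rejected: #{e.message}"
  end
  begin
    accumulate_bounded(['x' * 600, 'y' * 600], 1000)
  rescue ResponseTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

Two points worth keeping in mind when applying this pattern: checking Content-Length alone is not enough, since a server may omit it or lie, so the streamed byte count is the control that actually holds; and the REXML::Security settings are global to the process, so in an application that parses other XML they should be set deliberately rather than as a side effect of one library.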


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#702217; Package ruby-openid. (Wed, 06 Mar 2013 15:33:03 GMT)


Acknowledgement sent to Cédric Boutillier <cedric.boutillier@upmc.fr>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 06 Mar 2013 15:33:03 GMT)


Message #15 received at 702217@bugs.debian.org:

From: Cédric Boutillier <cedric.boutillier@upmc.fr>
To: 702217@bugs.debian.org, security@debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: proposition for libopenid-ruby/2.1.8debian-1+squeeze1 [CVE-2013-1812]
Date: Wed, 6 Mar 2013 16:32:20 +0100
[Message part 1 (text/plain, inline)]
Hi!

I adapted the patch from upstream and applied it to the version of
libopenid-ruby currently in squeeze.

Attached is the debdiff with a possible 2.1.8debian/1+squeeze1
targeting squeeze if accepted by the security team.

The debdiff on the .deb packages shows nothing except the change of the
version number:

$ debdiff libopenid-ruby_2.1.8debian*.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-4312-] {+4308+}
Version: [-2.1.8debian-1-] {+2.1.8debian-1+squeeze1+}

$ debdiff libopenid-ruby1.8_2.1.8debian*.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-2.1.8debian-1-] {+2.1.8debian-1+squeeze1+}

Cheers,

Cédric
[libopenid-ruby_2.1.8debian-1_to_1+squeeze1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#702217; Package ruby-openid. (Sat, 09 Mar 2013 16:39:03 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 09 Mar 2013 16:39:03 GMT)


Message #20 received at 702217@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: Cédric Boutillier <cedric.boutillier@upmc.fr>
Cc: 702217@bugs.debian.org, security@debian.org, Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: proposition for libopenid-ruby/2.1.8debian-1+squeeze1 [CVE-2013-1812]
Date: Sat, 9 Mar 2013 17:34:31 +0100
On Wednesday 06 March 2013, Cédric Boutillier wrote:
> I adapted the patch from upstream and applied it to the version of
> libopenid-ruby currently in squeeze.
> Attached is the debdiff with a possible 2.1.8debian/1+squeeze1
> targeting squeeze if accepted by the security team.

Thanks for your patch! In my opinion, this can be handled via s-p-u.

Cheers, luciano



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#702217; Package ruby-openid. (Sun, 10 Mar 2013 17:48:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 10 Mar 2013 17:48:03 GMT)


Message #25 received at 702217@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Luciano Bello <luciano@debian.org>
Cc: Cédric Boutillier <cedric.boutillier@upmc.fr>, 702217@bugs.debian.org, security@debian.org
Subject: Re: proposition for libopenid-ruby/2.1.8debian-1+squeeze1 [CVE-2013-1812]
Date: Sun, 10 Mar 2013 18:44:08 +0100
On Sat, Mar 09, 2013 at 05:34:31PM +0100, Luciano Bello wrote:
> On Wednesday 06 March 2013, Cédric Boutillier wrote:
> > I adapted the patch from upstream and applied it to the version of
> > libopenid-ruby currently in squeeze.
> > Attached is the debdiff with a possible 2.1.8debian/1+squeeze1
> > targeting squeeze if accepted by the security team.
> 
> Thanks for your patch! In my opinion, this can be handled via s-p-u.

Agreed, see here for the procedure:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
        Moritz



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Apr 2013 07:25:44 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:32:14 2019; Machine Name: buxtehude