[DRE-commits] [ruby-actionpack-3.2] 01/02: [CVE-2013-4389] Fix Possible DoS Vulnerability in Action Mailer

Ondrej Sury ondrej at moszumanska.debian.org
Sun Dec 15 15:37:29 UTC 2013


This is an automated email from the git hooks/post-receive script.

ondrej pushed a commit to branch master-wheezy
in repository ruby-actionpack-3.2.

commit ac50a1ec4561a9a5809ac928fe0f771c6460c3ef
Author: Ondřej Surý <ondrej at sury.org>
Date:   Thu Dec 5 12:01:43 2013 +0100

    [CVE-2013-4389] Fix Possible DoS Vulnerability in Action Mailer
---
 debian/patches/CVE-2013-4389.patch | 50 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 51 insertions(+)

diff --git a/debian/patches/CVE-2013-4389.patch b/debian/patches/CVE-2013-4389.patch
new file mode 100644
index 0000000..6d4ccf3
--- /dev/null
+++ b/debian/patches/CVE-2013-4389.patch
@@ -0,0 +1,50 @@
+From 5aee516b5edb49d7206cd9815c13a78b6b16c5d9 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Mon, 23 Sep 2013 10:17:58 +1200
+Subject: [PATCH] Remove the use of String#% when formatting durations in log
+ messages
+
+This avoids potential format string vulnerabilities where user-provided
+data is interpolated into the log message before String#% is called.
+
+--- ruby-actionpack-3.2.orig/lib/action_controller/log_subscriber.rb
++++ ruby-actionpack-3.2/lib/action_controller/log_subscriber.rb
+@@ -22,7 +22,7 @@ module ActionController
+       if status.nil? && payload[:exception].present?
+         status = Rack::Utils.status_code(ActionDispatch::ExceptionWrapper.new({}, payload[:exception]).status_code)
+       end
+-      message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in %.0fms" % event.duration
++      message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{format_duration(event.duration)}"
+       message << " (#{additions.join(" | ")})" unless additions.blank?
+ 
+       info(message)
+@@ -33,9 +33,7 @@ module ActionController
+     end
+ 
+     def send_file(event)
+-      message = "Sent file %s"
+-      message << " (%.1fms)"
+-      info(message % [event.payload[:path], event.duration])
++      info("Sent file #{event.payload[:path]} (#{format_duration(event.duration)})")
+     end
+ 
+     def redirect_to(event)
+@@ -43,7 +41,7 @@ module ActionController
+     end
+ 
+     def send_data(event)
+-      info("Sent data %s (%.1fms)" % [event.payload[:filename], event.duration])
++      info("Sent data #{event.payload[:filename]}  (#{format_duration(event.duration)})")
+     end
+ 
+     %w(write_fragment read_fragment exist_fragment?
+@@ -52,7 +50,8 @@ module ActionController
+         def #{method}(event)
+           key_or_path = event.payload[:key] || event.payload[:path]
+           human_name  = #{method.to_s.humanize.inspect}
+-          info("\#{human_name} \#{key_or_path} \#{"(%.1fms)" % event.duration}")
++          duration = format_duration(event.duration)
++          info("\#{human_name} \#{key_or_path} \#{duration}")
+         end
+       METHOD
+     end
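Review bot: the hunk replaces every `String#%` call with `format_duration(event.duration)` (in process_action, send_file, send_data and the generated fragment-cache methods), but nothing in this patch defines `format_duration`, and the removed lines show the file was still formatting durations inline, so the helper is unlikely to already exist in ruby-actionpack-3.2's lib/action_controller/log_subscriber.rb. If it is absent, every logged request raises NoMethodError and a log-formatting hardening becomes a full outage. Suggest adding the helper in this same patch file (a small private method on the subscriber that returns the rounded value with an "ms" suffix would match the previous `%.1fms` output) or inlining the rounding, and running the package's log subscriber tests at build time to confirm the patched file loads and logs. Minor: the send_data replacement `info("Sent data #{event.payload[:filename]}  (#{format_duration(event.duration)})")` has a double space before the parenthesised duration; the other three call sites use a single space.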
diff --git a/debian/patches/series b/debian/patches/series
index 0713e4d..d37b949 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ CVE-2013-4491.patch
 CVE-2013-6414.patch
 CVE-2013-6415.patch
 CVE-2013-6417.patch
+CVE-2013-4389.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-actionpack-3.2.git
