[DRE-commits] [ruby-rest-client] 03/03: Apply upstream patch for CVE-2015-1820 (Closes: #781238)
Sebastien Badia
sbadia-guest at moszumanska.debian.org
Wed Apr 8 10:05:24 UTC 2015
This is an automated email from the git hooks/post-receive script.
sbadia-guest pushed a commit to branch master
in repository ruby-rest-client.
commit 59813733e069d82ffb11b0e1c439c2f5f011f44a
Author: Sebastien Badia <seb at sebian.fr>
Date: Wed Apr 8 12:01:31 2015 +0200
Apply upstream patch for CVE-2015-1820 (Closes: #781238)
---
debian/changelog | 6 +-
debian/control | 11 +-
.../0001_fix-set-cookie-CVE-2015-1820.patch | 173 +++++++++++++++++++++
debian/patches/series | 1 +
4 files changed, 187 insertions(+), 4 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index ffc4202..992951e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,13 @@
-ruby-rest-client (1.6.7-6) UNRELEASED; urgency=medium
+ruby-rest-client (1.6.7-6) unstable; urgency=medium
* Team upload.
* d/control:
- Bump Standards-Version (no changes)
- Use https and cgit URL for VCS-Browser
+ - Wrap and sort control file
+ - Apply upstream patch for CVE-2015-1820 (Closes: #781238)
- -- Sebastien Badia <seb at sebian.fr> Wed, 08 Apr 2015 10:57:11 +0200
+ -- Sebastien Badia <seb at sebian.fr> Wed, 08 Apr 2015 12:01:20 +0200
ruby-rest-client (1.6.7-5) unstable; urgency=medium
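Review bot: the `Apply upstream patch for CVE-2015-1820` entry is nested under the `d/control:` bullet, yet the change it records adds `debian/patches/0001_fix-set-cookie-CVE-2015-1820.patch` and `debian/patches/series` rather than touching control; lift it to its own top-level `*` entry. The new `ruby-http-cookie` Build-Depends and Depends introduced in the control hunks are a real control change and are not recorded at all; add a `- Add ruby-http-cookie to Build-Depends and Depends` line under `d/control:`.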
diff --git a/debian/control b/debian/control
index 1e82306..e6aaf7a 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,10 @@ Section: ruby
Priority: optional
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers at lists.alioth.debian.org>
Uploaders: Lucas Nussbaum <lucas at debian.org>
-Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.3.0~), ruby-mime-types
+Build-Depends: debhelper (>= 7.0.50~),
+ gem2deb (>= 0.3.0~),
+ ruby-http-cookie,
+ ruby-mime-types
Standards-Version: 3.9.6
Vcs-Git: git://anonscm.debian.org/pkg-ruby-extras/ruby-rest-client.git
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-ruby-extras/ruby-rest-client.git
@@ -13,7 +16,11 @@ XS-Ruby-Versions: all
Package: ruby-rest-client
Architecture: all
XB-Ruby-Versions: ${ruby:Versions}
-Depends: ${shlibs:Depends}, ${misc:Depends}, ruby | ruby-interpreter, ruby-mime-types
+Depends: ruby | ruby-interpreter,
+ ruby-http-cookie,
+ ruby-mime-types,
+ ${misc:Depends},
+ ${shlibs:Depends}
Description: simple REST client for Ruby
A simple HTTP and REST client for Ruby, inspired by the Sinatra microframework
style of specifying actions: get, put, post, delete.
diff --git a/debian/patches/0001_fix-set-cookie-CVE-2015-1820.patch b/debian/patches/0001_fix-set-cookie-CVE-2015-1820.patch
new file mode 100644
index 0000000..4e7c116
--- /dev/null
+++ b/debian/patches/0001_fix-set-cookie-CVE-2015-1820.patch
@@ -0,0 +1,173 @@
+Description: CVE-2015-1820: rest-client passes values from Set-Cookie headers to arbitrary redirection target
+ When Ruby rest-client processes an HTTP redirection response, it blindly passes
+ along the values from any Set-Cookie headers to the redirection target,
+ regardless of domain, path, or expiration.
+ .
+ This is very similar to CVE-2015-2296, which affected python-requests.
+ http://www.openwall.com/lists/oss-security/2015/03/14/4
+ .
+ The issue could be similarly exploited in the following ways:
+ .
+ * If you are the redirection source (i.e. you can make rest-client hit your
+ URL), you can make rest-client perform a request to any third-party domain with
+ cookies of your choosing. This may be useful in performing a session fixation
+ attack.
+ * If you are the redirection target (i.e. you can make a third-party
+ site redirect to your URL), you can steal any cookies set by the third-party
+ redirection.
+ .
+Author: Andy Brody <git at abrody.com>
+Origin: upstream, https://patch-diff.githubusercontent.com/raw/rest-client/rest-client/pull/365.patch
+Bug: https://github.com/rest-client/rest-client/issues/369
+Bug-Debian: https://bugs.debian.org/781238
+Reviewed-By: Sebastien Badia <seb at sebian.fr>
+Last-Update: 2015-04-08
+
+--- ruby-rest-client-1.6.7.orig/lib/restclient/abstract_response.rb
++++ ruby-rest-client-1.6.7/lib/restclient/abstract_response.rb
+@@ -1,10 +1,11 @@
+ require 'cgi'
++require 'http-cookie'
+
+ module RestClient
+
+ module AbstractResponse
+
+- attr_reader :net_http_res, :args
++ attr_reader :net_http_res, :args, :request
+
+ # HTTP status code
+ def code
+@@ -22,11 +23,36 @@ module RestClient
+ @raw_headers ||= @net_http_res.to_hash
+ end
+
++ def response_set_vars(net_http_res, args, request)
++ @net_http_res = net_http_res
++ @args = args
++ @request = request
++ end
++
+ # Hash of cookies extracted from response headers
+ def cookies
+- @cookies ||= (self.headers[:set_cookie] || {}).inject({}) do |out, cookie_content|
+- out.merge parse_cookie(cookie_content)
++ hash = {}
++
++ cookie_jar.cookies.each do |cookie|
++ hash[cookie.name] = cookie.value
+ end
++
++ hash
++ end
++
++ # Cookie jar extracted from response headers.
++ #
++ # @return [HTTP::CookieJar]
++ #
++ def cookie_jar
++ return @cookie_jar if @cookie_jar
++
++ jar = HTTP::CookieJar.new
++ headers.fetch(:set_cookie, []).each do |cookie|
++ jar.parse(cookie, @request.url)
++ end
++
++ @cookie_jar = jar
+ end
+
+ # Return the default behavior corresponding to the response code:
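Review bot: `cookies` flattens `cookie_jar.cookies` with no origin argument into a name-to-value hash, so cookies scoped to other domains or paths (exactly what this fix stops forwarding in `follow_redirection`) are still exposed through this accessor, and two cookies sharing a name on different paths collapse to whichever the jar yields last; either document that behaviour in the comment above `def cookies` or filter with `cookie_jar.cookies(@request.url)`. Two smaller points: `cookie_jar` dereferences `@request.url` unconditionally, so a response object built without a request now raises NoMethodError from `.cookies` where the old `parse_cookie` path did not, and nothing in the changed lines calls `parse_cookie` any more, so check whether it still has callers and drop it if not.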
+@@ -61,25 +87,28 @@ module RestClient
+
+ # Follow a redirection
+ def follow_redirection request = nil, result = nil, & block
++ new_args = @args.dup
++
+ url = headers[:location]
+ if url !~ /^http/
+- url = URI.parse(args[:url]).merge(url).to_s
++ url = URI.parse(request.url).merge(url).to_s
+ end
+- args[:url] = url
++ new_args[:url] = url
+ if request
+ if request.max_redirects == 0
+ raise MaxRedirectsReached
+ end
+- args[:password] = request.password
+- args[:user] = request.user
+- args[:headers] = request.headers
+- args[:max_redirects] = request.max_redirects - 1
+- # pass any cookie set in the result
+- if result && result['set-cookie']
+- args[:headers][:cookies] = (args[:headers][:cookies] || {}).merge(parse_cookie(result['set-cookie']))
+- end
++ new_args[:password] = request.password
++ new_args[:user] = request.user
++ new_args[:headers] = request.headers
++ new_args[:max_redirects] = request.max_redirects - 1
++
++ # TODO: figure out what to do with original :cookie, :cookies values
++ new_args[:headers]['Cookie'] = HTTP::Cookie.cookie_value(
++ cookie_jar.cookies(new_args.fetch(:url)))
+ end
+- Request.execute args, &block
++
++ Request.execute(new_args, &block)
+ end
+
+ def AbstractResponse.beautify_headers(headers)
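Review bot: `new_args[:headers] = request.headers` stores a reference to the originating request's headers hash, so `new_args[:headers]['Cookie'] = ...` two lines later also mutates that `Request` object; `@args.dup` is shallow and does not protect the nested hash. Use `new_args[:headers] = request.headers.dup` before assigning. The assignment is also unconditional, so when the jar holds nothing for the target URL the header is still set (to an empty string if `cookie_value` simply joins the list) and an empty `Cookie:` header goes out; guard it with a check on `cookie_jar.cookies(new_args.fetch(:url))` being non-empty. The TODO marks a behavioural regression rather than a nicety: the removed code merged `args[:headers][:cookies] || {}` into the forwarded cookies, while the new code sends only jar cookies, so any cookies the caller supplied are dropped on redirect unless merged here. Finally, `URI.parse(request.url)` replaces `URI.parse(args[:url])` but `request` is a parameter defaulting to `nil` and this line sits outside the `if request` block, so a relative `Location` with no request now raises NoMethodError; fall back to `@request` (the new attr_reader) or keep `args[:url]` for that branch.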
+--- ruby-rest-client-1.6.7.orig/lib/restclient/raw_response.rb
++++ ruby-rest-client-1.6.7/lib/restclient/raw_response.rb
+@@ -13,12 +13,13 @@ module RestClient
+
+ include AbstractResponse
+
+- attr_reader :file
++ attr_reader :file, :request
+
+- def initialize tempfile, net_http_res, args
++ def initialize(tempfile, net_http_res, args, request)
+ @net_http_res = net_http_res
+ @args = args
+ @file = tempfile
++ @request = request
+ end
+
+ def to_s
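Review bot: `attr_reader :file, :request` re-declares `:request`, which this same patch already adds to `AbstractResponse` (included two lines above), and the constructor assigns the three ivars by hand that the new `response_set_vars` helper exists for; `response_set_vars(net_http_res, args, request)` followed by `@file = tempfile` would keep `RawResponse` and `Response` in step. The added fourth constructor argument is a breaking change for any external caller of `RawResponse.new`; it deserves a line in the patch Description.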
+--- ruby-rest-client-1.6.7.orig/lib/restclient/request.rb
++++ ruby-rest-client-1.6.7/lib/restclient/request.rb
+@@ -219,9 +219,9 @@ module RestClient
+ def process_result res, & block
+ if @raw_response
+ # We don't decode raw requests
+- response = RawResponse.new(@tf, res, args)
++ response = RawResponse.new(@tf, res, args, self)
+ else
+- response = Response.create(Request.decode(res['content-encoding'], res.body), res, args)
++ response = Response.create(Request.decode(res['content-encoding'], res.body), res, args, self)
+ end
+
+ if block_given?
+--- ruby-rest-client-1.6.7.orig/lib/restclient/response.rb
++++ ruby-rest-client-1.6.7/lib/restclient/response.rb
+@@ -6,17 +6,14 @@ module RestClient
+
+ include AbstractResponse
+
+- attr_accessor :args, :body, :net_http_res
+-
+ def body
+ self
+ end
+
+- def Response.create body, net_http_res, args
++ def self.create body, net_http_res, args, request
+ result = body || ''
+ result.extend Response
+- result.net_http_res = net_http_res
+- result.args = args
++ result.response_set_vars(net_http_res, args, request)
+ result
+ end
+
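Review bot: removing `attr_accessor :args, :body, :net_http_res` deletes the public setters `args=` and `net_http_res=` along with the redundant readers; `create` no longer needs them because it goes through `response_set_vars`, but any caller or spec that assigned these attributes directly will now fail with NoMethodError, so run the test suite against the patched tree before upload. The Description should also state that `Response.create` now takes a mandatory fourth `request` argument, since three-argument callers outside this gem will break at arity check.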
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..31efc66
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001_fix-set-cookie-CVE-2015-1820.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-rest-client.git