[rubygem-actionpack/f19] Avoid potential format string vulnerabilities where user-provided data is interpolated into the log

Vít Ondruch vondruch at fedoraproject.org
Wed Jan 15 15:33:43 UTC 2014


commit 1969abc5fe3783aa6aa1918eac0ec47b1571a034
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Wed Jan 15 16:33:30 2014 +0100

    Avoid potential format string vulnerabilities where user-provided data is interpolated into the log message before String#% is called.
    
    (CVE-2013-4389).

 ...013-4389-Remove-the-use-of-String-percent.patch |   58 ++++++++++++++++++++
 rubygem-actionpack.spec                            |   13 ++++-
 2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-actionpack-3.2.15-CVE-2013-4389-Remove-the-use-of-String-percent.patch b/rubygem-actionpack-3.2.15-CVE-2013-4389-Remove-the-use-of-String-percent.patch
new file mode 100644
index 0000000..c0e2bd1
--- /dev/null
+++ b/rubygem-actionpack-3.2.15-CVE-2013-4389-Remove-the-use-of-String-percent.patch
@@ -0,0 +1,58 @@
+From 5aee516b5edb49d7206cd9815c13a78b6b16c5d9 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski <michael at koziarski.com>
+Date: Mon, 23 Sep 2013 10:17:58 +1200
+Subject: [PATCH] Remove the use of String#% when formatting durations in log
+ messages
+
+This avoids potential format string vulnerabilities where user-provided
+data is interpolated into the log message before String#% is called.
+---
+ actionpack/lib/action_controller/log_subscriber.rb | 11 +++++------
+ 1 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/actionpack/lib/action_controller/log_subscriber.rb b/actionpack/lib/action_controller/log_subscriber.rb
+index 194f26a..f2545ef 100644
+--- a/actionpack/lib/action_controller/log_subscriber.rb
++++ b/actionpack/lib/action_controller/log_subscriber.rb
+@@ -23,7 +23,7 @@ module ActionController
+         exception_class_name = payload[:exception].first
+         status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
+       end
+-      message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in %.0fms" % event.duration
++      message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{format_duration(event.duration)}"
+       message << " (#{additions.join(" | ")})" unless additions.blank?
+ 
+       info(message)
+@@ -34,9 +34,7 @@ module ActionController
+     end
+ 
+     def send_file(event)
+-      message = "Sent file %s"
+-      message << " (%.1fms)"
+-      info(message % [event.payload[:path], event.duration])
++      info("Sent file #{event.payload[:path]} (#{format_duration(event.duration)})")
+     end
+ 
+     def redirect_to(event)
+@@ -44,7 +42,7 @@ module ActionController
+     end
+ 
+     def send_data(event)
+-      info("Sent data %s (%.1fms)" % [event.payload[:filename], event.duration])
++      info("Sent data #{event.payload[:filename]}  (#{format_duration(event.duration)})")
+     end
+ 
+     %w(write_fragment read_fragment exist_fragment?
+@@ -53,7 +51,8 @@ module ActionController
+         def #{method}(event)
+           key_or_path = event.payload[:key] || event.payload[:path]
+           human_name  = #{method.to_s.humanize.inspect}
+-          info("\#{human_name} \#{key_or_path} \#{"(%.1fms)" % event.duration}")
++          duration = format_duration(event.duration)
++          info("\#{human_name} \#{key_or_path} \#{duration}")
+         end
+       METHOD
+     end
+-- 
+1.8.3.2
+
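Review bot: every replacement line in this patch calls `format_duration(event.duration)`, but nothing in the patch defines it, and its own diffstat (`1 files changed, 5 insertions(+), 6 deletions(-)`) shows log_subscriber.rb is the only file touched. The patch was generated against the 3.2.15 tree (file name and `index 194f26a..f2545ef`) while this package is still at Version 3.2.13, so confirm that `format_duration` already exists in the 3.2.13 copy of action_controller/log_subscriber.rb or in a class it inherits from; if it does not, the request-completion, send_file, send_data and fragment-cache log calls will raise NoMethodError at request time, which rpmbuild will not catch unless the packaged tests are run. The fix itself is sound: the user-controlled path/filename values are now only interpolated, never passed through String#%, so a `%` in a filename can no longer be interpreted as a format directive. Minor: the send_data line has a doubled space before the parenthesis (`#{event.payload[:filename]}  (`) that the original single-space format did not have.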
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 3afa81d..a1a265c 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -6,7 +6,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.2.13
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -30,6 +30,11 @@ Patch2: rubygem-actionpack-3.2.8-relax-builder-dependency.patch
 # CVE-2013-6414 - Denial of Service Vulnerability in Action View
 Patch3: rubygem-actionpack-3.2.16-multiple-CVEs.patch
 
+# Avoid potential format string vulnerabilities where user-provided
+# data is interpolated into the log message before String#% is called.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1013913
+Patch4: rubygem-actionpack-3.2.15-CVE-2013-4389-Remove-the-use-of-String-percent.patch
+
 # Let's keep Requires and BuildRequires sorted alphabeticaly
 Requires: ruby(rubygems)
 Requires: rubygem(activemodel) = %{version}
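Review bot: the comment block above `Patch4:` describes the fix and links the bugzilla, but unlike the `# CVE-2013-6414 - ...` comment preceding Patch3 it does not name the CVE, which currently appears only in the patch file name; add the id `CVE-2013-4389` to the comment so the spec stays greppable by CVE in the same way as the neighbouring patch.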
@@ -95,6 +100,7 @@ tar xzvf %{SOURCE2} -C .%{gem_instdir}
 
 pushd .%{gem_instdir}
 %patch0 -p0
+%patch4 -p2
 popd
 
 pushd .%{gem_dir}
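Review bot: `%patch4 -p2` runs inside `pushd .%{gem_instdir}`, and `-p2` strips `a/actionpack/` from the patch's `a/actionpack/lib/action_controller/log_subscriber.rb` paths, so the strip depth matches that location. Because the patch was made against 3.2.15 and Version is 3.2.13, check the build log for offset or fuzz messages on this patch, and consider exercising the bundled test suite (the spec ships `%{gem_instdir}/test/`) in %check so that a missing `format_duration` helper would fail the build instead of surfacing as a NoMethodError in production logging.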
@@ -161,6 +167,11 @@ popd
 %{gem_instdir}/test/
 
 %changelog
+* Wed Jan 15 2014 Vít Ondruch <vondruch at redhat.com> - 1:3.2.13-4
+- Avoid potential format string vulnerabilities where user-provided
+  data is interpolated into the log message before String#% is called.
+  (CVE-2013-4389).
+
 * Mon Dec 16 2013 Josef Stribny <jstribny at redhat.com> - 1:3.2.13-3
 - Fixes for CVE-2013-6417, CVE-2013-4491, CVE-2013-6415, CVE-2013-6414
 