[rubygem-actionpack/f19] Fix CVE-2014-0081 and CVE-2014-0082
Josef Stribny
jstribny at fedoraproject.org
Wed Feb 26 16:41:25 UTC 2014
commit 49ef5fb9652e5922dbad3cd55bb7e578587fa298
Author: Josef Stribny <jstribny at redhat.com>
Date: Wed Feb 26 17:40:28 2014 +0100
Fix CVE-2014-0081 and CVE-2014-0082
...ck-3.2.17-CVE-2014-0081-XSS-vulnerability.patch | 132 ++++++++++++++++++++
rubygem-actionpack-3.2.17-CVE-2014-0082-dos.patch | 55 ++++++++
rubygem-actionpack.spec | 13 ++-
3 files changed, 199 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-actionpack-3.2.17-CVE-2014-0081-XSS-vulnerability.patch b/rubygem-actionpack-3.2.17-CVE-2014-0081-XSS-vulnerability.patch
new file mode 100644
index 0000000..500a4d0
--- /dev/null
+++ b/rubygem-actionpack-3.2.17-CVE-2014-0081-XSS-vulnerability.patch
@@ -0,0 +1,132 @@
+diff --git a/actionpack/lib/action_view/helpers/number_helper.rb b/actionpack/lib/action_view/helpers/number_helper.rb
+index 2e04ff4..8ebd7e2 100644
+--- a/lib/action_view/helpers/number_helper.rb
++++ b/lib/action_view/helpers/number_helper.rb
+@@ -138,12 +138,18 @@ module ActionView
+
+ options.symbolize_keys!
+
++ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
++ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
++ options[:format] = ERB::Util.html_escape(options[:format]) if options[:format]
++ options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
++
+ defaults = I18n.translate(:'number.format', :locale => options[:locale], :default => {})
+ currency = I18n.translate(:'number.currency.format', :locale => options[:locale], :default => {})
+ currency[:negative_format] ||= "-" + currency[:format] if currency[:format]
+
+ defaults = DEFAULT_CURRENCY_VALUES.merge(defaults).merge!(currency)
+ defaults[:negative_format] = "-" + options[:format] if options[:format]
++
+ options = defaults.merge!(options)
+
+ unit = options.delete(:unit)
+@@ -206,6 +212,9 @@ module ActionView
+
+ options.symbolize_keys!
+
++ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
++ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
++
+ defaults = I18n.translate(:'number.format', :locale => options[:locale], :default => {})
+ percentage = I18n.translate(:'number.percentage.format', :locale => options[:locale], :default => {})
+ defaults = defaults.merge(percentage)
+@@ -255,6 +264,9 @@ module ActionView
+ def number_with_delimiter(number, options = {})
+ options.symbolize_keys!
+
++ options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
++ options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
++
+ begin
+ Float(number)
+ rescue ArgumentError, TypeError
+@@ -578,7 +590,7 @@ module ActionView
+ units = options.delete :units
+ unit_exponents = case units
+ when Hash
+- units
++ units = Hash[units.map { |k, v| [k, ERB::Util.html_escape(v)] }]
+ when String, Symbol
+ I18n.translate(:"#{units}", :locale => options[:locale], :raise => true)
+ when nil
+diff --git a/actionpack/test/template/number_helper_test.rb b/actionpack/test/template/number_helper_test.rb
+index 22da7e2..7f78b52 100644
+--- a/test/template/number_helper_test.rb
++++ b/test/template/number_helper_test.rb
+@@ -19,6 +19,27 @@ class NumberHelperTest < ActionView::TestCase
+ gigabytes(number) * 1024
+ end
+
++ def test_number_helpers_escape_delimiter_and_separator
++ assert_equal "111<script></script>111<script></script>1111", number_to_phone(1111111111, :delimiter => "<script></script>")
++
++ assert_equal "$1<script></script>01", number_to_currency(1.01, :separator => "<script></script>")
++ assert_equal "$1<script></script>000.00", number_to_currency(1000, :delimiter => "<script></script>")
++
++ assert_equal "1<script></script>010%", number_to_percentage(1.01, :separator => "<script></script>")
++ assert_equal "1<script></script>000.000%", number_to_percentage(1000, :delimiter => "<script></script>")
++
++ assert_equal "1<script></script>01", number_with_delimiter(1.01, :separator => "<script></script>")
++ assert_equal "1<script></script>000", number_with_delimiter(1000, :delimiter => "<script></script>")
++
++ assert_equal "1<script></script>010", number_with_precision(1.01, :separator => "<script></script>")
++ assert_equal "1<script></script>000.000", number_with_precision(1000, :delimiter => "<script></script>")
++
++ assert_equal "9<script></script>86 KB", number_to_human_size(10100, :separator => "<script></script>")
++
++ assert_equal "1<script></script>01", number_to_human(1.01, :separator => "<script></script>")
++ assert_equal "100<script></script>000 Quadrillion", number_to_human(10**20, :delimiter => "<script></script>")
++ end
++
+ def test_number_to_phone
+ assert_equal("555-1234", number_to_phone(5551234))
+ assert_equal("800-555-1212", number_to_phone(8005551212))
+@@ -33,6 +54,8 @@ class NumberHelperTest < ActionView::TestCase
+ assert_equal("+18005551212", number_to_phone(8005551212, :country_code => 1, :delimiter => ''))
+ assert_equal("22-555-1212", number_to_phone(225551212))
+ assert_equal("+45-22-555-1212", number_to_phone(225551212, :country_code => 45))
++ assert_equal "+<script></script>8005551212", number_to_phone(8005551212, :country_code => "<script></script>", :delimiter => "")
++ assert_equal "8005551212 x <script></script>", number_to_phone(8005551212, :extension => "<script></script>", :delimiter => "")
+ end
+
+ def test_number_to_currency
+@@ -48,6 +71,9 @@ class NumberHelperTest < ActionView::TestCase
+ assert_equal("$1,234,567,890.50", number_to_currency("1234567890.50"))
+ assert_equal("1,234,567,890.50 Kč", number_to_currency("1234567890.50", {:unit => "Kč", :format => "%n %u"}))
+ assert_equal("1,234,567,890.50 - Kč", number_to_currency("-1234567890.50", {:unit => "Kč", :format => "%n %u", :negative_format => "%n - %u"}))
++ assert_equal "<b>1,234,567,890.50</b> $", number_to_currency("1234567890.50", :format => "<b>%n</b> %u")
++ assert_equal "<b>1,234,567,890.50</b> $", number_to_currency("-1234567890.50", :negative_format => "<b>%n</b> %u")
++ assert_equal "<b>1,234,567,890.50</b> $", number_to_currency("-1234567890.50", 'negative_format' => "<b>%n</b> %u")
+ end
+
+ def test_number_to_percentage
+@@ -252,0 +277,25 @@ class NumberHelperTest < ActionView::TestCase
++ def test_number_to_human_escape_units
++ volume = { :unit => "<b>ml</b>", :thousand => "<b>lt</b>", :million => "<b>m3</b>", :trillion => "<b>km3</b>", :quadrillion => "<b>Pl</b>" }
++ assert_equal '123 <b>lt</b>', number_to_human(123456, :units => volume)
++ assert_equal '12 <b>ml</b>', number_to_human(12, :units => volume)
++ assert_equal '1.23 <b>m3</b>', number_to_human(1234567, :units => volume)
++ assert_equal '1.23 <b>km3</b>', number_to_human(1_234_567_000_000, :units => volume)
++ assert_equal '1.23 <b>Pl</b>', number_to_human(1_234_567_000_000_000, :units => volume)
++
++ #Including fractionals
++ distance = { :mili => "<b>mm</b>", :centi => "<b>cm</b>", :deci => "<b>dm</b>", :unit => "<b>m</b>",
++ :ten => "<b>dam</b>", :hundred => "<b>hm</b>", :thousand => "<b>km</b>",
++ :micro => "<b>um</b>", :nano => "<b>nm</b>", :pico => "<b>pm</b>", :femto => "<b>fm</b>"}
++ assert_equal '1.23 <b>mm</b>', number_to_human(0.00123, :units => distance)
++ assert_equal '1.23 <b>cm</b>', number_to_human(0.0123, :units => distance)
++ assert_equal '1.23 <b>dm</b>', number_to_human(0.123, :units => distance)
++ assert_equal '1.23 <b>m</b>', number_to_human(1.23, :units => distance)
++ assert_equal '1.23 <b>dam</b>', number_to_human(12.3, :units => distance)
++ assert_equal '1.23 <b>hm</b>', number_to_human(123, :units => distance)
++ assert_equal '1.23 <b>km</b>', number_to_human(1230, :units => distance)
++ assert_equal '1.23 <b>um</b>', number_to_human(0.00000123, :units => distance)
++ assert_equal '1.23 <b>nm</b>', number_to_human(0.00000000123, :units => distance)
++ assert_equal '1.23 <b>pm</b>', number_to_human(0.00000000000123, :units => distance)
++ assert_equal '1.23 <b>fm</b>', number_to_human(0.00000000000000123, :units => distance)
++ end
++
+--
+1.8.4.3
+
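Review bot: The expected strings in the added tests, as rendered here, contradict the escaping the code hunks introduce: `assert_equal "$1<script></script>01", number_to_currency(1.01, :separator => "<script></script>")` can only pass if the separator is emitted unescaped, yet the same patch now routes it through `ERB::Util.html_escape`. Most likely the archive decoded the `&lt;`/`&gt;` entities of the expected values (the `<b>` expectations in `test_number_to_currency` and `test_number_to_human_escape_units` show the same pattern), so the patch file should be compared byte-for-byte with the upstream commit before it is applied, and the gem's test suite run after `%patch5`. Separately, the two `number_to_phone` expectations for `:country_code` and `:extension` rely on escaping that no code hunk in this patch adds; presumably the existing helper already escapes its joined result (possibly via the earlier Patch3), but that should be confirmed against the patched source. The methods changed in the number_helper.rb hunks start outside the hunks.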
diff --git a/rubygem-actionpack-3.2.17-CVE-2014-0082-dos.patch b/rubygem-actionpack-3.2.17-CVE-2014-0082-dos.patch
new file mode 100644
index 0000000..53950c4
--- /dev/null
+++ b/rubygem-actionpack-3.2.17-CVE-2014-0082-dos.patch
@@ -0,0 +1,55 @@
+From f103fe6031a1e36000d4dc430a3b130d381b2c0e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfranca at gmail.com>
+Date: Tue, 11 Feb 2014 22:56:50 -0200
+Subject: [PATCH] Use the reference for the mime type to get the format
+
+Before we were calling to_sym in the mime type, even when it is unknown
+what can cause denial of service since symbols are not removed by the
+garbage collector.
+---
+ actionpack/lib/action_view/template/text.rb | 2 +-
+ actionpack/test/template/text_test.rb | 17 +++++++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 actionpack/test/template/text_test.rb
+
+diff --git a/lib/action_view/template/text.rb b/lib/action_view/template/text.rb
+index 4261c3b..d90e43b 100644
+--- a/lib/action_view/template/text.rb
++++ b/lib/action_view/template/text.rb
+@@ -23,7 +23,7 @@ module ActionView #:nodoc:
+ end
+
+ def formats
+- [@mime_type.to_sym]
++ [@mime_type.respond_to?(:ref) ? @mime_type.ref : @mime_type.to_s]
+ end
+ end
+ end
+diff --git a/test/template/text_test.rb b/test/template/text_test.rb
+new file mode 100644
+index 0000000..d899d54
+--- /dev/null
++++ b/test/template/text_test.rb
+@@ -0,0 +1,17 @@
++require 'abstract_unit'
++
++class TextTest < ActiveSupport::TestCase
++ test 'formats returns symbol for recognized MIME type' do
++ assert_equal [:text], ActionView::Template::Text.new('', :text).formats
++ end
++
++ test 'formats returns string for recognized MIME type when MIME does not have symbol' do
++ foo = Mime::Type.lookup("foo")
++ assert_nil foo.to_sym
++ assert_equal ['foo'], ActionView::Template::Text.new('', foo).formats
++ end
++
++ test 'formats returns string for unknown MIME type' do
++ assert_equal ['foo'], ActionView::Template::Text.new('', 'foo').formats
++ end
++end
+--
+1.8.4.3
+
+
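Review bot: The new `formats` line carries no explanation of why `to_sym` was dropped, and the reason (given only in the patch description) is a security property that a later cleanup could easily undo by "simplifying" back to `@mime_type.to_sym`. I would add above the line: `# Do not intern the type name: symbols are not garbage collected here, so calling to_sym on an unregistered, request-supplied MIME type lets the symbol table grow without bound (CVE-2014-0082).` Note that, per the added tests, `ref` yields a String for a registered type without a symbol and `to_s` yields one for an unregistered type, so `formats` can now contain Strings as well as Symbols; callers that compare its elements against symbols should be checked, though none are visible in this patch. The enclosing class and module close outside the hunk.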
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index a1a265c..9cf5d5d 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -6,7 +6,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.2.13
-Release: 4%{?dist}
+Release: 5%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -35,6 +35,12 @@ Patch3: rubygem-actionpack-3.2.16-multiple-CVEs.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1013913
Patch4: rubygem-actionpack-3.2.15-CVE-2013-4389-Remove-the-use-of-String-percent.patch
+# Fix for CVE-2014-0081
+Patch5: rubygem-actionpack-3.2.17-CVE-2014-0081-XSS-vulnerability.patch
+
+# Fix for CVE-2014-0082
+Patch6: rubygem-actionpack-3.2.17-CVE-2014-0082-dos.patch
+
# Let's keep Requires and BuildRequires sorted alphabeticaly
Requires: ruby(rubygems)
Requires: rubygem(activemodel) = %{version}
@@ -101,6 +107,8 @@ tar xzvf %{SOURCE2} -C .%{gem_instdir}
pushd .%{gem_instdir}
%patch0 -p0
%patch4 -p2
+%patch5 -p1
+%patch6 -p1
popd
pushd .%{gem_dir}
@@ -167,6 +175,9 @@ popd
%{gem_instdir}/test/
%changelog
+* Wed Feb 26 2014 Josef Stribny <jstribny at redhat.com> - 1:3.2.13-5
+- Fix CVE-2014-0081 and CVE-2014-0082
+
* Wed Jan 15 2014 Vít Ondruch <vondruch at redhat.com> - 1:3.2.13-4
- Avoid potential format string vulnerabilities where user-provided
data is interpolated into the log message before String#% is called.