From 01c17e888e4e30a469b8a6d9b0d523e46192dff5 Mon Sep 17 00:00:00 2001
From: Mamoru Tasaka
Date: Sep 22 2009 18:23:12 +0000
Subject: - Patch for CVE-2009-3009 (bug 520843)
---
diff --git a/rubygem-actionpack-2.3.x-CVE-2009-3009.patch b/rubygem-actionpack-2.3.x-CVE-2009-3009.patch
new file mode 100644
index 0000000..7ba8012
--- /dev/null
+++ b/rubygem-actionpack-2.3.x-CVE-2009-3009.patch
@@ -0,0 +1,26 @@
+From b066ffe93fb88af3b1e4795783bb71a7b8095ac5 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski
+Date: Mon, 31 Aug 2009 12:07:30 -0700
+Subject: [PATCH] Clean tag attributes before passing through the escape_once logic.
+
+Addresses CVE-2009-3009
+---
+ actionpack/lib/action_view/helpers/tag_helper.rb | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
+index af8c4d5..db99a0e 100644
+--- a/actionpack/lib/action_view/helpers/tag_helper.rb
++++ b/actionpack/lib/action_view/helpers/tag_helper.rb
+@@ -103,7 +103,7 @@ module ActionView
+ # escape_once("<< Accept & Checkout")
+ # # => "<< Accept & Checkout"
+ def escape_once(html)
+- html.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
++ ActiveSupport::Multibyte.clean(html.to_s).gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
+ end
+
+ private
+--
+1.6.0.1
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index ebd63fe..c216f82 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -7,11 +7,12 @@
 Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Version: 2.3.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
 Source0: http://gems.rubyforge.org/gems/%{gemname}-%{version}.gem
+Patch0: rubygem-actionpack-2.3.x-CVE-2009-3009.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
@@ -35,6 +36,10 @@ mkdir -p %{buildroot}%{gemdir}
 gem install --local --install-dir %{buildroot}%{gemdir} \
 --force --rdoc %{SOURCE0}
+pushd %{buildroot}%{geminstdir}
+cat %{PATCH0} | patch -s -p2
+popd
+
 # Remove backup files
 find %{buildroot}/%{geminstdir} -type f -name "*~" -delete
@@ -71,6 +76,9 @@ rm -rf %{buildroot}
 %changelog
+* Wed Sep 23 2009 Mamoru Tasaka - 2.3.3-2
+- Patch for CVE-2009-3009 (bug 520843)
+
 * Tue Jul 28 2009 Jeroen van Meeuwen - 2.3.3-1
 - New upstream version
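Review bot: In the `%install` hunk, `cat %{PATCH0} | patch -s -p2` applies the security fix with its outcome mostly hidden: `-s` suppresses the per-hunk report in the build log, and if the hunk applies with fuzz or offset, `patch` writes a `tag_helper.rb.orig` backup next to the patched file, which the following `find ... -name "*~" -delete` cleanup does not catch, so it could ship in the package. I would make the step explicit and backup-free, e.g. `patch -p2 --no-backup-if-mismatch -i %{PATCH0}` in place of the pipeline, so the applied hunk is visible in the log and a mismatch leaves nothing behind. A rejected hunk is presumably already fatal, since the pipeline's exit status is that of `patch` and rpmbuild runs the scriptlet with `set -e`, but that is worth confirming against the build environment. The `%changelog` hunk that follows appears to continue past the end of this view.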