From 4d8ed683a510345a3e4e94f4191704cbf3dec651 Mon Sep 17 00:00:00 2001
From: Jeroen van Meeuwen
Date: Apr 30 2010 09:32:33 +0000
Subject: 2.1.1-6
---
diff --git a/import.log b/import.log
index 51178c5..5167db9 100644
--- a/import.log
+++ b/import.log
@@ -1 +1,2 @@
 rubygem-actionpack-2_1_1-2_fc10:EL-5:rubygem-actionpack-2.1.1-2.fc10.src.rpm:1235750305
+rubygem-actionpack-2_1_1-6_el5:EL-5:rubygem-actionpack-2.1.1-6.el5.src.rpm:1272619780
diff --git a/rubygem-actionpack-2.2.x-CVE-2009-3086.patch b/rubygem-actionpack-2.2.x-CVE-2009-3086.patch
new file mode 100644
index 0000000..6913e05
--- /dev/null
+++ b/rubygem-actionpack-2.2.x-CVE-2009-3086.patch
@@ -0,0 +1,44 @@
+From 674f780d59a5a7ec0301755d43a7b277a3ad2978 Mon Sep 17 00:00:00 2001
+From: Michael Koziarski
+Date: Sun, 23 Aug 2009 17:26:46 +1200
+Subject: [PATCH] Fix timing attack vulnerability in the Cookie Store
+
+Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC
+---
+ .../lib/action_controller/session/cookie_store.rb | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+
+diff --git a/actionpack/lib/action_controller/session/cookie_store.rb b/actionpack/lib/action_controller/session/cookie_store.rb
+index f2fb200..0254747 100644
+--- a/actionpack/lib/action_controller/session/cookie_store.rb
++++ b/actionpack/lib/action_controller/session/cookie_store.rb
+@@ -140,7 +140,7 @@ class CGI::Session::CookieStore
+ data, digest = cookie.split('--')
+
+ # Do two checks to transparently support old double-escaped data.
+- unless digest == generate_digest(data) || digest == generate_digest(data = CGI.unescape(data))
++ unless secure_compare(digest, generate_digest(data)) || secure_compare(digest, generate_digest(data = CGI.unescape(data)))
+ delete
+ raise TamperedWithCookie
+ end
+@@ -164,4 +164,17 @@ class CGI::Session::CookieStore
+ def clear_old_cookie_value
+ @session.cgi.cookies[@cookie_options['name']].clear
+ end
++
++ # constant-time comparison algorithm to prevent timing attacks
++ def secure_compare(a, b)
++ if a.length == b.length
++ result = 0
++ for i in 0..(a.length - 1)
++ result |= a[i] ^ b[i]
++ end
++ result == 0
++ else
++ false
++ end
++ end
+ end
+--
+1.6.0.1
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index f03061b..25cac76 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
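Review bot: In the first cookie_store.rb hunk, `digest` is nil whenever the cookie has no `--` separator, and `secure_compare(digest, ...)` then calls `a.length` on nil, so a malformed cookie would raise NoMethodError where the old `==` comparison fell through to `delete` and `raise TamperedWithCookie`. Guarding the length test in `secure_compare` keeps that rejection path intact: `if a && b && a.length == b.length`. The loop also depends on `a[i]` returning an integer, which holds on Ruby 1.8 but not on 1.9, where String#[] returns a one-character string, so a short comment stating that assumption would help anyone rebuilding against a newer interpreter. The method containing the changed `unless` starts and ends outside the hunk, so how callers handle either exception is not visible here.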
@@ -7,7 +7,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Version: 2.1.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -19,6 +19,8 @@ Patch2: rubygem-actionpack-2.1.x-CVE-2009-3009.patch
 Patch3: rubygem-actionpack-2.1.x-verify-also-text.patch
 # bug 542786
 Patch4: rubygem-actionpack-2.2.x-strip_tag-for-nonprintable.patch
+# bug 522162
+Patch5: rubygem-actionpack-2.2.x-CVE-2009-3086.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
@@ -39,6 +41,7 @@ unit/integration testing that doesn't require a browser.
 %patch2 -p2
 %patch3 -p2
 %patch4 -p2
+%patch5 -p2
 %build
 rake gem
@@ -71,6 +74,9 @@ rm -rf %{buildroot}
 %changelog
+* Fri Apr 30 2010 Jeroen van Meeuwen -2.1.1-6
+- Apply fix for CVE-2009-3086 (bz #522162)
+
 * Mon Dec 7 2009 Mamoru Tasaka - 2.1.1-5
 - Fix for potential CSRF protection circumvention (bug 544329)
 - Fix for XSS weakness in strip_tags (bug 542786)