author | minskim <minskim@pkgsrc.org> | 2009-07-16 11:00:25 +0000 |
committer | minskim <minskim@pkgsrc.org> | 2009-07-16 11:00:25 +0000 |
commit | 0d4fd984869d5065027719c052997089bebdcd08 (patch) | |
tree | 732d50bc46cd09cbc4b1b200debfdab141a35501 | |
parent | aeae32aaccb166b8ff642f6a6a91c45a0061b132 (diff) | |
Security fix for:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
From rails git commit 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489.
-rw-r--r-- | www/ruby-actionpack/Makefile | 7 | ||||
-rw-r--r-- | www/ruby-actionpack/distinfo | 3 | ||||
-rw-r--r-- | www/ruby-actionpack/patches/patch-aa | 24 |
3 files changed, 32 insertions, 2 deletions
diff --git a/www/ruby-actionpack/Makefile b/www/ruby-actionpack/Makefile
index bb86c628cb9..dc86d0ccaf5 100644
--- a/www/ruby-actionpack/Makefile
+++ b/www/ruby-actionpack/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.15 2009/04/07 17:13:27 minskim Exp $
+# $NetBSD: Makefile,v 1.16 2009/07/16 11:00:25 minskim Exp $
 DISTNAME= actionpack-2.3.2
 PKGNAME= ${RUBY_PKGPREFIX}-${DISTNAME}
+PKGREVISION= 1
 CATEGORIES= www
 MAINTAINER= minskim@NetBSD.org
@@ -11,4 +12,8 @@ COMMENT= Two-step approach to web response generation
 DEPENDS+= ${RUBY_PKGPREFIX}-activesupport>=2.3.2:../../devel/ruby-activesupport
 .include "../../misc/rubygems/rubygem.mk"
+
+pre-configure:
+ ${RM} ${WRKSRC}/lib/action_controller/http_authentication.rb.orig
+
 .include "../../mk/bsd.pkg.mk"
diff --git a/www/ruby-actionpack/distinfo b/www/ruby-actionpack/distinfo
index 1619c8de209..83974f4e080 100644
--- a/www/ruby-actionpack/distinfo
+++ b/www/ruby-actionpack/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.16 2009/04/07 17:13:27 minskim Exp $
+$NetBSD: distinfo,v 1.17 2009/07/16 11:00:25 minskim Exp $
 SHA1 (actionpack-2.3.2.gem) = 31e9815ed5d901b6b7f618bb7140f16d1a79ebfc
 RMD160 (actionpack-2.3.2.gem) = 800602f5c03b08ca8ca292cc7f82ef009c0e2160
 Size (actionpack-2.3.2.gem) = 767488 bytes
+SHA1 (patch-aa) = 85d3a5a5766a6ac220e230436f53f6cd4078a259
 SHA1 (patch-ab) = bfba841b0af9d503a71745cc8d992e9d09d94191
diff --git a/www/ruby-actionpack/patches/patch-aa b/www/ruby-actionpack/patches/patch-aa
new file mode 100644
index 00000000000..e6037d72efb
--- /dev/null
+++ b/www/ruby-actionpack/patches/patch-aa
@@ -0,0 +1,24 @@
+$NetBSD: patch-aa,v 1.3 2009/07/16 11:00:25 minskim Exp $
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
+rails git commit 056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489
+
+--- lib/action_controller/http_authentication.rb.orig 2009-07-16 03:45:19.000000000 -0700
++++ lib/action_controller/http_authentication.rb
+@@ -183,7 +183,7 @@ module ActionController
+ request.env['REDIRECT_X_HTTP_AUTHORIZATION']
+ end
+
+- # Raises error unless the request credentials response value matches the expected value.
++ # Returns false unless the request credentials response value matches the expected value.
+ # First try the password as a ha1 digest password. If this fails, then try it as a plain
+ # text password.
+ def validate_digest_response(request, realm, &password_procedure)
+@@ -192,6 +192,7 @@ module ActionController
+
+ if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
+ password = password_procedure.call(credentials[:username])
++ return false unless password
+
+ [true, false].any? do |password_is_ha1|
+ expected = expected_response(request.env['REQUEST_METHOD'], request.env['REQUEST_URI'], credentials, password, password_is_ha1)
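Review bot: The added `return false unless password` guard rejects only nil and false, so a password procedure that returns an empty string (truthy in Ruby) still reaches the `expected_response` call on the following line with `""` as the shared secret; if an empty credential can never belong to a real account, tighten the guard to `return false if password.nil? || password.empty?`. Whether `""` is a legitimate return value is decided by the application's `password_procedure`, so confirm against callers before making that change. The rest of `validate_digest_response`, including the path taken when the `valid_nonce && realm == … && opaque == …` condition is false, lies outside this hunk, so the new "Returns false" wording in the header comment can only be checked for the guard shown here.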