Merge lp:~logan/ubuntu/raring/couchdb/1.2.0-5 into lp:ubuntu/raring/couchdb

Proposed by Logan Rosen
Status: Merged
Merge reported by: Jamie Strandboge
Merged at revision: not available
Proposed branch: lp:~logan/ubuntu/raring/couchdb/1.2.0-5
Merge into: lp:ubuntu/raring/couchdb
Diff against target: 219 lines (+130/-8)
9 files modified
.pc/applied-patches (+3/-0)
debian/changelog (+25/-0)
debian/patches/improve_parsing_of_mochiweb_relative_paths.patch (+40/-0)
debian/patches/improve_script_url_validation.patch (+26/-0)
debian/patches/include_a_comment_before_jsonp_output.patch (+20/-0)
debian/patches/series (+3/-0)
share/www/script/couch_test_runner.js (+3/-5)
src/couchdb/couch_httpd.erl (+1/-1)
src/mochiweb/mochiweb_util.erl (+9/-2)
Reviewer Review Type Date Requested Status
Jamie Strandboge Approve
Ubuntu branches Pending
Jamie Strandboge (jdstrand) wrote :

Thanks for your merge! ACK, though in the future you might also file a security bug and subscribe ubuntu-security-sponsors so a member of the security team could review it. Thanks again.

review: Approve
Logan Rosen (logan) wrote :

Noted. Thanks!

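--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -3,3 +3,6 @@
 logrotate_as_couchdb.patch
 couchdb_sighup.patch
 wait_for_couchdb_stop.patch
+improve_parsing_of_mochiweb_relative_paths.patch
+improve_script_url_validation.patch
+include_a_comment_before_jsonp_output.patch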
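--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+couchdb (1.2.0-5ubuntu1) raring; urgency=low
+
+ * Merge from Debian unstable. Remaining changes:
+ - debian/rules, debian/control: Split couchdb and couchdb-bin.
+ - debian/postinst: Rename to couchdb-bin.postinst.
+ - debian/couchdb-bin.postrm: Don't try to delete couchdb system
+ user/group.
+
+ -- Logan Rosen <logatronico@gmail.com> Mon, 21 Jan 2013 17:26:25 -0500
+
+couchdb (1.2.0-5) unstable; urgency=high
+
+ * Fix debian/patches/series for CVE-2012-5649 and CVE-2012-5650 fixes.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.hu> Fri, 18 Jan 2013 22:04:32 +0100
+
+couchdb (1.2.0-4) unstable; urgency=high
+
+ * Fix CVE-2012-5649 and CVE-2012-5650 with adding upstream fixes as patches:
+ improve_parsing_of_mochiweb_relative_paths.patch ,
+ improve_script_url_validation.patch and
+ include_a_comment_before_jsonp_output.patch (closes: #698439).
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.hu> Fri, 18 Jan 2013 20:04:01 +0100
+
 couchdb (1.2.0-3ubuntu1) raring; urgency=low
 
 * Merge from Debian unstable. Remaining changes: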
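--- a/debian/patches/improve_parsing_of_mochiweb_relative_paths.patch
+++ b/debian/patches/improve_parsing_of_mochiweb_relative_paths.patch
@@ -0,0 +1,40 @@
+Description: improve parsing of mochiweb relative paths
+ Patch adapted from http://www.couchbase.com/issues/browse/MB-7390
+Author: Sriram Melkote <siri@couchbase.com>
+Bug-Debian: http://bugs.debian.org/698439
+Last-Update: 2012-12-15
+
+---
+
+diff --git a/src/mochiweb/mochiweb_util.erl b/src/mochiweb/mochiweb_util.erl
+index 3b50fe7..6b88818 100644
+--- a/src/mochiweb/mochiweb_util.erl
++++ b/src/mochiweb/mochiweb_util.erl
+@@ -68,11 +68,17 @@ partition2(_S, _Sep) ->
+ %% @spec safe_relative_path(string()) -> string() | undefined
+ %% @doc Return the reduced version of a relative path or undefined if it
+ %% is not safe. safe relative paths can be joined with an absolute path
+-%% and will result in a subdirectory of the absolute path.
++%% and will result in a subdirectory of the absolute path. Safe paths
++%% never contain a backslash character.
+ safe_relative_path("/" ++ _) ->
+ undefined;
+ safe_relative_path(P) ->
+- safe_relative_path(P, []).
++ case string:chr(P, $\\) of
++ 0 ->
++ safe_relative_path(P, []);
++ _ ->
++ undefined
++ end.
+
+ safe_relative_path("", Acc) ->
+ case Acc of
+@@ -809,6 +815,7 @@ safe_relative_path_test() ->
+ undefined = safe_relative_path("../foo"),
+ undefined = safe_relative_path("foo/../.."),
+ undefined = safe_relative_path("foo//"),
++ undefined = safe_relative_path("foo\\bar"),
+ ok.
+
+ parse_qvalues_test() ->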
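--- a/debian/patches/improve_script_url_validation.patch
+++ b/debian/patches/improve_script_url_validation.patch
@@ -0,0 +1,26 @@
+Description: Improve script url validation
+Author: Robert Newson <rnewson@apache.org>
+Bug-Debian: http://bugs.debian.org/698439
+Last-Update: 2012-12-18
+
+---
+
+diff --git a/share/www/script/couch_test_runner.js b/share/www/script/couch_test_runner.js
+index c1e7a72..60ba11c 100644
+--- a/share/www/script/couch_test_runner.js
++++ b/share/www/script/couch_test_runner.js
+@@ -15,11 +15,9 @@
+
+ function loadScript(url) {
+ // disallow loading remote URLs
+- if((url.substr(0, 7) == "http://")
+- || (url.substr(0, 2) == "//")
+- || (url.substr(0, 5) == "data:")
+- || (url.substr(0, 11) == "javascript:")) {
+- throw "Not loading remote test scripts";
++ var re = /^[a-z0-9_]+(\/[a-z0-9_]+)*\.js#?$/;
++ if (!re.test(url)) {
++ throw "Not loading remote test scripts";
+ }
+ if (typeof document != "undefined") document.write('<script src="'+url+'"></script>');
+ };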
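--- a/debian/patches/include_a_comment_before_jsonp_output.patch
+++ b/debian/patches/include_a_comment_before_jsonp_output.patch
@@ -0,0 +1,20 @@
+Description: Include a comment before jsonp output
+Author: Robert Newson <rnewson@apache.org>
+Bug-Debian: http://bugs.debian.org/698439
+Last-Update: 2012-12-19
+
+---
+
+diff --git a/src/couchdb/couch_httpd.erl b/src/couchdb/couch_httpd.erl
+index 0be7126..58f5ec6 100644
+--- a/src/couchdb/couch_httpd.erl
++++ b/src/couchdb/couch_httpd.erl
+@@ -746,7 +746,7 @@ start_jsonp() ->
+ case get(jsonp) of
+ no_jsonp -> [];
+ [] -> [];
+- CallBack -> CallBack ++ "("
++ CallBack -> ["/* CouchDB */", CallBack, "("]
+ end.
+
+ end_jsonp() ->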
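--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,6 @@
 logrotate_as_couchdb.patch
 couchdb_sighup.patch
 wait_for_couchdb_stop.patch
+improve_parsing_of_mochiweb_relative_paths.patch
+improve_script_url_validation.patch
+include_a_comment_before_jsonp_output.patch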
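--- a/share/www/script/couch_test_runner.js
+++ b/share/www/script/couch_test_runner.js
@@ -15,11 +15,9 @@
 
 function loadScript(url) {
 // disallow loading remote URLs
- if((url.substr(0, 7) == "http://")
- || (url.substr(0, 2) == "//")
- || (url.substr(0, 5) == "data:")
- || (url.substr(0, 11) == "javascript:")) {
- throw "Not loading remote test scripts";
+ var re = /^[a-z0-9_]+(\/[a-z0-9_]+)*\.js#?$/;
+ if (!re.test(url)) {
+ throw "Not loading remote test scripts";
 }
 if (typeof document != "undefined") document.write('<script src="'+url+'"></script>');
 };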
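Review bot: The comment `// disallow loading remote URLs` above the new check is now out of date: the regex on the next line is an allowlist of relative `.js` paths built from lowercase letters, digits, underscores and `/`, so it also rejects local paths containing uppercase letters, hyphens or `..`, and the thrown message `"Not loading remote test scripts"` describes only one of the rejected cases. Suggest replacing the comment with `// allowlist: only relative paths of [a-z0-9_] segments ending in .js (optional trailing '#'); everything else is refused` so a later maintainer does not loosen the regex believing it only blocks remote URLs. This allowlist is also what makes the following `document.write('<script src="'+url+'"></script>')` safe, since no quote, `<` or `>` can pass it; that dependency is worth a one-line comment next to the write. The same change is carried verbatim in debian/patches/improve_script_url_validation.patch.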
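--- a/src/couchdb/couch_httpd.erl
+++ b/src/couchdb/couch_httpd.erl
@@ -746,7 +746,7 @@
 case get(jsonp) of
 no_jsonp -> [];
 [] -> [];
- CallBack -> CallBack ++ "("
+ CallBack -> ["/* CouchDB */", CallBack, "("]
 end.
 
 end_jsonp() ->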
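Review bot: The new `"/* CouchDB */"` prefix is the whole point of the patch — the changelog ties it to CVE-2012-5649 and CVE-2012-5650 — but nothing in the code says so, and a future cleanup could drop it as cosmetic noise. Suggest a why-comment on the changed line, e.g. `%% Leading comment is deliberate: the JSONP body must never begin with the caller-supplied callback name; do not remove.` The clause's return also changes shape from a flat string (`CallBack ++ "("`) to an iolist; `start_jsonp/0` begins outside the hunk, so any caller that appends to the result with `++` or matches it as a string would need checking, and `end_jsonp/0` presumably still returns a plain string. `CallBack` is still emitted verbatim here, so the prefix complements rather than replaces whatever validation of the callback parameter is done elsewhere. The same change is carried verbatim in debian/patches/include_a_comment_before_jsonp_output.patch.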
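--- a/src/mochiweb/mochiweb_util.erl
+++ b/src/mochiweb/mochiweb_util.erl
@@ -68,11 +68,17 @@
 %% @spec safe_relative_path(string()) -> string() | undefined
 %% @doc Return the reduced version of a relative path or undefined if it
 %% is not safe. safe relative paths can be joined with an absolute path
-%% and will result in a subdirectory of the absolute path.
+%% and will result in a subdirectory of the absolute path. Safe paths
+%% never contain a backslash character.
 safe_relative_path("/" ++ _) ->
 undefined;
 safe_relative_path(P) ->
- safe_relative_path(P, []).
+ case string:chr(P, $\\) of
+ 0 ->
+ safe_relative_path(P, []);
+ _ ->
+ undefined
+ end.
 
 safe_relative_path("", Acc) ->
 case Acc of
@@ -809,6 +815,7 @@
 undefined = safe_relative_path("../foo"),
 undefined = safe_relative_path("foo/../.."),
 undefined = safe_relative_path("foo//"),
+ undefined = safe_relative_path("foo\\bar"),
 ok.
 
 parse_qvalues_test() ->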
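Review bot: `case string:chr(P, $\\) of 0 -> ...; _ -> undefined end` reads as an index lookup when it is only a membership test; `case lists:member($\\, P) of false -> safe_relative_path(P, []); true -> undefined end` states the intent directly and drops the magic `0`. The added doc line says safe paths never contain a backslash but not why; suggest extending it with `%% (a backslash is a directory separator on some platforms, so "foo\..\.." would escape the base while passing the "/"-based reduction below)` — the reduction in `safe_relative_path/2` starts outside the hunk, so confirm it indeed only recognises `/`. The new test line `undefined = safe_relative_path("foo\\bar")` covers the plain case; a traversal-shaped input such as `"foo\\..\\.."` would document the actual risk being closed. The same change is carried verbatim in debian/patches/improve_parsing_of_mochiweb_relative_paths.patch.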
