Version in base suite: 6.1.7.10+dfsg-1~deb12u1 Base version: rails_6.1.7.10+dfsg-1~deb12u1 Target version: rails_6.1.7.10+dfsg-1~deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rails/rails_6.1.7.10+dfsg-1~deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rails/rails_6.1.7.10+dfsg-1~deb12u2.dsc changelog | 20 ++++++++++ patches/CVE-2025-24293.patch | 74 +++++++++++++++++++++++++++++++++++++ patches/CVE-2025-55193.patch | 86 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 + salsa-ci.yml | 5 ++ 5 files changed, 187 insertions(+)
diff -Nru rails-6.1.7.10+dfsg/debian/changelog rails-6.1.7.10+dfsg/debian/changelog
--- rails-6.1.7.10+dfsg/debian/changelog 2025-03-14 14:32:55.000000000 +0000
+++ rails-6.1.7.10+dfsg/debian/changelog 2025-12-01 21:00:18.000000000 +0000
@@ -1,3 +1,23 @@
+rails (2:6.1.7.10+dfsg-1~deb12u2) bookworm-security; urgency=medium
+
+ * Team upload
+ * Add SalsaCI
+ * Fix CVE-2025-24293 (Closes: #1111106)
+ Active Record connects classes to relational database tables.
+ The ID passed to find or similar methods may be logged without
+ escaping. If this is directly to the terminal it may include
+ unescaped ANSI sequences.
+ * Fix CVE-2025-55193.
+ Active Storage attempts to prevent the use of potentially unsafe image
+ transformation methods and parameters by default.
+ The default allowed list contains three methods allowing
+ for the circumvention of the safe defaults which enables potential
+ command injection vulnerabilities in cases where arbitrary
+ user supplied input is accepted as valid transformation methods
+ or parameters.
+
+ -- Bastien Roucariès Mon, 01 Dec 2025 22:00:18 +0100
+
 rails (2:6.1.7.10+dfsg-1~deb12u1) bookworm-security; urgency=medium
 
 * New upstream version 6.1.7.10+dfsg.
diff -Nru rails-6.1.7.10+dfsg/debian/patches/CVE-2025-24293.patch rails-6.1.7.10+dfsg/debian/patches/CVE-2025-24293.patch
--- rails-6.1.7.10+dfsg/debian/patches/CVE-2025-24293.patch 1970-01-01 00:00:00.000000000 +0000
+++ rails-6.1.7.10+dfsg/debian/patches/CVE-2025-24293.patch 2025-12-01 21:00:18.000000000 +0000
@@ -0,0 +1,74 @@
+From: Zack Deveau
+Date: Tue, 12 Aug 2025 13:40:00 -0700
+Subject: Active Storage: Remove dangerous transformations
+
+[CVE-2025-24293]
+
+A subset of transformation methods included in the default allowed list
+still present potential command injection risk to applications accepting
+arbitrary user input for transformations or their parameters.
+
+Doing so is unsupported behavior and should be considered dangerous.
+
+origin: https://github.com/rails/rails/commit/1b1adf6ee6ca0f3104fcfce79360b2ec1e06a354
+bug: https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3
+---
+ activestorage/lib/active_storage.rb | 3 ---
+ activestorage/test/models/variant_test.rb | 6 +++---
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/activestorage/lib/active_storage.rb b/activestorage/lib/active_storage.rb
+index 415ccc9..5a527c4 100644
+--- a/activestorage/lib/active_storage.rb
++++ b/activestorage/lib/active_storage.rb
+@@ -68,7 +68,6 @@ module ActiveStorage
+ "annotate",
+ "antialias",
+ "append",
+- "apply",
+ "attenuate",
+ "authenticate",
+ "auto_gamma",
+@@ -209,7 +208,6 @@ module ActiveStorage
+ "linewidth",
+ "liquid_rescale",
+ "list",
+- "loader",
+ "log",
+ "loop",
+ "lowlight_color",
+@@ -272,7 +270,6 @@ module ActiveStorage
+ "rotate",
+ "sample",
+ "sampling_factor",
+- "saver",
+ "scale",
+ "scene",
+ "screen",
+diff --git a/activestorage/test/models/variant_test.rb b/activestorage/test/models/variant_test.rb
+index 1f3d9c5..4205190 100644
+--- a/activestorage/test/models/variant_test.rb
++++ b/activestorage/test/models/variant_test.rb
+@@ -246,7 +246,7 @@ class ActiveStorage::VariantTest < ActiveSupport::TestCase
+ process_variants_with :mini_magick do
+ blob = create_file_blob(filename: "racecar.jpg")
+ assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
+- blob.variant(saver: { "-write": "/tmp/file.erb" }).processed
++ blob.variant(resize: { "-write": "/tmp/file.erb" }).processed
+ end
+ end
+ end
+@@ -255,11 +255,11 @@ class ActiveStorage::VariantTest < ActiveSupport::TestCase
+ process_variants_with :mini_magick do
+ blob = create_file_blob(filename: "racecar.jpg")
+ assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
+- blob.variant(saver: { "something": { "-write": "/tmp/file.erb" } }).processed
++ blob.variant(resize: { "something": { "-write": "/tmp/file.erb" } }).processed
+ end
+
+ assert_raise(ActiveStorage::Transformers::ImageProcessingTransformer::UnsupportedImageProcessingArgument) do
+- blob.variant(saver: { "something": ["-write", "/tmp/file.erb"] }).processed
++ blob.variant(resize: { "something": ["-write", "/tmp/file.erb"] }).processed
+ end
+ end
+ end
diff -Nru rails-6.1.7.10+dfsg/debian/patches/CVE-2025-55193.patch rails-6.1.7.10+dfsg/debian/patches/CVE-2025-55193.patch
--- rails-6.1.7.10+dfsg/debian/patches/CVE-2025-55193.patch 1970-01-01 00:00:00.000000000 +0000
+++ rails-6.1.7.10+dfsg/debian/patches/CVE-2025-55193.patch 2025-12-01 21:00:18.000000000 +0000
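Review bot: The debian/changelog entry in this upload pairs CVE-2025-24293 with the Active Record RecordNotFound escaping text and `(Closes: #1111106)`, but this patch's own header (`Subject: Active Storage: Remove dangerous transformations`, `[CVE-2025-24293]`, GHSA-r4mg-4433-c7g3) removes `apply`, `loader` and `saver` from the Active Storage allowed list, and the `bug-debian: ...bug=1111106` line sits in CVE-2025-55193.patch instead. The two CVE paragraphs in the changelog look swapped: the Active Storage paragraph belongs under CVE-2025-24293 and the Active Record paragraph together with the `(Closes: #1111106)` tag under CVE-2025-55193, which matters because the security tracker and the BTS key on exactly those lines. On the test side, the hunks at `@@ -246` and `@@ -255` only replace `saver:` with `resize:` and keep asserting UnsupportedImageProcessingArgument for the `-write` payload; nothing asserts that `saver`, `loader` or `apply` are themselves rejected after this change, so a test passing `saver: {}` and expecting the transformer's unsupported-method error (presumably UnsupportedImageProcessingMethod, defined next to the Argument class) would pin the fix against a future re-addition. The patch adds a new file, so every line here is on the new side.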
@@ -0,0 +1,86 @@
+From: John Hawthorn
+Date: Mon, 10 Mar 2025 13:44:44 -0700
+Subject: [PATCH] Call inspect on ids in RecordNotFound error
+
+[CVE-2025-55193]
+
+Co-authored-by: Gannon McGibbon
+origin: backport, https://github.com/rails/rails/commit/3beef20013736fd52c5dcfdf061f7999ba318290
+bug: https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111106
+---
+ activerecord/lib/active_record/core.rb | 2 +-
+ activerecord/lib/active_record/relation/finder_methods.rb | 7 ++++---
+ .../test/cases/associations/has_many_through_associations_test.rb | 2 +-
+ activerecord/test/cases/finder_test.rb | 4 ++--
+ 4 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/activerecord/lib/active_record/core.rb b/activerecord/lib/active_record/core.rb
+index d3bfd49..15c6d60 100644
+--- a/activerecord/lib/active_record/core.rb
++++ b/activerecord/lib/active_record/core.rb
+@@ -350,7 +350,7 @@ def find(*ids) # :nodoc:
+ }
+
+ statement.execute([id], connection).first ||
+- raise(RecordNotFound.new("Couldn't find #{name} with '#{key}'=#{id}", name, key, id))
++ raise(RecordNotFound.new("Couldn't find #{name} with '#{key}'=#{id.inspect}", name, key, id))
+ end
+
+ def find_by(*args) # :nodoc:
+diff --git a/activerecord/lib/active_record/relation/finder_methods.rb b/activerecord/lib/active_record/relation/finder_methods.rb
+index b3b8f89..c6b18c7 100644
+--- a/activerecord/lib/active_record/relation/finder_methods.rb
++++ b/activerecord/lib/active_record/relation/finder_methods.rb
+@@ -353,12 +353,13 @@ def raise_record_not_found_exception!(ids = nil, result_size = nil, expected_siz
+ error << " with#{conditions}" if conditions
+ raise RecordNotFound.new(error, name, key)
+ elsif Array.wrap(ids).size == 1
+- error = "Couldn't find #{name} with '#{key}'=#{ids}#{conditions}"
++ id = Array.wrap(ids)[0]
++ error = "Couldn't find #{name} with '#{key}'=#{id.inspect}#{conditions}"
+ raise RecordNotFound.new(error, name, key, ids)
+ else
+ error = +"Couldn't find all #{name.pluralize} with '#{key}': "
+- error << "(#{ids.join(", ")})#{conditions} (found #{result_size} results, but was looking for #{expected_size})."
+- error << " Couldn't find #{name.pluralize(not_found_ids.size)} with #{key.to_s.pluralize(not_found_ids.size)} #{not_found_ids.join(', ')}." if not_found_ids
++ error << "(#{ids.map(&:inspect).join(", ")})#{conditions} (found #{result_size} results, but was looking for #{expected_size})."
++ error << " Couldn't find #{name.pluralize(not_found_ids.size)} with #{key.to_s.pluralize(not_found_ids.size)} #{not_found_ids.map(&:inspect).join(', ')}." if not_found_ids
+ raise RecordNotFound.new(error, name, key, ids)
+ end
+ end
+diff --git a/activerecord/test/cases/associations/has_many_through_associations_test.rb b/activerecord/test/cases/associations/has_many_through_associations_test.rb
+index 7768e7a..6e81c0e 100644
+--- a/activerecord/test/cases/associations/has_many_through_associations_test.rb
++++ b/activerecord/test/cases/associations/has_many_through_associations_test.rb
+@@ -1019,7 +1019,7 @@ def test_collection_singular_ids_through_setter_raises_exception_when_invalid_id
+ author = authors(:david)
+ ids = [categories(:general).name, "Unknown"]
+ e = assert_raises(ActiveRecord::RecordNotFound) { author.essay_category_ids = ids }
+- msg = "Couldn't find all Categories with 'name': (General, Unknown) (found 1 results, but was looking for 2). Couldn't find Category with name Unknown."
++ msg = %{Couldn't find all Categories with 'name': ("General", "Unknown") (found 1 results, but was looking for 2). Couldn't find Category with name "Unknown".}
+ assert_equal msg, e.message
+ end
+
+diff --git a/activerecord/test/cases/finder_test.rb b/activerecord/test/cases/finder_test.rb
+index 591878c..53bbee3 100644
+--- a/activerecord/test/cases/finder_test.rb
++++ b/activerecord/test/cases/finder_test.rb
+@@ -1537,7 +1537,7 @@ def test_find_one_message_with_custom_primary_key
+ e = assert_raises(ActiveRecord::RecordNotFound) do
+ model.find "Hello World!"
+ end
+- assert_equal "Couldn't find MercedesCar with 'name'=Hello World!", e.message
++ assert_equal %{Couldn't find MercedesCar with 'name'="Hello World!"}, e.message
+ end
+ end
+
+@@ -1547,7 +1547,7 @@ def test_find_some_message_with_custom_primary_key
+ e = assert_raises(ActiveRecord::RecordNotFound) do
+ model.find "Hello", "World!"
+ end
+- assert_equal "Couldn't find all MercedesCars with 'name': (Hello, World!) (found 0 results, but was looking for 2).", e.message
++ assert_equal %{Couldn't find all MercedesCars with 'name': ("Hello", "World!") (found 0 results, but was looking for 2).}, e.message
+ end
+ end
+
diff -Nru rails-6.1.7.10+dfsg/debian/patches/series rails-6.1.7.10+dfsg/debian/patches/series
--- rails-6.1.7.10+dfsg/debian/patches/series 2025-03-14 14:32:55.000000000 +0000
+++ rails-6.1.7.10+dfsg/debian/patches/series 2025-12-01 21:00:18.000000000 +0000
@@ -18,3 +18,5 @@
 rollup-3.patch
 rails-ruby3.1.patch
 CVE-2024-54133.patch
+CVE-2025-24293.patch
+CVE-2025-55193.patch
diff -Nru rails-6.1.7.10+dfsg/debian/salsa-ci.yml rails-6.1.7.10+dfsg/debian/salsa-ci.yml
--- rails-6.1.7.10+dfsg/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000
+++ rails-6.1.7.10+dfsg/debian/salsa-ci.yml 2025-12-01 21:00:18.000000000 +0000
@@ -0,0 +1,5 @@
+---
+include:
+ - https://salsa.debian.org/ruby-team/meta/raw/master/salsa-ci.yml
+variables:
+ RELEASE: bookworm
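Review bot: In the finder_methods.rb hunk the `#{conditions}` suffix on the new `error = "Couldn't find #{name} with '#{key}'=#{id.inspect}#{conditions}"` line and on the new `error << "(#{ids.map(&:inspect).join(", ")})#{conditions} ..."` line is still interpolated raw while only the id values gain `inspect`, and the context line `error << " with#{conditions}" if conditions` above them has the same shape. How `conditions` is built is outside this hunk (`raise_record_not_found_exception!` starts above it and its first branch is not shown); if it embeds the relation's where-SQL, values bound into that SQL would reach the message through the same path the advisory describes, so the backport should confirm it cannot carry unescaped bytes or treat it the same way. A smaller readability point: the single-id branch now derives `id = Array.wrap(ids)[0]` for the message but still passes the caller's `ids` to `RecordNotFound.new(error, name, key, ids)`, presumably so the exception keeps the argument as given; a one-line comment such as `# message shows the bare id; the exception keeps the caller's argument` would stop the next reader from taking it for an oversight.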