Version in base suite: 1.10.3-1

Base version: ruby-image-processing_1.10.3-1
Target version: ruby-image-processing_1.10.3-1+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/ruby-image-processing/ruby-image-processing_1.10.3-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/ruby-image-processing/ruby-image-processing_1.10.3-1+deb11u1.dsc

 changelog                                             |    8 ++
 patches/Prevent-remote-shell-execution-in-apply.patch |   71 ++++++++++++++++++
 patches/series                                        |    1 
 3 files changed, 80 insertions(+)

diff -Nru ruby-image-processing-1.10.3/debian/changelog ruby-image-processing-1.10.3/debian/changelog
--- ruby-image-processing-1.10.3/debian/changelog	2020-03-31 18:43:13.000000000 +0000
+++ ruby-image-processing-1.10.3/debian/changelog	2022-12-30 22:16:44.000000000 +0000
@@ -1,3 +1,11 @@
+ruby-image-processing (1.10.3-1+deb11u1) bullseye-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Prevent remote shell execution in `#apply` (CVE-2022-24720)
+    (Closes: #1007225)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 30 Dec 2022 23:16:44 +0100
+
 ruby-image-processing (1.10.3-1) unstable; urgency=medium
 
   * Team upload
diff -Nru ruby-image-processing-1.10.3/debian/patches/Prevent-remote-shell-execution-in-apply.patch ruby-image-processing-1.10.3/debian/patches/Prevent-remote-shell-execution-in-apply.patch
--- ruby-image-processing-1.10.3/debian/patches/Prevent-remote-shell-execution-in-apply.patch	1970-01-01 00:00:00.000000000 +0000
+++ ruby-image-processing-1.10.3/debian/patches/Prevent-remote-shell-execution-in-apply.patch	2022-12-30 22:16:26.000000000 +0000
@@ -0,0 +1,71 @@
+From: =?UTF-8?q?Janko=20Marohni=C4=87?= <janko.marohnic@gmail.com>
+Date: Tue, 1 Mar 2022 22:09:02 +0100
+Subject: Prevent remote shell execution in `#apply`
+Origin: https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada
+Bug-Debian: https://bugs.debian.org/1007225
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-24720
+
+If the operations are coming from user input, this could allow the user
+to execute arbitrary shell commands via `Kernel#system` and
+`Kernel#spawn`:
+
+  ImageProcessing::Vips.apply({ system: "echo something" })
+
+We prevent this by using `#public_send` instead of `#send`, which goes
+to method missing instead of calling private methods, which include
+`Kernel#system` and `Kernel#spawn`.
+---
+ CHANGELOG.md                      |  4 ++++
+ lib/image_processing/chainable.rb |  8 ++++----
+ test/pipeline_test.rb             | 15 +++++++++++++++
+ 3 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/lib/image_processing/chainable.rb b/lib/image_processing/chainable.rb
+index 53040dc44324..06311de23c53 100644
+--- a/lib/image_processing/chainable.rb
++++ b/lib/image_processing/chainable.rb
+@@ -34,13 +34,13 @@ module ImageProcessing
+     def apply(operations)
+       operations.inject(self) do |builder, (name, argument)|
+         if argument == true || argument == nil
+-          builder.send(name)
++          builder.public_send(name)
+         elsif argument.is_a?(Array)
+-          builder.send(name, *argument)
++          builder.public_send(name, *argument)
+         elsif argument.is_a?(Hash)
+-          builder.send(name, **argument)
++          builder.public_send(name, **argument)
+         else
+-          builder.send(name, argument)
++          builder.public_send(name, argument)
+         end
+       end
+     end
+diff --git a/test/pipeline_test.rb b/test/pipeline_test.rb
+index 9c21a4526aea..d3d7162d7f57 100644
+--- a/test/pipeline_test.rb
++++ b/test/pipeline_test.rb
+@@ -258,4 +258,19 @@ describe "ImageProcessing::Pipeline" do
+       ImageProcessing::Vips.valid?(@portrait)
+     end
+   end
++
++  it "doesn't allow making system calls" do
++    ImageProcessing::Vips.source(@portrait).apply(system: "touch foo.txt")
++    refute File.exist?("foo.txt")
++
++    assert_raises Vips::Error do
++      ImageProcessing::Vips.source(@portrait).spawn("touch foo.txt").call
++    end
++    refute File.exist?("foo.txt")
++
++    assert_raises MiniMagick::Error do
++      ImageProcessing::MiniMagick.source(@portrait).spawn("touch foo.txt").call
++    end
++    refute File.exist?("foo.txt")
++  end
+ end
+-- 
+2.39.0
+
diff -Nru ruby-image-processing-1.10.3/debian/patches/series ruby-image-processing-1.10.3/debian/patches/series
--- ruby-image-processing-1.10.3/debian/patches/series	2020-03-29 13:50:58.000000000 +0000
+++ ruby-image-processing-1.10.3/debian/patches/series	2022-12-30 22:15:45.000000000 +0000
@@ -1,2 +1,3 @@
 remove-bundler.patch
 exclude-phashion.patch
+Prevent-remote-shell-execution-in-apply.patch