Version in base suite: 5.2.2.1+dfsg-1 Base version: rails_5.2.2.1+dfsg-1 Target version: rails_5.2.2.1+dfsg-1+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rails/rails_5.2.2.1+dfsg-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rails/rails_5.2.2.1+dfsg-1+deb10u1.dsc changelog | 8 +++++++ patches/CVE-2020-5267.patch | 48 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 57 insertions(+) gpgv: Signature made Tue Mar 19 06:59:58 2019 UTC gpgv: using RSA key B1C94F67189FFAC02648FBF3D4DEB22FC0B96E15 gpgv: Can't check signature: No public key dpkg-source: warning: failed to verify signature on /srv/release.debian.org/tmp/tmp3twslmhm/rails_5.2.2.1+dfsg-1.dsc
diff -Nru rails-5.2.2.1+dfsg/debian/changelog rails-5.2.2.1+dfsg/debian/changelog
--- rails-5.2.2.1+dfsg/debian/changelog 2019-03-17 12:14:07.000000000 +0000
+++ rails-5.2.2.1+dfsg/debian/changelog 2020-03-22 13:17:31.000000000 +0000
@@ -1,3 +1,11 @@
+rails (2:5.2.2.1+dfsg-1+deb10u1) buster; urgency=high
+
+ * Team upload.
+ * Add patch to fix possible XSS vector in JS escape helper.
+ (Fixes: CVE-2020-5267) (Closes: #954304)
+
+ -- Utkarsh Gupta Sun, 22 Mar 2020 18:47:31 +0530
+
 rails (2:5.2.2.1+dfsg-1) unstable; urgency=medium
 * Team upload
diff -Nru rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
--- rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch 1970-01-01 00:00:00.000000000 +0000
+++ rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch 2020-03-22 13:17:04.000000000 +0000
@@ -0,0 +1,48 @@
+Description: Fix possible XSS vector in JS escape helper
+ This commit escapes dollar signs and backticks to prevent
+ JS XSS issues when using the `j` or `javascript_escape` helper
+Author: Aaron Patterson
+Author: Utkarsh Gupta
+Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1
+Bug-Debian: https://bugs.debian.org/954304
+Last-Update: 2020-03-19
+
+--- a/actionview/lib/action_view/helpers/javascript_helper.rb
++++ b/actionview/lib/action_view/helpers/javascript_helper.rb
+@@ -12,7 +12,9 @@
+ "\n" => '\n',
+ "\r" => '\n',
+ '"' => '\\"',
+- "'" => "\\'"
++ "'" => "\\'",
++ "`" => "\\`",
++ "$" => "\\$"
+ }
+
+ JS_ESCAPE_MAP["\342\200\250".dup.force_encoding(Encoding::UTF_8).encode!] = "
"
+@@ -26,7 +28,7 @@
+ # $('some_element').replaceWith('<%= j render 'some/element_template' %>');
+ def escape_javascript(javascript)
+ if javascript
+- result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] }
++ result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
+ javascript.html_safe? ? result.html_safe : result
+ else
+ ""
+--- a/actionview/test/template/javascript_helper_test.rb
++++ b/actionview/test/template/javascript_helper_test.rb
+@@ -32,6 +32,14 @@
+ assert_equal %(dont <\\/close> tags), j(%(dont tags))
+ end
+
++ def test_escape_backtick
++ assert_equal "\\`", escape_javascript("`")
++ end
++
++ def test_escape_dollar_sign
++ assert_equal "\\$", escape_javascript("$")
++ end
++
+ def test_escape_javascript_with_safebuffer
+ given = %('quoted' "double-quoted" new-line:\n )
+ expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
diff -Nru rails-5.2.2.1+dfsg/debian/patches/series rails-5.2.2.1+dfsg/debian/patches/series
--- rails-5.2.2.1+dfsg/debian/patches/series 2019-03-17 12:14:07.000000000 +0000
+++ rails-5.2.2.1+dfsg/debian/patches/series 2020-03-22 13:16:39.000000000 +0000
@@ -1,2 +1,3 @@
 0001-Be-careful-with-that-bundler.patch
 0002-disable-uglify-in-activestorage-rollup-config-js.patch
+CVE-2020-5267.patch