[rubygem-activerecord/f15] Fix for CVE-2012-2661.

Vít Ondruch vondruch at fedoraproject.org
Tue Jun 5 08:12:13 UTC 2012


commit 70dafa52403ac9ac609d21a93f4f699ebe749d1b
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Tue Jun 5 10:12:07 2012 +0200

    Fix for CVE-2012-2661.

 ...uilder-should-not-recurse-for-determining.patch |   66 +++++++++++
 activerecord-3.0.13-fix-failing-tests.patch        |  124 ++++++++++++++++++++
 rubygem-activerecord.spec                          |   14 ++-
 3 files changed, 203 insertions(+), 1 deletions(-)
---
diff --git a/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch b/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
new file mode 100644
index 0000000..c1076e0
--- /dev/null
+++ b/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
@@ -0,0 +1,66 @@
+From 99f030934eb8341db333cb6783d0f42bfa57358f Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Wed, 30 May 2012 15:06:12 -0700
+Subject: [PATCH] predicate builder should not recurse for determining where
+ columns. Thanks to Ben Murphy for reporting this
+
+CVE-2012-2661
+---
+ .../lib/active_record/relation/predicate_builder.rb |    6 +++---
+ activerecord/test/cases/relation/where_test.rb      |   19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+ create mode 100644 activerecord/test/cases/relation/where_test.rb
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 505c3f4..84e88cf 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -5,17 +5,17 @@ module ActiveRecord
+       @engine = engine
+     end
+ 
+-    def build_from_hash(attributes, default_table)
++    def build_from_hash(attributes, default_table, check_column = true)
+       predicates = attributes.map do |column, value|
+         table = default_table
+ 
+         if value.is_a?(Hash)
+           table = Arel::Table.new(column, :engine => @engine)
+-          build_from_hash(value, table)
++          build_from_hash(value, table, false)
+         else
+           column = column.to_s
+ 
+-          if column.include?('.')
++          if check_column && column.include?('.')
+             table_name, column = column.split('.', 2)
+             table = Arel::Table.new(table_name, :engine => @engine)
+           end
+diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
+new file mode 100644
+index 0000000..90c690e
+--- /dev/null
++++ b/activerecord/test/cases/relation/where_test.rb
+@@ -0,0 +1,19 @@
++require "cases/helper"
++require 'models/post'
++
++module ActiveRecord
++  class WhereTest < ActiveRecord::TestCase
++    fixtures :posts
++
++    def test_where_error
++      assert_raises(ActiveRecord::StatementInvalid) do
++        Post.where(:id => { 'posts.author_id' => 10 }).first
++      end
++    end
++
++    def test_where_with_table_name
++      post = Post.first
++      assert_equal post, Post.where(:posts => { 'id' => post.id }).first
++    end
++  end
++end
+-- 
+1.7.10.2
+
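Review bot: The new `check_column` flag in `build_from_hash` carries no explanation of why the recursive call passes `false`, and the reasoning is subtle enough to deserve a comment at the `+    def build_from_hash(attributes, default_table, check_column = true)` line: a key inside a nested hash is already scoped to the table named by its parent key, so it must be used verbatim as a column name rather than re-split on `.` into a table/column pair, which is how the removed lines let a dotted nested key re-target a different table. The `test_where_error` case below pins the new behaviour (a dotted key in a nested hash now fails with `StatementInvalid`), so a comment such as `# Keys of a nested hash are plain column names of +default_table+; only top-level keys may use the "table.column" form.` would tie the test to the code. The patch file is named for 3.0.13 while the spec builds 3.0.5, so it is worth confirming from the build log that `%patch7 -p2` applied without fuzz to the older predicate_builder.rb. The embedded hunk ends inside build_from_hash; the rest of the method is outside this patch.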
diff --git a/activerecord-3.0.13-fix-failing-tests.patch b/activerecord-3.0.13-fix-failing-tests.patch
new file mode 100644
index 0000000..28ecd11
--- /dev/null
+++ b/activerecord-3.0.13-fix-failing-tests.patch
@@ -0,0 +1,124 @@
+From f748d36b4014418c48553836a56b4bec74e15e49 Mon Sep 17 00:00:00 2001
+From: Carlos Antonio da Silva <carlosantoniodasilva at gmail.com>
+Date: Thu, 22 Mar 2012 23:47:22 -0300
+Subject: [PATCH] Fix more failing tests related to ruby 1.8.7 p358 version
+ change
+
+---
+ activerecord/test/cases/nested_attributes_test.rb |   12 ++++++++----
+ activerecord/test/cases/relations_test.rb         |   18 +++++++++---------
+ 2 files changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/activerecord/test/cases/nested_attributes_test.rb b/activerecord/test/cases/nested_attributes_test.rb
+index 9237dff..ef5a2a5 100644
+--- a/activerecord/test/cases/nested_attributes_test.rb
++++ b/activerecord/test/cases/nested_attributes_test.rb
+@@ -114,7 +114,7 @@ class TestNestedAttributesInGeneral < ActiveRecord::TestCase
+     pirate.ship_attributes = { :name => 'Hello Pearl' }
+     assert_difference('Ship.count') { pirate.save! }
+   end
+-  
++
+   def test_has_many_association_updating_a_single_record
+     Man.accepts_nested_attributes_for(:interests)
+     man = Man.create(:name => 'John')
+@@ -306,7 +306,7 @@ class TestNestedAttributesOnAHasOneAssociation < ActiveRecord::TestCase
+ 
+   def test_should_create_new_model_when_nothing_is_there_and_update_only_is_true
+     @ship.delete
+-    
++
+     @pirate.reload.update_attributes(:update_only_ship_attributes => { :name => 'Mayflower' })
+ 
+     assert_not_nil @pirate.ship
+@@ -459,7 +459,7 @@ class TestNestedAttributesOnABelongsToAssociation < ActiveRecord::TestCase
+ 
+   def test_should_not_destroy_the_associated_model_until_the_parent_is_saved
+     pirate = @ship.pirate
+-    
++
+     @ship.attributes = { :pirate_attributes => { :id => pirate.id, '_destroy' => true } }
+     assert_nothing_raised(ActiveRecord::RecordNotFound) { Pirate.find(pirate.id) }
+     @ship.save
+@@ -607,9 +607,13 @@ module NestedAttributesOnACollectionAssociationTests
+   end
+ 
+   def test_should_automatically_build_new_associated_models_for_each_entry_in_a_hash_where_the_id_is_missing
++    attributes = ActiveSupport::OrderedHash.new
++    attributes['foo'] = { :name => 'Grace OMalley' }
++    attributes['bar'] = { :name => 'Privateers Greed' }
++
+     @pirate.send(@association_name).destroy_all
+     @pirate.reload.attributes = {
+-      association_getter => { 'foo' => { :name => 'Grace OMalley' }, 'bar' => { :name => 'Privateers Greed' }}
++      association_getter => attributes
+     }
+ 
+     assert @pirate.send(@association_name).first.new_record?
+diff --git a/activerecord/test/cases/relations_test.rb b/activerecord/test/cases/relations_test.rb
+index cf49864..ea2de12 100644
+--- a/activerecord/test/cases/relations_test.rb
++++ b/activerecord/test/cases/relations_test.rb
+@@ -270,27 +270,27 @@ class RelationTest < ActiveRecord::TestCase
+ 
+   def test_find_with_preloaded_associations
+     assert_queries(2) do
+-      posts = Post.preload(:comments)
++      posts = Post.preload(:comments).order('posts.id')
+       assert posts.first.comments.first
+     end
+ 
+     assert_queries(2) do
+-      posts = Post.preload(:comments).to_a
++      posts = Post.preload(:comments).order('posts.id').to_a
+       assert posts.first.comments.first
+     end
+ 
+     assert_queries(2) do
+-      posts = Post.preload(:author)
++      posts = Post.preload(:author).order('posts.id')
+       assert posts.first.author
+     end
+ 
+     assert_queries(2) do
+-      posts = Post.preload(:author).to_a
++      posts = Post.preload(:author).order('posts.id').to_a
+       assert posts.first.author
+     end
+ 
+     assert_queries(3) do
+-      posts = Post.preload(:author, :comments).to_a
++      posts = Post.preload(:author, :comments).order('posts.id').to_a
+       assert posts.first.author
+       assert posts.first.comments.first
+     end
+@@ -298,22 +298,22 @@ class RelationTest < ActiveRecord::TestCase
+ 
+   def test_find_with_included_associations
+     assert_queries(2) do
+-      posts = Post.includes(:comments)
++      posts = Post.includes(:comments).order('posts.id')
+       assert posts.first.comments.first
+     end
+ 
+     assert_queries(2) do
+-      posts = Post.scoped.includes(:comments)
++      posts = Post.scoped.includes(:comments).order('posts.id')
+       assert posts.first.comments.first
+     end
+ 
+     assert_queries(2) do
+-      posts = Post.includes(:author)
++      posts = Post.includes(:author).order('posts.id')
+       assert posts.first.author
+     end
+ 
+     assert_queries(3) do
+-      posts = Post.includes(:author, :comments).to_a
++      posts = Post.includes(:author, :comments).order('posts.id').to_a
+       assert posts.first.author
+       assert posts.first.comments.first
+     end
+-- 
+1.7.10.2
+
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 3c9b283..7fe0e09 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -9,7 +9,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 3.0.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -43,6 +43,13 @@ Patch4: activerecord-disabled-failing-timestamp-test.patch
 # FIX for https://bugzilla.redhat.com/show_bug.cgi?id=731438
 Patch5: activerecord-bz-731438-fix.patch
 
+# https://gist.github.com/rails/rails/issues/4292
+Patch6: activerecord-3.0.13-fix-failing-tests.patch
+
+# Fixes CVE-2012-2661
+# https://bugzilla.redhat.com/show_bug.cgi?id=827363
+Patch7: activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
+
 Requires: ruby(abi) = %{rubyabi}
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
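Review bot: The comment URL on the `Patch6:` line, `# https://gist.github.com/rails/rails/issues/4292`, looks malformed — a `rails/rails/issues/<n>` path belongs under github.com rather than gist.github.com, so it presumably should read `# https://github.com/rails/rails/issues/4292`; worth confirming the link resolves before it lands in the spec. Separately, the `Patch7:` comment could name the upstream commit the patch file embeds (`99f030934eb8341db333cb6783d0f42bfa57358f`) next to the Bugzilla id, so that later rebases and audits of the backport can be traced without opening the patch.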
@@ -90,6 +97,8 @@ pushd ./%{geminstdir}
 %patch3 -p0
 %patch4 -p2
 %patch5 -p2
+%patch6 -p2
+%patch7 -p2
 popd
 
 # Remove backup files
@@ -149,6 +158,9 @@ rake test_sqlite3 --trace
 %{gemdir}/specifications/%{gemname}-%{version}.gemspec
 
 %changelog
+* Tue Jun 05 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.5-3
+- Fix for CVE-2012-2661.
+
 * Tue Aug 23 2011 Mo Morsi <mmorsi at redhat.com> - 1:3.0.5-2
 - Fix for BZ #731438
 

