[rubygem-activemodel/f17] Fixing issues introduced by CVE-2013-0155 and CVE-2013-0156.

Vít Ondruch vondruch at fedoraproject.org
Thu Jan 10 12:59:17 UTC 2013


commit 25a99d0a1372fe12ead1704cd34ff8af86ecbf1a
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Thu Jan 10 13:59:07 2013 +0100

    Fixing issues introduced by CVE-2013-0155 and CVE-2013-0156.

 ...t-return-nil-should-not-be-considered-YAM.patch |   35 ++++++++++++++++++++
 rubygem-activemodel.spec                           |   23 +++++++++++--
 2 files changed, 55 insertions(+), 3 deletions(-)
---
diff --git a/rubygem-activemodel-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch b/rubygem-activemodel-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch
new file mode 100644
index 0000000..a157b34
--- /dev/null
+++ b/rubygem-activemodel-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch
@@ -0,0 +1,35 @@
+From 477f0e798106521865ec7f58026973163a580896 Mon Sep 17 00:00:00 2001
+From: Zach Moazeni <zach.moazeni at gmail.com>
+Date: Wed, 9 Jan 2013 15:02:34 -0500
+Subject: [PATCH] Methods that return nil should not be considered YAML
+
+This is a direct port of @jaw6's pull request
+https://github.com/rails/rails/pull/492. His cleanly applied to Rails
+v3.1 and v3.2, and this cleanly applies to v3.0.
+
+With yesterday's security patches
+http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
+there is now an issue with Rails v3.0 serving XML to any of the latest
+versions of ActiveResource.
+
+Without this, Rails v3.0 can serve XML to ActiveResource consumers that
+will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`
+---
+ activemodel/lib/active_model/serializers/xml.rb                  | 1 +
+ 1 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/activemodel/lib/active_model/serializers/xml.rb b/activemodel/lib/active_model/serializers/xml.rb
+index 6087eed..2697551 100644
+--- a/activemodel/lib/active_model/serializers/xml.rb
++++ b/activemodel/lib/active_model/serializers/xml.rb
+@@ -33,6 +33,7 @@ module ActiveModel
+         protected
+ 
+           def compute_type
++            return if value.nil?
+             type = ActiveSupport::XmlMini::TYPE_NAMES[value.class.name]
+             type ||= :string if value.respond_to?(:to_str)
+             type ||= :yaml
+-- 
+1.8.0.1
+
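Review bot: the diffstat inside the embedded patch does not match its body: it claims `1 files changed, 14 insertions(+), 4 deletions(-)` while the only hunk adds a single line (`return if value.nil?`) to `compute_type`. Either the port dropped part of the upstream commit (tests, most likely) or the stat is stale; regenerate the file with `git format-patch` so it is self-consistent and reviewers can tell what was intentionally left out. It is also worth confirming that the caller of `compute_type` tolerates a nil return, since before this change the method always produced a symbol (`:yaml` as the last fallback), and the intent is to emit no `type` attribute for nil values rather than an empty one.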
diff --git a/rubygem-activemodel.spec b/rubygem-activemodel.spec
index 7d8dff2..888ca63 100644
--- a/rubygem-activemodel.spec
+++ b/rubygem-activemodel.spec
@@ -6,7 +6,7 @@
 Summary: A toolkit for building modeling frameworks
 Name: rubygem-%{gem_name}
 Version: 3.0.11
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -14,6 +14,12 @@ Source0: http://rubygems.org/gems/%{gem_name}-%{version}.gem
 # git clone https://github.com/rails/rails.git && cd rails/activemodel && git checkout v3.0.11
 # tar czvf activemodel-3.0.11-tests.tgz test/
 Source1: %{gem_name}-%{version}-tests.tgz
+
+# Fixes 'Disallowed type attribute: "yaml"' issue introduced by CVE-2013-0155
+# and CVE-2013-0156 security fixes.
+# https://github.com/rails/rails/commit/477f0e798106521865ec7f58026973163a580896
+Patch0: rubygem-activemodel-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch
+
 Requires: ruby(abi) = 1.9.1
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
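Review bot: the patch file name carries `3.0.20` while this spec builds `Version: 3.0.11`, so the name misstates what it applies to; rename it to match the package version or say in the comment that it is a backport of the upstream 3.0-branch commit. The comment also attributes the breakage to the CVE-2013-0155/CVE-2013-0156 fixes, and the `Hash::DisallowedType` error quoted in the patch description is raised by ActiveSupport's XmlMini, yet `Requires: rubygem(activesupport) = %{version}` still pins 3.0.11; state which activesupport build carries those fixes (or tighten the dependency) so the dependency matches the behaviour this patch works around.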
@@ -44,13 +50,21 @@ Requires:%{name} = %{version}-%{release}
 Documentation for %{name}
 
 %prep
+%setup -q -c -T
+mkdir -p .%{gem_dir}
+gem install --local --install-dir .%{gem_dir} \
+            --force %{SOURCE0}
+
+pushd .%{gem_instdir}
+%patch0 -p2
+popd
 
 %build
 
 %install
 mkdir -p %{buildroot}%{gem_dir}
-gem install --local --install-dir %{buildroot}%{gem_dir} \
-            --force --rdoc %{SOURCE0}
+cp -pa .%{gem_dir}/* \
+        %{buildroot}%{gem_dir}/
 
 %check
 rm -rf %{testdir}
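Review bot: the `gem install` moved into `%prep` drops the `--rdoc` flag that the old `%install` invocation passed, so generated rdoc/ri output is no longer produced and anything the `-doc` subpackage lists from it will be missing; either add `--rdoc` back to the `%prep` install or confirm the doc file list no longer depends on it. The `%patch0 -p2` depth is right for the embedded diff's `a/activemodel/lib/...` paths once `pushd .%{gem_instdir}` is in effect, but since `%setup -q -c -T` creates an empty build directory, `%{gem_instdir}` must resolve to a path under `.%{gem_dir}` that the preceding `gem install` populates, otherwise the `pushd` fails before the patch is applied.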
@@ -82,6 +96,9 @@ rm -rf %{testdir}
 
 
 %changelog
+* Thu Jan 10 2013 Vít Ondruch <vondruch at redhat.com> - 3.0.11-2
+- Fixing issues introduced by CVE-2013-0155 and CVE-2013-0156.
+
 * Tue Jan 24 2012 Bohuslav Kabrda <bkabrda at redhat.com> - 3.0.11-1
 - Rebuilt for Ruby 1.9.3.
 - Update to ActiveModel 3.0.11.

