[rubygem-activerecord/f17] Fix for CVE-2013-0155.
Vít Ondruch
vondruch at fedoraproject.org
Thu Jan 10 13:00:54 UTC 2013
commit e9624653db531bdc87ffadb524d1f5fade9cf379
Author: Vít Ondruch <vondruch at redhat.com>
Date: Thu Jan 10 14:00:45 2013 +0100
Fix for CVE-2013-0155.
...ord-3.0.19-CVE-2013-0155-null_array_param.patch | 35 +++++++++++++++++
...t-return-nil-should-not-be-considered-YAM.patch | 40 ++++++++++++++++++++
rubygem-activerecord.spec | 16 +++++++-
3 files changed, 90 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activerecord-3.0.19-CVE-2013-0155-null_array_param.patch b/rubygem-activerecord-3.0.19-CVE-2013-0155-null_array_param.patch
new file mode 100644
index 0000000..d11d6f8
--- /dev/null
+++ b/rubygem-activerecord-3.0.19-CVE-2013-0155-null_array_param.patch
@@ -0,0 +1,35 @@
+From f943e386039e0f28e777e2cf7ec39a7dbe24c040 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+Conflicts:
+ activerecord/lib/active_record/relation/predicate_builder.rb
+---
+ .../lib/active_record/relation/predicate_builder.rb | 7 ++++++-
+ 1 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index e74ba73..71eabcb 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -11,7 +11,12 @@ module ActiveRecord
+
+ if allow_table_name && value.is_a?(Hash)
+ table = Arel::Table.new(column, :engine => @engine)
+- build_from_hash(value, table, false)
++
++ if value.empty?
++ '1 = 2'
++ else
++ build_from_hash(value, table, false)
++ end
+ else
+ column = column.to_s
+
+--
+1.7.10.2 (Apple Git-33)
+
+
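Review bot: The new branch returns the literal SQL string '1 = 2' whenever the nested hash is empty, so a request that supplies an empty hash for a column now produces an always-false predicate instead of reaching build_from_hash with nothing to build and silently dropping the condition; that is the query-restriction bypass CVE-2013-0155 describes, and the change is correct as far as it goes. The Subject line is tagged [PATCH 1/2] and also names stripping nils from collections on JSON and XML posts, but this file carries only the predicate_builder.rb change (the embedded stat shows one file, 6 insertions, 1 deletion), so the spec's "# CVE-2013-0155" comment should state that this is the ActiveRecord part of the upstream fix and whether the parameter-side part is carried elsewhere or is out of scope for this package. The "Conflicts:" marker shows the backport was hand-resolved; recording the upstream commit URL next to the bugzilla link, as Patch7 does, would make that resolution easier to verify later.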
diff --git a/rubygem-activerecord-test-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch b/rubygem-activerecord-test-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch
new file mode 100644
index 0000000..3b93633
--- /dev/null
+++ b/rubygem-activerecord-test-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch
@@ -0,0 +1,40 @@
+From 477f0e798106521865ec7f58026973163a580896 Mon Sep 17 00:00:00 2001
+From: Zach Moazeni <zach.moazeni at gmail.com>
+Date: Wed, 9 Jan 2013 15:02:34 -0500
+Subject: [PATCH] Methods that return nil should not be considered YAML
+
+This is a direct port of @jaw6's pull request
+https://github.com/rails/rails/pull/492. His cleanly applied to Rails
+v3.1 and v3.2, and this cleanly applies to v3.0.
+
+With yesterday's security patches
+http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
+there is now an issue with Rails v3.0 serving XML to any of the latest
+versions of ActiveResource.
+
+Without this, Rails v3.0 can serve XML to ActiveResource consumers that
+will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`
+---
+ activerecord/test/cases/xml_serialization_test.rb | 5 +----
+ 1 files changed, 1 insertions(+), 4 deletions(-)
+
+diff --git a/activerecord/test/cases/xml_serialization_test.rb b/activerecord/test/cases/xml_serialization_test.rb
+index 2003e25..cfbe071 100644
+--- a/activerecord/test/cases/xml_serialization_test.rb
++++ b/activerecord/test/cases/xml_serialization_test.rb
+@@ -143,10 +143,7 @@ class NilXmlSerializationTest < ActiveRecord::TestCase
+ end
+
+ def test_should_serialize_yaml
+- assert %r{<preferences(.*)></preferences>}.match(@xml)
+- attributes = $1
+- assert_match %r{type="yaml"}, attributes
+- assert_match %r{nil="true"}, attributes
++ assert_match %r{<preferences nil=\"true\"></preferences>}, @xml
+ end
+ end
+
+--
+1.8.0.1
+
+
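Review bot: The embedded stat shows this patch touches only activerecord/test/cases/xml_serialization_test.rb (1 insertion, 4 deletions): test_should_serialize_yaml is rewritten to expect `<preferences nil="true"></preferences>` with no type="yaml" attribute, yet nothing in the file changes the serializer that emits that attribute. Either the behavioural change the commit message describes arrives through another patch or gem, in which case the spec comment for Patch7 should name it, or this file only keeps the suite green, in which case "Fix incompatibilities introduced by CVE-2013-0155 and CVE-2013-0156" overstates what it does. The file name carries 3.0.20 while the package is 3.0.11 and the sibling patch is labelled 3.0.19; worth confirming that is the intended provenance label.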
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 8ebcfc1..f63bec7 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -7,7 +7,7 @@ Summary: Implements the ActiveRecord pattern for ORM
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.0.11
-Release: 4%{?dist}
+Release: 5%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -46,6 +46,14 @@ Patch4: activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=889649
Patch5: rubygem-activerecord-3.0.18-CVE-2012-6496-dynamic_finder_injection.patch
+# CVE-2013-0155
+# https://bugzilla.redhat.com/show_bug.cgi?id=892866
+Patch6: rubygem-activerecord-3.0.19-CVE-2013-0155-null_array_param.patch
+
+# Fix incompatibilities introduced by CVE-2013-0155 and CVE-2013-0156.
+# https://github.com/rails/rails/commit/477f0e798106521865ec7f58026973163a580896
+Patch7: rubygem-activerecord-test-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch
+
Requires: ruby(abi) = %{rubyabi}
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = %{version}
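Review bot: Patch6 is documented with a bugzilla link only and Patch7 with an upstream commit URL only; give each both references where they exist, so the CVE, the downstream bug and the upstream commit can be cross-checked from the spec alone. The Patch7 comment also says it fixes incompatibilities introduced by CVE-2013-0155 and CVE-2013-0156, but that patch file changes the test suite only, so reword the comment to describe what the file actually changes.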
@@ -95,6 +103,7 @@ pushd ./%{gem_instdir}
%patch3 -p2
%patch4 -p2
%patch5 -p2
+%patch6 -p2
popd
pushd .%{gem_dir}
@@ -146,6 +155,8 @@ sed -i '700,708 s|^|#|' test/cases/autosave_association_test.rb
mv test/cases/session_store/session_test.rb \
test/cases/session_store/session_test.rb.norun
+cat %{PATCH7} | patch -p2
+
# Only test sqlite3 backend
rake test_sqlite3 --trace
popd
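Review bot: `cat %{PATCH7} | patch -p2` can be written as `patch -p2 < %{PATCH7}`; the cat adds nothing, and the redirect form makes it obvious that the build aborts on patch's own exit status. Since this is the only patch applied in %check rather than with a %patchN macro in %prep, add a one-line comment explaining why (the test tree it modifies is not available in %prep), otherwise the next reader will look for a missing %patch7 beside %patch6.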
@@ -165,6 +176,9 @@ popd
%{gem_spec}
%changelog
+* Thu Jan 10 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-5
+- Fix for CVE-2013-0155.
+
* Fri Jan 04 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-4
- Fix for CVE-2012-6496.
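Review bot: The changelog entry names only CVE-2013-0155, but this release also adds Patch7 for the CVE-2013-0156-related XML serialization test change; mention it here too so the package's CVE history is recoverable from the changelog alone.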