[rubygem-activemodel/f16] Fixing issues introduced by CVE-2013-0155 and CVE-2013-0156.

Vít Ondruch vondruch at fedoraproject.org
Thu Jan 10 15:44:15 UTC 2013


commit 4e003efc1aa809763157fa02a452a848e7add4e7
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Thu Jan 10 13:59:07 2013 +0100

    Fixing issues introduced by CVE-2013-0155 and CVE-2013-0156.

 ...t-return-nil-should-not-be-considered-YAM.patch |   35 ++++++++++++++++++++
 rubygem-activemodel.spec                           |   23 +++++++++++--
 2 files changed, 55 insertions(+), 3 deletions(-)
---
diff --git a/rubygem-activemodel-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch b/rubygem-activemodel-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch
new file mode 100644
index 0000000..a157b34
--- /dev/null
+++ b/rubygem-activemodel-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch
@@ -0,0 +1,35 @@
+From 477f0e798106521865ec7f58026973163a580896 Mon Sep 17 00:00:00 2001
+From: Zach Moazeni <zach.moazeni at gmail.com>
+Date: Wed, 9 Jan 2013 15:02:34 -0500
+Subject: [PATCH] Methods that return nil should not be considered YAML
+
+This is a direct port of @jaw6's pull request
+https://github.com/rails/rails/pull/492. His cleanly applied to Rails
+v3.1 and v3.2, and this cleanly applies to v3.0.
+
+With yesterday's security patches
+http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
+there is now an issue with Rails v3.0 serving XML to any of the latest
+versions of ActiveResource.
+
+Without this, Rails v3.0 can serve XML to ActiveResource consumers that
+will see `Hash::DisallowedType: Disallowed type attribute: "yaml"`
+---
+ activemodel/lib/active_model/serializers/xml.rb                  | 1 +
+ 1 files changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/activemodel/lib/active_model/serializers/xml.rb b/activemodel/lib/active_model/serializers/xml.rb
+index 6087eed..2697551 100644
+--- a/activemodel/lib/active_model/serializers/xml.rb
++++ b/activemodel/lib/active_model/serializers/xml.rb
+@@ -33,6 +33,7 @@ module ActiveModel
+         protected
+ 
+           def compute_type
++            return if value.nil?
+             type = ActiveSupport::XmlMini::TYPE_NAMES[value.class.name]
+             type ||= :string if value.respond_to?(:to_str)
+             type ||= :yaml
+-- 
+1.8.0.1
+
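Review bot: the diffstat inside the embedded patch ("1 files changed, 14 insertions(+), 4 deletions(-)") does not match the single added line in the hunk below it, and the patch file is named for 3.0.20 while this spec builds 3.0.10; neither breaks `patch`, which ignores the stat block, but regenerating the backport with `git format-patch` against the v3.0.10 tree (or naming the file after the upstream commit 477f0e7) would avoid the confusion. The change itself is sound: `compute_type` now returns nil for nil attribute values, so the XML serializer stops emitting `type="yaml"` for nil, which is exactly what the hardened XmlMini in the patched ActiveSupport/ActiveResource rejects with `Hash::DisallowedType`. Note that any caller of `compute_type` must tolerate a nil result; in this file the only consumer is the attribute-to-XML code that already skips the type attribute when none is computed, which is why the upstream commit carries no further changes.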
diff --git a/rubygem-activemodel.spec b/rubygem-activemodel.spec
index 1734d67..3fda2b0 100644
--- a/rubygem-activemodel.spec
+++ b/rubygem-activemodel.spec
@@ -8,13 +8,19 @@
 Summary: A toolkit for building modeling frameworks
 Name: rubygem-%{gemname}
 Version: 3.0.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
 Source0: http://rubygems.org/gems/%{gemname}-%{version}.gem
 # git clone https://github.com/rails/rails.git && cd rails/activemodel && git checkout v3.0.10
 # tar czvf activemodel-3.0.10-tests.tgz test/
+
+# Fixes 'Disallowed type attribute: "yaml"' issue introduced by CVE-2013-0155
+# and CVE-2013-0156 security fixes.
+# https://github.com/rails/rails/commit/477f0e798106521865ec7f58026973163a580896
+Patch0: rubygem-activemodel-3.0.20-Methods-that-return-nil-should-not-be-considered-YAM.patch
+
 Source1: %{gemname}-%{version}-tests.tgz
 Requires: ruby(abi) = 1.8
 Requires: rubygems
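Review bot: the Patch0 line is inserted between Source0 and Source1; the usual spec layout keeps all SourceN lines together and lists PatchN after them, so moving Patch0 below Source1 would keep the header tidy. The comment above it is good in that it points at the upstream commit, but "Fixes ... issue introduced by CVE-2013-0155 and CVE-2013-0156 security fixes" is easy to misread as this package fixing those CVEs; consider wording it as a compatibility follow-up for the patched ActiveSupport/ActiveResource so nobody tracking the CVEs concludes activemodel 3.0.10-2 closes them.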
@@ -45,13 +51,21 @@ Requires:%{name} = %{version}-%{release}
 Documentation for %{name}
 
 %prep
+%setup -q -c -T
+mkdir -p .%{gemdir}
+gem install --local --install-dir .%{gemdir} \
+            --force %{SOURCE0}
+
+pushd .%{geminstdir}
+%patch0 -p2
+popd
 
 %build
 
 %install
 mkdir -p %{buildroot}%{gemdir}
-gem install --local --install-dir %{buildroot}%{gemdir} \
-            --force --rdoc %{SOURCE0}
+cp -pa .%{gemdir}/* \
+        %{buildroot}%{gemdir}/
 
 %check
 rm -rf %{testdir}
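Review bot: `--rdoc` was dropped when the `gem install` moved from %install to %prep (old: `--force --rdoc %{SOURCE0}`, new: `--force %{SOURCE0}`), so `%{gemdir}/doc/%{gemname}-%{version}` is no longer generated and the `cp -pa .%{gemdir}/* %{buildroot}%{gemdir}/` copy will not produce it; if the -doc subpackage's %files lists that directory the build will fail on a missing file, and if it does not, the documentation silently disappears from the package. Either add `--rdoc` back to the %prep install or adjust %files for the -doc subpackage to match. The `%patch0 -p2` depth is correct: the embedded patch uses `a/activemodel/lib/active_model/serializers/xml.rb`, so stripping two components yields `lib/active_model/serializers/xml.rb` relative to `%{geminstdir}`, and applying it after installation means the patched file is what gets copied into the buildroot.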
@@ -83,6 +97,9 @@ rm -rf %{testdir}
 
 
 %changelog
+* Thu Jan 10 2013 Vít Ondruch <vondruch at redhat.com> - 3.0.10-2
+- Fixing issues introduced by CVE-2013-0155 and CVE-2013-0156.
+
 * Mon Aug 22 2011 Vít Ondruch <vondruch at redhat.com> - 3.0.10-1
 - Update to ActiveModel 3.0.10
 
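Review bot: the changelog entry repeats the commit subject verbatim and does not say what actually changed or why; a reader scanning `rpm -q --changelog` will have to open the patch to learn that nil attributes are no longer serialized as `type="yaml"`. Suggest something like "Backport upstream fix (rails commit 477f0e7) so nil attributes are not serialized with type=\"yaml\", restoring interoperability with ActiveResource/ActiveSupport patched for CVE-2013-0155 and CVE-2013-0156", and reference the tracking bug if one exists, so security tooling that parses changelogs records this as a compatibility follow-up rather than as the CVE fix itself.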

