[rubygem-actionpack/f16] Fix for CVE-2012-3424.

Vít Ondruch vondruch at fedoraproject.org
Tue Jul 31 08:59:03 UTC 2012


commit 2fd312f0c7788a5b1bb13a6e4c9dc31cfefffd0f
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Tue Jul 31 10:58:38 2012 +0200

    Fix for CVE-2012-3424.

 ...ert-digest-auth-strings-to-symbols.-CVE-2.patch |   29 ++++++++++++++++++++
 rubygem-actionpack.spec                            |   10 ++++++-
 2 files changed, 38 insertions(+), 1 deletions(-)
---
diff --git a/actionpack-3.0.16-Do-not-convert-digest-auth-strings-to-symbols.-CVE-2.patch b/actionpack-3.0.16-Do-not-convert-digest-auth-strings-to-symbols.-CVE-2.patch
new file mode 100644
index 0000000..b9c250f
--- /dev/null
+++ b/actionpack-3.0.16-Do-not-convert-digest-auth-strings-to-symbols.-CVE-2.patch
@@ -0,0 +1,29 @@
+From b88cc8aa31ca1f06668700dd0ebe2b54ece8bba1 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Thu, 26 Jul 2012 13:30:15 -0700
+Subject: [PATCH] * Do not convert digest auth strings to symbols.
+ CVE-2012-3424
+
+---
+ actionpack/lib/action_controller/metal/http_authentication.rb |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
+index 76adde9..f0da2cc 100644
+--- a/actionpack/lib/action_controller/metal/http_authentication.rb
++++ b/actionpack/lib/action_controller/metal/http_authentication.rb
+@@ -217,9 +217,9 @@ module ActionController
+       end
+ 
+       def decode_credentials(header)
+-        Hash[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
++        HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/,'').split(',').map do |pair|
+           key, value = pair.split('=', 2)
+-          [key.strip.to_sym, value.to_s.gsub(/^"|"$/,'').gsub(/'/, '')]
++          [key.strip, value.to_s.gsub(/^"|"$/,'').delete('\'')]
+         end]
+       end
+ 
+-- 
+1.7.10.4
+
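Review bot: the embedded upstream hunk in `decode_credentials` swaps `Hash[...]` for `HashWithIndifferentAccess[...]` and drops `key.strip.to_sym`, so the parameter names taken from the client-supplied `Authorization: Digest` header are no longer interned as symbols (symbols were not garbage-collected in the Ruby of that era, so a flood of unique keys could exhaust memory). Nothing in the hunk adds a `require 'active_support/core_ext/hash/indifferent_access'`, so confirm that `http_authentication.rb` in the 3.0.10 tree already loads that constant rather than relying on another file having done so; also check that every caller that indexes the returned credentials by symbol still resolves, since the keys are now plain strings served through indifferent access. The switch from `gsub(/'/, '')` to `delete('\'')` is behaviour-preserving.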
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 742b654..b641386 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -10,7 +10,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 3.0.10
-Release: 7%{?dist}
+Release: 8%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -61,6 +61,10 @@ Patch8: actionpack-3.0.13-CVE-2012-2660-strip-nil-from-parameters-hash.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=831581
 Patch9: atcionpack-3.0.15-CVE-2012-2694-array-parameters-should-not-contain-nil-values.patch
 
+# Fixes CVE-2012-3424
+# https://bugzilla.redhat.com/show_bug.cgi?id=843711
+Patch10: actionpack-3.0.16-Do-not-convert-digest-auth-strings-to-symbols.-CVE-2.patch
+
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
 Requires: rubygem(activemodel) = %{version}
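Review bot: the new `Patch10` filename is tagged 3.0.16 while this spec builds `Version: 3.0.10`; since `%prep` applies it with `-p2`, verify the hunk at line 217 of `http_authentication.rb` lands without fuzz or offset on 3.0.10 so the build does not silently pick up a mis-applied fix. Unrelated to this change but visible in the context, the existing `Patch9:` line carries a misspelled filename (`atcionpack-...`); if the file on disk matches that spelling it is harmless, otherwise it deserves its own cleanup commit.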
@@ -124,6 +128,7 @@ pushd .%{geminstdir}
 %patch7 -p2
 %patch8 -p2
 %patch9 -p2
+%patch10 -p2
 
 # create missing symlink
 pushd test/fixtures/layout_tests/layouts/
@@ -195,6 +200,9 @@ rake test --trace
 
 
 %changelog
+* Tue Jul 31 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-8
+- Fix for CVE-2012-3424.
+
 * Mon Jun 18 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-7
 - Fix for CVE-2012-2694.
 

