[rubygem-activerecord/f16] Fix for CVE-2012-2661.
Vít Ondruch
vondruch at fedoraproject.org
Mon Jun 4 17:14:10 UTC 2012
commit ba8cffe36f926abaf3566f9ca06c66284583abcb
Author: Vít Ondruch <vondruch at redhat.com>
Date: Mon Jun 4 19:13:58 2012 +0200
Fix for CVE-2012-2661.
...uilder-should-not-recurse-for-determining.patch | 66 ++++++++++++++++++++
rubygem-activerecord.spec | 10 +++-
2 files changed, 75 insertions(+), 1 deletions(-)
---
diff --git a/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch b/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
new file mode 100644
index 0000000..c1076e0
--- /dev/null
+++ b/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
@@ -0,0 +1,66 @@
+From 99f030934eb8341db333cb6783d0f42bfa57358f Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Wed, 30 May 2012 15:06:12 -0700
+Subject: [PATCH] predicate builder should not recurse for determining where
+ columns. Thanks to Ben Murphy for reporting this
+
+CVE-2012-2661
+---
+ .../lib/active_record/relation/predicate_builder.rb | 6 +++---
+ activerecord/test/cases/relation/where_test.rb | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+ create mode 100644 activerecord/test/cases/relation/where_test.rb
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 505c3f4..84e88cf 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -5,17 +5,17 @@ module ActiveRecord
+ @engine = engine
+ end
+
+- def build_from_hash(attributes, default_table)
++ def build_from_hash(attributes, default_table, check_column = true)
+ predicates = attributes.map do |column, value|
+ table = default_table
+
+ if value.is_a?(Hash)
+ table = Arel::Table.new(column, :engine => @engine)
+- build_from_hash(value, table)
++ build_from_hash(value, table, false)
+ else
+ column = column.to_s
+
+- if column.include?('.')
++ if check_column && column.include?('.')
+ table_name, column = column.split('.', 2)
+ table = Arel::Table.new(table_name, :engine => @engine)
+ end
+diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
+new file mode 100644
+index 0000000..90c690e
+--- /dev/null
++++ b/activerecord/test/cases/relation/where_test.rb
+@@ -0,0 +1,19 @@
++require "cases/helper"
++require 'models/post'
++
++module ActiveRecord
++ class WhereTest < ActiveRecord::TestCase
++ fixtures :posts
++
++ def test_where_error
++ assert_raises(ActiveRecord::StatementInvalid) do
++ Post.where(:id => { 'posts.author_id' => 10 }).first
++ end
++ end
++
++ def test_where_with_table_name
++ post = Post.first
++ assert_equal post, Post.where(:posts => { 'id' => post.id }).first
++ end
++ end
++end
+--
+1.7.10.2
+
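Review bot: The guard added with `build_from_hash(value, table, false)` stops dotted keys from being split below the top level, but the `value.is_a?(Hash)` branch itself is not gated, so a hash nested two or more levels deep still reaches `Arel::Table.new(column, :engine => @engine)` with a caller-supplied key used as the table name. Gating the recursion on the same flag, `if check_column && value.is_a?(Hash)`, would limit nesting to the single level that `where(:posts => { 'id' => ... })` relies on; I believe that is what the later upstream fix for the related CVE-2012-2695 did. The added where_test.rb only exercises a dotted key one level down, so a case with a second level of nesting would pin the intended behaviour. The body of build_from_hash continues past the end of the hunk.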
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 25461ab..c520583 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -10,7 +10,7 @@ Summary: Implements the ActiveRecord pattern for ORM
Name: rubygem-%{gemname}
Epoch: 1
Version: 3.0.10
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -37,6 +37,10 @@ Patch1: activerecord-tests-fix.patch
Patch2: activerecord-downgrade-dependencies.patch
+# Fixes CVE-2012-2661
+# https://bugzilla.redhat.com/show_bug.cgi?id=827363
+Patch3: activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
+
Requires: ruby(abi) = %{rubyabi}
Requires: rubygems
Requires: rubygem(activesupport) = %{version}
@@ -82,6 +86,7 @@ tar xzvf %{SOURCE2} -C .%{geminstdir}
pushd ./%{geminstdir}
%patch0 -p0
%patch1 -p0
+%patch3 -p2
popd
pushd .%{gemdir}
@@ -144,6 +149,9 @@ rake test_sqlite3 --trace
%{gemdir}/specifications/%{gemname}-%{version}.gemspec
%changelog
+* Mon Jun 04 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-2
+- Fix for CVE-2012-2661.
+
* Mon Aug 22 2011 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-1
- Update to ActiveRecord 3.0.10