[rubygem-activerecord/f16] Fix for CVE-2012-2661.

Vít Ondruch vondruch at fedoraproject.org
Mon Jun 4 17:14:10 UTC 2012


commit ba8cffe36f926abaf3566f9ca06c66284583abcb
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Mon Jun 4 19:13:58 2012 +0200

    Fix for CVE-2012-2661.

 ...uilder-should-not-recurse-for-determining.patch |   66 ++++++++++++++++++++
 rubygem-activerecord.spec                          |   10 +++-
 2 files changed, 75 insertions(+), 1 deletions(-)
---
diff --git a/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch b/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
new file mode 100644
index 0000000..c1076e0
--- /dev/null
+++ b/activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
@@ -0,0 +1,66 @@
+From 99f030934eb8341db333cb6783d0f42bfa57358f Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Wed, 30 May 2012 15:06:12 -0700
+Subject: [PATCH] predicate builder should not recurse for determining where
+ columns. Thanks to Ben Murphy for reporting this
+
+CVE-2012-2661
+---
+ .../lib/active_record/relation/predicate_builder.rb |    6 +++---
+ activerecord/test/cases/relation/where_test.rb      |   19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+ create mode 100644 activerecord/test/cases/relation/where_test.rb
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 505c3f4..84e88cf 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -5,17 +5,17 @@ module ActiveRecord
+       @engine = engine
+     end
+ 
+-    def build_from_hash(attributes, default_table)
++    def build_from_hash(attributes, default_table, check_column = true)
+       predicates = attributes.map do |column, value|
+         table = default_table
+ 
+         if value.is_a?(Hash)
+           table = Arel::Table.new(column, :engine => @engine)
+-          build_from_hash(value, table)
++          build_from_hash(value, table, false)
+         else
+           column = column.to_s
+ 
+-          if column.include?('.')
++          if check_column && column.include?('.')
+             table_name, column = column.split('.', 2)
+             table = Arel::Table.new(table_name, :engine => @engine)
+           end
+diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
+new file mode 100644
+index 0000000..90c690e
+--- /dev/null
++++ b/activerecord/test/cases/relation/where_test.rb
+@@ -0,0 +1,19 @@
++require "cases/helper"
++require 'models/post'
++
++module ActiveRecord
++  class WhereTest < ActiveRecord::TestCase
++    fixtures :posts
++
++    def test_where_error
++      assert_raises(ActiveRecord::StatementInvalid) do
++        Post.where(:id => { 'posts.author_id' => 10 }).first
++      end
++    end
++
++    def test_where_with_table_name
++      post = Post.first
++      assert_equal post, Post.where(:posts => { 'id' => post.id }).first
++    end
++  end
++end
+-- 
+1.7.10.2
+
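Review bot: The new `check_column` flag at `build_from_hash(attributes, default_table, check_column = true)` and its recursive call `build_from_hash(value, table, false)` carry no comment saying why keys of a nested hash must no longer be split on '.', so the intent of the fix is only recoverable from the commit subject and from `test_where_error`, which expects `Post.where(:id => { 'posts.author_id' => 10 })` to fail. A one-line comment above `if check_column && column.include?('.')`, such as `# Only top-level keys may select a table as 'table.column'; nested hash keys are treated as plain column names (CVE-2012-2661)`, would keep that reasoning next to the code. Because this file is the verbatim upstream commit 99f030934eb8341db333cb6783d0f42bfa57358f, it is probably better to leave the patch byte-identical for later rebases and put that explanation in the spec's Patch3 comment instead. The `build_from_hash` method continues past the inner hunk's last context line, so the remainder of its `else` branch is not reviewed here.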
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 25461ab..c520583 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -10,7 +10,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 3.0.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -37,6 +37,10 @@ Patch1: activerecord-tests-fix.patch
 
 Patch2: activerecord-downgrade-dependencies.patch
 
+# Fixes CVE-2012-2661
+# https://bugzilla.redhat.com/show_bug.cgi?id=827363
+Patch3: activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
+
 Requires: ruby(abi) = %{rubyabi}
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
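Review bot: The Patch3 comment names the CVE and the bug link but not that the patch is upstream commit 99f0309 written against 3.0.13 (per the file name) and backported unchanged onto `Version: 3.0.10`, nor why `%prep` applies it with `%patch3 -p2` while `%patch0` and `%patch1` use `-p0`. Extending the comment to `# Fixes CVE-2012-2661 (upstream commit 99f0309 for 3.0.13, applies cleanly to 3.0.10)` and `# Paths are prefixed a/activerecord/, hence %patch3 -p2 in %prep` would spare the next rebase a guess. The patch also creates test/cases/relation/where_test.rb, which the `rake test_sqlite3` run in %check only exercises if the tests tarball `%{SOURCE2}` has been extracted into `%{geminstdir}` before `%patch3` runs; the %prep hunk shows that tar line as its header context, so this appears to hold, but it is worth confirming in the full %prep section, which is outside this diff.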
@@ -82,6 +86,7 @@ tar xzvf %{SOURCE2} -C .%{geminstdir}
 pushd ./%{geminstdir}
 %patch0 -p0
 %patch1 -p0
+%patch3 -p2
 popd
 
 pushd .%{gemdir}
@@ -144,6 +149,9 @@ rake test_sqlite3 --trace
 %{gemdir}/specifications/%{gemname}-%{version}.gemspec
 
 %changelog
+* Mon Jun 04 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-2
+- Fix for CVE-2012-2661.
+
 * Mon Aug 22 2011 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-1
 - Update to ActiveRecord 3.0.10
 

