[rubygem-activerecord/f17] Fix for CVE-2012-2695.
Vít Ondruch
vondruch at fedoraproject.org
Mon Jun 18 09:45:55 UTC 2012
commit 77e9ac72e32525b8320405788a468598c6b84fa8
Author: Vít Ondruch <vondruch at redhat.com>
Date: Mon Jun 18 11:45:38 2012 +0200
Fix for CVE-2012-2695.
...012-2695-additional-fix-for-CVE-2012-2661.patch | 60 ++++++++++++++++++++
rubygem-activerecord.spec | 10 +++-
2 files changed, 69 insertions(+), 1 deletions(-)
---
diff --git a/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch b/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
new file mode 100644
index 0000000..11ed5fb
--- /dev/null
+++ b/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
@@ -0,0 +1,60 @@
+From 176af7eff2e33b331c92febbeda98123da1151f3 Mon Sep 17 00:00:00 2001
+From: Ernie Miller <ernie at erniemiller.org>
+Date: Fri, 8 Jun 2012 16:42:01 -0400
+Subject: [PATCH] Additional fix for CVE-2012-2661
+
+While the patched PredicateBuilder in 3.0.13 prevents a user
+from specifying a table name using the `table.column` format,
+it doesn't protect against the nesting of hashes changing the
+table context in the next call to build_from_hash. This fix
+covers this case as well.
+---
+ .../active_record/relation/predicate_builder.rb | 6 +++---
+ activerecord/test/cases/relation/where_test.rb | 6 ++++++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 84e88cf..e74ba73 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -5,17 +5,17 @@ module ActiveRecord
+ @engine = engine
+ end
+
+- def build_from_hash(attributes, default_table, check_column = true)
++ def build_from_hash(attributes, default_table, allow_table_name = true)
+ predicates = attributes.map do |column, value|
+ table = default_table
+
+- if value.is_a?(Hash)
++ if allow_table_name && value.is_a?(Hash)
+ table = Arel::Table.new(column, :engine => @engine)
+ build_from_hash(value, table, false)
+ else
+ column = column.to_s
+
+- if check_column && column.include?('.')
++ if allow_table_name && column.include?('.')
+ table_name, column = column.split('.', 2)
+ table = Arel::Table.new(table_name, :engine => @engine)
+ end
+diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
+index 90c690e..b9eef1d 100644
+--- a/activerecord/test/cases/relation/where_test.rb
++++ b/activerecord/test/cases/relation/where_test.rb
+@@ -11,6 +11,12 @@ module ActiveRecord
+ end
+ end
+
++ def test_where_error_with_hash
++ assert_raises(ActiveRecord::StatementInvalid) do
++ Post.where(:id => { :posts => {:author_id => 10} }).first
++ end
++ end
++
+ def test_where_with_table_name
+ post = Post.first
+ assert_equal post, Post.where(:posts => { 'id' => post.id }).first
+--
+1.7.5.4
+
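Review bot: In the else branch of build_from_hash, a nested Hash value is not rejected explicitly. The recursive call `build_from_hash(value, table, false)` turns off both the Hash branch and the `table.column` split one level down, and the new test_where_error_with_hash expects ActiveRecord::StatementInvalid. As far as these lines show, the nested hash is therefore caught only when the statement fails, not before the predicate is built. Consider raising a clear error in the else branch when `value.is_a?(Hash)` and allow_table_name is false, and asserting on that instead. A second test with a dotted key inside a nested hash would also pin down the `column.include?('.')` half of the change, which the added test does not exercise.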
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 8e75344..51f32d9 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -7,7 +7,7 @@ Summary: Implements the ActiveRecord pattern for ORM
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.0.11
-Release: 2%{?dist}
+Release: 3%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -38,6 +38,10 @@ Patch2: activerecord-downgrade-dependencies.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=827363
Patch3: activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
+# Fixes CVE-2012-2695
+# https://bugzilla.redhat.com/show_bug.cgi?id=831573
+Patch4: activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
+
Requires: ruby(abi) = %{rubyabi}
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = %{version}
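Review bot: The comment above Patch4 gives the CVE and the Bugzilla id but not the upstream origin, and the patch file is named for 3.0.15 while the package Version is 3.0.11. Adding the upstream commit from the patch header (176af7eff2e33b331c92febbeda98123da1151f3) to the comment would make the backport traceable. A short note that this patch is a follow-up to Patch3 would explain why the two belong together.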
@@ -85,6 +89,7 @@ pushd ./%{gem_instdir}
%patch0 -p0
%patch1 -p0
%patch3 -p2
+%patch4 -p2
popd
pushd .%{gem_dir}
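Review bot: `%patch4 -p2` depends on running after `%patch3 -p2`, and nothing in %prep says so. The lines the new patch removes use `check_column`, and its commit message describes it as an addition to the earlier CVE-2012-2661 fix, so it expects the tree that Patch3 leaves behind. A one-line comment here would protect the ordering from later reshuffling. It is also worth confirming that both files in the patch, including test/cases/relation/where_test.rb, apply to the 3.0.11 tree without fuzz at this strip level.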
@@ -155,6 +160,9 @@ popd
%{gem_spec}
%changelog
+* Mon Jun 18 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-3
+- Fix for CVE-2012-2695.
+
* Mon Jun 04 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-2
- Fix for CVE-2012-2661.