[rubygem-activerecord/f17] Fix for CVE-2012-2695.

Vít Ondruch vondruch at fedoraproject.org
Mon Jun 18 09:45:55 UTC 2012


commit 77e9ac72e32525b8320405788a468598c6b84fa8
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Mon Jun 18 11:45:38 2012 +0200

    Fix for CVE-2012-2695.

 ...012-2695-additional-fix-for-CVE-2012-2661.patch |   60 ++++++++++++++++++++
 rubygem-activerecord.spec                          |   10 +++-
 2 files changed, 69 insertions(+), 1 deletions(-)
---
diff --git a/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch b/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
new file mode 100644
index 0000000..11ed5fb
--- /dev/null
+++ b/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
@@ -0,0 +1,60 @@
+From 176af7eff2e33b331c92febbeda98123da1151f3 Mon Sep 17 00:00:00 2001
+From: Ernie Miller <ernie at erniemiller.org>
+Date: Fri, 8 Jun 2012 16:42:01 -0400
+Subject: [PATCH] Additional fix for CVE-2012-2661
+
+While the patched PredicateBuilder in 3.0.13 prevents a user
+from specifying a table name using the `table.column` format,
+it doesn't protect against the nesting of hashes changing the
+table context in the next call to build_from_hash. This fix
+covers this case as well.
+---
+ .../active_record/relation/predicate_builder.rb    |    6 +++---
+ activerecord/test/cases/relation/where_test.rb     |    6 ++++++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 84e88cf..e74ba73 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -5,17 +5,17 @@ module ActiveRecord
+       @engine = engine
+     end
+ 
+-    def build_from_hash(attributes, default_table, check_column = true)
++    def build_from_hash(attributes, default_table, allow_table_name = true)
+       predicates = attributes.map do |column, value|
+         table = default_table
+ 
+-        if value.is_a?(Hash)
++        if allow_table_name && value.is_a?(Hash)
+           table = Arel::Table.new(column, :engine => @engine)
+           build_from_hash(value, table, false)
+         else
+           column = column.to_s
+ 
+-          if check_column && column.include?('.')
++          if allow_table_name && column.include?('.')
+             table_name, column = column.split('.', 2)
+             table = Arel::Table.new(table_name, :engine => @engine)
+           end
+diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
+index 90c690e..b9eef1d 100644
+--- a/activerecord/test/cases/relation/where_test.rb
++++ b/activerecord/test/cases/relation/where_test.rb
+@@ -11,6 +11,12 @@ module ActiveRecord
+       end
+     end
+ 
++    def test_where_error_with_hash
++      assert_raises(ActiveRecord::StatementInvalid) do
++        Post.where(:id => { :posts => {:author_id => 10} }).first
++      end
++    end
++
+     def test_where_with_table_name
+       post = Post.first
+       assert_equal post, Post.where(:posts => { 'id' => post.id }).first
+-- 
+1.7.5.4
+
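Review bot: In build_from_hash, once allow_table_name is false a Hash value is no longer recursed into and falls through to the else branch, and the new test_where_error_with_hash only expects ActiveRecord::StatementInvalid, so the nested hash appears to be rejected only when the database refuses the statement. Consider raising an explicit error (for example ArgumentError) in that branch so the rejection does not depend on the adapter failing the query. The new test covers only the nested-hash case; a companion test for a dotted `table.column` key inside a nested hash would exercise the `allow_table_name && column.include?('.')` guard as well. The recursive call still passes a bare positional `false`, and a short comment there saying it disables both table switches for the nested level would make the intent clear.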
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 8e75344..51f32d9 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -7,7 +7,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.0.11
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -38,6 +38,10 @@ Patch2: activerecord-downgrade-dependencies.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=827363
 Patch3: activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
 
+# Fixes CVE-2012-2695
+# https://bugzilla.redhat.com/show_bug.cgi?id=831573
+Patch4: activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
+
 Requires: ruby(abi) = %{rubyabi}
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
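Review bot: The comment above Patch4 does not say that this is a backport, although the patch file is named for 3.0.15 while the package Version is 3.0.11. Add a line naming the upstream commit (176af7eff2e33b331c92febbeda98123da1151f3 in the patch header) so it is clear when the patch can be dropped on a rebase.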
@@ -85,6 +89,7 @@ pushd ./%{gem_instdir}
 %patch0 -p0
 %patch1 -p0
 %patch3 -p2
+%patch4 -p2
 popd
 
 pushd .%{gem_dir}
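Review bot: `%patch4 -p2` has an undocumented ordering dependency on `%patch3`: the lines it removes from predicate_builder.rb use the `check_column` parameter, which the patch message attributes to the 3.0.13 PredicateBuilder fix carried here as Patch3. A one-line comment above `%patch4` stating that it must follow `%patch3` would keep a later reordering or removal of Patch3 from breaking the build.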
@@ -155,6 +160,9 @@ popd
 %{gem_spec}
 
 %changelog
+* Mon Jun 18 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-3
+- Fix for CVE-2012-2695.
+
 * Mon Jun 04 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-2
 - Fix for CVE-2012-2661.
 

