[rubygem-activerecord/f15] Fix for CVE-2012-2695.

Vít Ondruch vondruch at fedoraproject.org
Mon Jun 18 11:14:30 UTC 2012


commit 878495a1ce608e7aef4b07b0db4314f7ed17124e
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Mon Jun 18 11:45:38 2012 +0200

    Fix for CVE-2012-2695.

 ...012-2695-additional-fix-for-CVE-2012-2661.patch |   60 ++++++++++++++++++++
 rubygem-activerecord.spec                          |   10 +++-
 2 files changed, 69 insertions(+), 1 deletions(-)
---
diff --git a/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch b/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
new file mode 100644
index 0000000..11ed5fb
--- /dev/null
+++ b/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
@@ -0,0 +1,60 @@
+From 176af7eff2e33b331c92febbeda98123da1151f3 Mon Sep 17 00:00:00 2001
+From: Ernie Miller <ernie at erniemiller.org>
+Date: Fri, 8 Jun 2012 16:42:01 -0400
+Subject: [PATCH] Additional fix for CVE-2012-2661
+
+While the patched PredicateBuilder in 3.0.13 prevents a user
+from specifying a table name using the `table.column` format,
+it doesn't protect against the nesting of hashes changing the
+table context in the next call to build_from_hash. This fix
+covers this case as well.
+---
+ .../active_record/relation/predicate_builder.rb    |    6 +++---
+ activerecord/test/cases/relation/where_test.rb     |    6 ++++++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 84e88cf..e74ba73 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -5,17 +5,17 @@ module ActiveRecord
+       @engine = engine
+     end
+ 
+-    def build_from_hash(attributes, default_table, check_column = true)
++    def build_from_hash(attributes, default_table, allow_table_name = true)
+       predicates = attributes.map do |column, value|
+         table = default_table
+ 
+-        if value.is_a?(Hash)
++        if allow_table_name && value.is_a?(Hash)
+           table = Arel::Table.new(column, :engine => @engine)
+           build_from_hash(value, table, false)
+         else
+           column = column.to_s
+ 
+-          if check_column && column.include?('.')
++          if allow_table_name && column.include?('.')
+             table_name, column = column.split('.', 2)
+             table = Arel::Table.new(table_name, :engine => @engine)
+           end
+diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
+index 90c690e..b9eef1d 100644
+--- a/activerecord/test/cases/relation/where_test.rb
++++ b/activerecord/test/cases/relation/where_test.rb
+@@ -11,6 +11,12 @@ module ActiveRecord
+       end
+     end
+ 
++    def test_where_error_with_hash
++      assert_raises(ActiveRecord::StatementInvalid) do
++        Post.where(:id => { :posts => {:author_id => 10} }).first
++      end
++    end
++
+     def test_where_with_table_name
+       post = Post.first
+       assert_equal post, Post.where(:posts => { 'id' => post.id }).first
+-- 
+1.7.5.4
+
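Review bot: In the embedded predicate_builder.rb change, a Hash value that arrives while `allow_table_name` is false is not rejected at build time; it drops into the `else` branch like an ordinary value, and the added `test_where_error_with_hash` only expects `ActiveRecord::StatementInvalid` from `.first`, so the failure surfaces when the statement is executed. An explicit raise in `build_from_hash` for that case would make the rejection independent of how the statement happens to fail at the database. The recursive call `build_from_hash(value, table, false)` also deserves a short comment, since the bare `false` now means that nested levels may not name a table.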
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 7fe0e09..3d547f4 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -9,7 +9,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 3.0.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -50,6 +50,10 @@ Patch6: activerecord-3.0.13-fix-failing-tests.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=827363
 Patch7: activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
 
+# Fixes CVE-2012-2695
+# https://bugzilla.redhat.com/show_bug.cgi?id=831573
+Patch8: activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
+
 Requires: ruby(abi) = %{rubyabi}
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
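Review bot: The `Patch8` file name says activerecord-3.0.15 while this spec builds `Version: 3.0.5`, and the comment above it records only the CVE and the Bugzilla link. Please add a comment line naming the upstream commit the patch was taken from (the patch header carries 176af7eff2e33b331c92febbeda98123da1151f3) and confirming that it was checked against the 3.0.5 sources, so the version in the file name is not mistaken for a wrong patch.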
@@ -99,6 +103,7 @@ pushd ./%{geminstdir}
 %patch5 -p2
 %patch6 -p2
 %patch7 -p2
+%patch8 -p2
 popd
 
 # Remove backup files
@@ -158,6 +163,9 @@ rake test_sqlite3 --trace
 %{gemdir}/specifications/%{gemname}-%{version}.gemspec
 
 %changelog
+* Mon Jun 18 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.5-4
+- Fix for CVE-2012-2695.
+
 * Tue Jun 05 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.5-3
 - Fix for CVE-2012-2661.
 
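Review bot: The new %changelog entry "Fix for CVE-2012-2695." does not say what was changed or which bug it tracks. Consider adding the Bugzilla id from the Patch8 comment (831573) and noting that this is the additional PredicateBuilder fix following CVE-2012-2661, so the entry can be read without opening the patch.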

