[rubygem-activerecord/f18] Fix for CVE-2013-0155.
Vít Ondruch
vondruch at fedoraproject.org
Wed Jan 9 16:16:15 UTC 2013
commit f73298834f9bb5c546960e684741550910ba626e
Author: Vít Ondruch <vondruch at redhat.com>
Date: Wed Jan 9 17:15:14 2013 +0100
Fix for CVE-2013-0155.
...ord-3.2.11-CVE-2013-0155-null_array_param.patch | 33 ++++++++++++++++++++
rubygem-activerecord.spec | 10 +++++-
2 files changed, 42 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activerecord-3.2.11-CVE-2013-0155-null_array_param.patch b/rubygem-activerecord-3.2.11-CVE-2013-0155-null_array_param.patch
new file mode 100644
index 0000000..909bfb4
--- /dev/null
+++ b/rubygem-activerecord-3.2.11-CVE-2013-0155-null_array_param.patch
@@ -0,0 +1,33 @@
+From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+---
+ .../lib/active_record/relation/predicate_builder.rb | 7 ++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 6b118b4..b31fdfd 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -6,7 +6,12 @@ module ActiveRecord
+
+ if allow_table_name && value.is_a?(Hash)
+ table = Arel::Table.new(column, engine)
+- build_from_hash(engine, value, table, false)
++
++ if value.empty?
++ '1 = 2'
++ else
++ build_from_hash(engine, value, table, false)
++ end
+ else
+ column = column.to_s
+
+--
+1.7.10.2 (Apple Git-33)
+
+
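Review bot: this patch file carries only half of the upstream fix: its Subject line reads "[PATCH 1/2]" and describes stripping nils from collections on JSON and XML posts, yet the diffstat lists a single file, predicate_builder.rb, and the only behavioural change is the empty-hash branch. The spec comment or commit message should say where the nil-stripping half (patch 2/2) lands, so nobody reads this file alone as closing CVE-2013-0155. Two smaller points on the embedded hunk: the new branch returns the bare SQL fragment '1 = 2' rather than an Arel node, so a one-line comment stating that an empty nested hash must yield an always-false predicate would help future readers, and no regression test for the empty-hash input accompanies the change even though the spec ships a tests tarball (Source1).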
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index e3711b7..99adc8e 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -6,7 +6,7 @@ Summary: Implements the ActiveRecord pattern for ORM
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.2.8
-Release: 2%{?dist}
+Release: 3%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -21,6 +21,10 @@ Source1: activerecord-%{version}-tests.tgz
# https://bugzilla.redhat.com/show_bug.cgi?id=889649
Patch0: rubygem-activerecord-3.2.10-CVE-2012-6496-dynamic_finder_injection.patch
+# CVE-2013-0155
+# https://bugzilla.redhat.com/show_bug.cgi?id=892866
+Patch1: rubygem-activerecord-3.2.11-CVE-2013-0155-null_array_param.patch
+
Requires: ruby(abi) = %{rubyabi}
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = %{version}
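Review bot: the Patch1 entry follows the CVE and Bugzilla comment convention already used for Patch0, which is good; consider adding one more comment line recording that the file is a backport of the upstream 3.2.11 fix (its name says 3.2.11 while Version at the top of the spec is 3.2.8), so that the patch can be dropped with confidence at the next rebase.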
@@ -63,6 +67,7 @@ gem install --local --install-dir .%{gem_dir} \
pushd .%{gem_instdir}
%patch0 -p2
+%patch1 -p2
popd
%build
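Review bot: -p2 is the right strip level for the new %patch1 line. The embedded patch addresses a/activerecord/lib/active_record/relation/predicate_builder.rb and is applied inside pushd .%{gem_instdir}, so stripping two leading components yields lib/active_record/relation/predicate_builder.rb relative to the gem directory, consistent with how %patch0 is applied immediately above it.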
@@ -109,6 +114,9 @@ popd
%changelog
+* Wed Jan 09 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-3
+- Fix for CVE-2013-0155.
+
* Fri Jan 04 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-2
- Fix for CVE-2012-6496.