[rubygem-actionpack/f16] Fix for CVE-2013-0155.
Vít Ondruch
vondruch at fedoraproject.org
Thu Jan 10 16:05:18 UTC 2013
commit cb2f90262e6e57ab7bfe76864c1d3b68c183667e
Author: Vít Ondruch <vondruch at redhat.com>
Date: Thu Jan 10 14:22:21 2013 +0100
Fix for CVE-2013-0155.
...ack-3.0.19-CVE-2013-0155-null_array_param.patch | 70 ++++++++++++++++++++
rubygem-actionpack.spec | 10 +++-
2 files changed, 79 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-actionpack-3.0.19-CVE-2013-0155-null_array_param.patch b/rubygem-actionpack-3.0.19-CVE-2013-0155-null_array_param.patch
new file mode 100644
index 0000000..6835fbe
--- /dev/null
+++ b/rubygem-actionpack-3.0.19-CVE-2013-0155-null_array_param.patch
@@ -0,0 +1,70 @@
+From f943e386039e0f28e777e2cf7ec39a7dbe24c040 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+---
+ actionpack/lib/action_dispatch/http/request.rb | 10 ++++------
+ .../lib/action_dispatch/middleware/params_parser.rb | 4 ++--
+ 2 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
+index 04b4a21..8767acb 100644
+--- a/actionpack/lib/action_dispatch/http/request.rb
++++ b/actionpack/lib/action_dispatch/http/request.rb
+@@ -258,18 +258,14 @@ module ActionDispatch
+ LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
+ end
+
+- protected
+-
+ # Remove nils from the params hash
+ def deep_munge(hash)
+- keys = hash.keys.find_all { |k| hash[k] == [nil] }
+- keys.each { |k| hash[k] = nil }
+-
+- hash.each_value do |v|
++ hash.each do |k, v|
+ case v
+ when Array
+ v.grep(Hash) { |x| deep_munge(x) }
+ v.compact!
++ hash[k] = nil if v.empty?
+ when Hash
+ deep_munge(v)
+ end
+@@ -278,6 +274,8 @@ module ActionDispatch
+ hash
+ end
+
++ protected
++
+ def parse_query(qs)
+ deep_munge(super)
+ end
+diff --git a/actionpack/lib/action_dispatch/middleware/params_parser.rb b/actionpack/lib/action_dispatch/middleware/params_parser.rb
+index d4208ca..aaf9680 100644
+--- a/actionpack/lib/action_dispatch/middleware/params_parser.rb
++++ b/actionpack/lib/action_dispatch/middleware/params_parser.rb
+@@ -38,13 +38,13 @@ module ActionDispatch
+ when Proc
+ strategy.call(request.raw_post)
+ when :xml_simple, :xml_node
+- data = Hash.from_xml(request.body.read) || {}
++ data = request.deep_munge(Hash.from_xml(request.body.read) || {})
+ request.body.rewind if request.body.respond_to?(:rewind)
+ data.with_indifferent_access
+ when :yaml
+ YAML.load(request.raw_post)
+ when :json
+- data = ActiveSupport::JSON.decode(request.body)
++ data = request.deep_munge ActiveSupport::JSON.decode(request.body)
+ request.body.rewind if request.body.respond_to?(:rewind)
+ data = {:_json => data} unless data.is_a?(Hash)
+ data.with_indifferent_access
+--
+1.7.10.2 (Apple Git-33)
+
+
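Review bot: The `:yaml` strategy two lines below the JSON change still runs `YAML.load(request.raw_post)` on the untrusted request body (a context line this patch leaves alone), and the subject `[PATCH 1/2]` indicates upstream shipped this as one half of a pair, yet this commit adds only Patch15. If the companion patch for CVE-2013-0156 (presumably the YAML/Symbol type handling in XML and YAML parameter parsing, released alongside 3.0.19) is not tracked in a separate update, it should land together with this one. In request.rb, `deep_munge` is moved above the `protected` marker so the middleware can call `request.deep_munge`; a one-line comment such as `# Public so ParamsParser can munge decoded XML/JSON bodies, not only query strings` would record why it is no longer protected. Note also that with `hash[k] = nil if v.empty?` after `compact!`, a client-sent empty array `[]` is now mapped to nil as well, not only `[nil]`, which callers that distinguish `params[:ids] == []` from a missing key should be aware of.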
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 35fc081..ab17b2d 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -10,7 +10,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
Name: rubygem-%{gemname}
Epoch: 1
Version: 3.0.10
-Release: 9%{?dist}
+Release: 10%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
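Review bot: The changelog entry added later in this commit records the version as `1:3.0.10-6`, which neither matches the new `Release: 10%{?dist}` here nor follows the preceding `1:3.0.10-9` entry, and rpmlint reports this as incoherent-version-in-changelog. The line should read `* Thu Jan 10 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-10`.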
@@ -78,6 +78,10 @@ Patch13: actionpack-3.0.17-CVE-2012-3464-Fix-tests-about-single-quote-escaping.p
# https://bugzilla.redhat.com/show_bug.cgi?id=847200
Patch14: actionpack-3.0.17-CVE-2012-3465-Do-not-mark-strip_tags-result-as-html_safe.patch
+# CVE-2013-0155
+# https://bugzilla.redhat.com/show_bug.cgi?id=892866
+Patch15: rubygem-actionpack-3.0.19-CVE-2013-0155-null_array_param.patch
+
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = %{version}
Requires: rubygem(activemodel) = %{version}
@@ -146,6 +150,7 @@ pushd .%{geminstdir}
%patch12 -p2
%patch13 -p2
%patch14 -p2
+%patch15 -p2
# create missing symlink
pushd test/fixtures/layout_tests/layouts/
@@ -217,6 +222,9 @@ rake test --trace
%changelog
+* Thu Jan 10 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-6
+- Fix for CVE-2013-0155.
+
* Mon Aug 13 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-9
- Fixes for CVE-2012-3463, CVE-2012-3464 and CVE-2012-3465.