[rubygem-actionpack/f16] Fix for CVE-2013-0155.

Vít Ondruch vondruch at fedoraproject.org
Thu Jan 10 16:05:18 UTC 2013


commit cb2f90262e6e57ab7bfe76864c1d3b68c183667e
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Thu Jan 10 14:22:21 2013 +0100

    Fix for CVE-2013-0155.

 ...ack-3.0.19-CVE-2013-0155-null_array_param.patch |   70 ++++++++++++++++++++
 rubygem-actionpack.spec                            |   10 +++-
 2 files changed, 79 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-actionpack-3.0.19-CVE-2013-0155-null_array_param.patch b/rubygem-actionpack-3.0.19-CVE-2013-0155-null_array_param.patch
new file mode 100644
index 0000000..6835fbe
--- /dev/null
+++ b/rubygem-actionpack-3.0.19-CVE-2013-0155-null_array_param.patch
@@ -0,0 +1,70 @@
+From f943e386039e0f28e777e2cf7ec39a7dbe24c040 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+---
+ actionpack/lib/action_dispatch/http/request.rb        |   10 ++++------
+ .../lib/action_dispatch/middleware/params_parser.rb   |    4 ++--
+ 2 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/actionpack/lib/action_dispatch/http/request.rb b/actionpack/lib/action_dispatch/http/request.rb
+index 04b4a21..8767acb 100644
+--- a/actionpack/lib/action_dispatch/http/request.rb
++++ b/actionpack/lib/action_dispatch/http/request.rb
+@@ -258,18 +258,14 @@ module ActionDispatch
+       LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
+     end
+ 
+-    protected
+-
+     # Remove nils from the params hash
+     def deep_munge(hash)
+-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+-      keys.each { |k| hash[k] = nil }
+-
+-      hash.each_value do |v|
++      hash.each do |k, v|
+         case v
+         when Array
+           v.grep(Hash) { |x| deep_munge(x) }
+           v.compact!
++          hash[k] = nil if v.empty?
+         when Hash
+           deep_munge(v)
+         end
+@@ -278,6 +274,8 @@ module ActionDispatch
+       hash
+     end
+ 
++    protected
++
+     def parse_query(qs)
+       deep_munge(super)
+     end
+diff --git a/actionpack/lib/action_dispatch/middleware/params_parser.rb b/actionpack/lib/action_dispatch/middleware/params_parser.rb
+index d4208ca..aaf9680 100644
+--- a/actionpack/lib/action_dispatch/middleware/params_parser.rb
++++ b/actionpack/lib/action_dispatch/middleware/params_parser.rb
+@@ -38,13 +38,13 @@ module ActionDispatch
+         when Proc
+           strategy.call(request.raw_post)
+         when :xml_simple, :xml_node
+-          data = Hash.from_xml(request.body.read) || {}
++          data = request.deep_munge(Hash.from_xml(request.body.read) || {})
+           request.body.rewind if request.body.respond_to?(:rewind)
+           data.with_indifferent_access
+         when :yaml
+           YAML.load(request.raw_post)
+         when :json
+-          data = ActiveSupport::JSON.decode(request.body)
++          data = request.deep_munge ActiveSupport::JSON.decode(request.body)
+           request.body.rewind if request.body.respond_to?(:rewind)
+           data = {:_json => data} unless data.is_a?(Hash)
+           data.with_indifferent_access
+-- 
+1.7.10.2 (Apple Git-33)
+
+
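Review bot: In the params_parser.rb hunk the :json branch calls deep_munge on the decoded body before the `data = {:_json => data} unless data.is_a?(Hash)` wrap, so a top-level JSON array is passed to deep_munge, whose `hash.each do |k, v|` then destructures array elements instead of yielding key/value pairs and leaves nested nils unstripped. Reordering so the wrap runs first and then `data = request.deep_munge(data)` precedes `data.with_indifferent_access` would make the :json path match the :xml_simple path, where the `|| {}` guarantees a Hash. The :yaml branch on the context line is not routed through deep_munge at all, so YAML bodies get no nil stripping; worth confirming that is intended. The subject marks this as [PATCH 1/2] and the second upstream patch is not part of this commit, presumably deliberate, but the spec comment could say so. Since `protected` moves below deep_munge, the method becomes public on the request, and its comment could state that, e.g. `# Remove nils from the params hash (public: called by ParamsParser on XML/JSON bodies)`.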
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index 35fc081..ab17b2d 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -10,7 +10,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 3.0.10
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -78,6 +78,10 @@ Patch13: actionpack-3.0.17-CVE-2012-3464-Fix-tests-about-single-quote-escaping.p
 # https://bugzilla.redhat.com/show_bug.cgi?id=847200
 Patch14: actionpack-3.0.17-CVE-2012-3465-Do-not-mark-strip_tags-result-as-html_safe.patch
 
+# CVE-2013-0155
+# https://bugzilla.redhat.com/show_bug.cgi?id=892866
+Patch15: rubygem-actionpack-3.0.19-CVE-2013-0155-null_array_param.patch
+
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
 Requires: rubygem(activemodel) = %{version}
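Review bot: The new Patch15 filename uses the prefix `rubygem-actionpack-3.0.19-` while the neighbouring patches use `actionpack-3.0.17-` and the package Version is 3.0.10, so a reader cannot tell whether 3.0.19 names the upstream release the fix was taken from. A comment such as `# Backported from upstream actionpack 3.0.19 (git f943e386)` above Patch15 would record the provenance, and renaming the file to the existing `actionpack-<version>-CVE-…` convention would keep the patch list uniform. Separately, the %changelog hunk at the end records `1:3.0.10-6` although Release is bumped to 10 in the first hunk and the previous entry is -9; it should read `1:3.0.10-10`.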
@@ -146,6 +150,7 @@ pushd .%{geminstdir}
 %patch12 -p2
 %patch13 -p2
 %patch14 -p2
+%patch15 -p2
 
 # create missing symlink
 pushd test/fixtures/layout_tests/layouts/
@@ -217,6 +222,9 @@ rake test --trace
 
 
 %changelog
+* Thu Jan 10 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-6
+- Fix for CVE-2013-0155.
+
 * Mon Aug 13 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.0.10-9
 - Fixes for CVE-2012-3463, CVE-2012-3464 and CVE-2012-3465.
 

