[rubygem-activerecord/f18] Fix for CVE-2013-0276.

Vít Ondruch vondruch at fedoraproject.org
Tue Feb 12 12:25:19 UTC 2013


commit 27308d1f33aa1d48dba463d557834bc5debb938c
Author: Vít Ondruch <vondruch at redhat.com>
Date:   Tue Feb 12 13:24:41 2013 +0100

    Fix for CVE-2013-0276.

 ...ecord-3.2.12-CVE-2013-0276-attr_protected.patch |   41 ++++++++++++++++++++
 rubygem-activerecord.spec                          |    9 ++++-
 2 files changed, 49 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activerecord-3.2.12-CVE-2013-0276-attr_protected.patch b/rubygem-activerecord-3.2.12-CVE-2013-0276-attr_protected.patch
new file mode 100644
index 0000000..6ccc10e
--- /dev/null
+++ b/rubygem-activerecord-3.2.12-CVE-2013-0276-attr_protected.patch
@@ -0,0 +1,41 @@
+From 060bb7250b963609a0d8a5d0559e36b99d2402c6 Mon Sep 17 00:00:00 2001
+From: joernchen of Phenoelit <joernchen at phenoelit.de>
+Date: Sat, 9 Feb 2013 15:46:44 -0800
+Subject: [PATCH] Fix issue with attr_protected where malformed input could
+ circumvent protection
+
+Fixes: CVE-2013-0276
+---
+ activemodel/lib/active_model/attribute_methods.rb                       | 2 +-
+ activemodel/lib/active_model/mass_assignment_security/permission_set.rb | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/activemodel/lib/active_model/attribute_methods.rb b/activemodel/lib/active_model/attribute_methods.rb
+index f033a94..96f2c82 100644
+--- a/activemodel/lib/active_model/attribute_methods.rb
++++ b/activemodel/lib/active_model/attribute_methods.rb
+@@ -365,7 +365,7 @@ module ActiveModel
+             end
+ 
+             @prefix, @suffix = options[:prefix] || '', options[:suffix] || ''
+-            @regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/
++            @regex = /\A(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})\z/
+             @method_missing_target = "#{@prefix}attribute#{@suffix}"
+             @method_name = "#{prefix}%s#{suffix}"
+           end
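Review bot: the anchor change is the whole fix in this hunk and it is the right one, but it deserves a comment in the code. Ruby's `^` and `$` match at line boundaries, so the old pattern `@regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/` could succeed on a single line of a name that contained a newline rather than on the whole string; `\A` and `\z` bind to the absolute start and end. `\z` rather than `\Z` is the correct choice, since `\Z` still matches before a trailing newline. Suggest a regression test asserting that an attribute name containing a newline no longer matches, plus a one-line comment explaining why whole-string anchors are used, so a later cleanup does not quietly revert to `^`/`$`.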
+diff --git a/activemodel/lib/active_model/mass_assignment_security/permission_set.rb b/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
+index a1fcdf1..10faa29 100644
+--- a/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
++++ b/activemodel/lib/active_model/mass_assignment_security/permission_set.rb
+@@ -19,7 +19,7 @@ module ActiveModel
+     protected
+ 
+       def remove_multiparameter_id(key)
+-        key.to_s.gsub(/\(.+/, '')
++        key.to_s.gsub(/\(.+/m, '')
+       end
+     end
+ 
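Review bot: `/m` is doing the real work on `key.to_s.gsub(/\(.+/m, '')` but is easy to misread: in Ruby `/m` makes `.` match newlines (what PCRE calls `/s`), not the multi-line anchor mode of other engines. Without it `.+` stopped at the first newline, so anything after a newline in the key survived the strip and reached the later checks. Worth a short comment naming the Ruby semantics; and since the pattern now consumes to the end of the string, `sub` would express the intent at least as clearly as `gsub`.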
+-- 
+1.8.1.1
+
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 99adc8e..9246a93 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -6,7 +6,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.2.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -25,6 +25,10 @@ Patch0: rubygem-activerecord-3.2.10-CVE-2012-6496-dynamic_finder_injection.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=892866
 Patch1: rubygem-activerecord-3.2.11-CVE-2013-0155-null_array_param.patch
 
+# CVE-2013-0276
+# https://bugzilla.redhat.com/show_bug.cgi?id=909528
+Patch2: rubygem-activerecord-3.2.12-CVE-2013-0276-attr_protected.patch
+
 Requires: ruby(abi) = %{rubyabi}
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
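Review bot: declaring `Patch2:` does not apply it, and nothing in this diff adds a matching `%patch2` line in `%prep`; the diffstat (`9 ++++-`) is fully accounted for by the Release bump, these four lines and the changelog entry, so unless this spec applies patches by some other mechanism the build would ship the patch file without applying it. Second thing to confirm: the patch's hunks touch `activemodel/lib/active_model/attribute_methods.rb` and `activemodel/lib/active_model/mass_assignment_security/permission_set.rb`, i.e. activemodel paths, while this spec packages activerecord; check that the patch applies to files this package actually installs, otherwise the fix belongs in the activemodel package. The comment and Bugzilla URL follow the Patch0/Patch1 style, which is good.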
@@ -114,6 +118,9 @@ popd
 
 
 %changelog
+* Tue Feb 12 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-4
+- Fix for CVE-2013-0276.
+
 * Wed Jan 09 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-3
 - Fix for CVE-2013-0155.
 
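Review bot: the changelog entry follows the existing format; since the Patch2 comment already carries the Bugzilla reference, consider adding it here as well (for example `- Fix for CVE-2013-0276 (rhbz#909528).`) so the changelog alone identifies the fix.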

