[rubygem-activerecord/f18] Fix for CVE-2013-1854.
Vít Ondruch
vondruch at fedoraproject.org
Thu Mar 21 11:06:03 UTC 2013
commit 962e7a3f3840c58d6c72bda1f7c31214fccffdd5
Author: Vít Ondruch <vondruch at redhat.com>
Date: Thu Mar 21 12:05:46 2013 +0100
Fix for CVE-2013-1854.
...2.13-CVE-2013-1854-attribute_symbols-test.patch | 92 ++++++++++++++++++++
...rd-3.2.13-CVE-2013-1854-attribute_symbols.patch | 41 +++++++++
rubygem-activerecord.spec | 13 +++-
3 files changed, 145 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activerecord-3.2.13-CVE-2013-1854-attribute_symbols-test.patch b/rubygem-activerecord-3.2.13-CVE-2013-1854-attribute_symbols-test.patch
new file mode 100644
index 0000000..0f3202b
--- /dev/null
+++ b/rubygem-activerecord-3.2.13-CVE-2013-1854-attribute_symbols-test.patch
@@ -0,0 +1,92 @@
+From 35fc5e67961e7242a426f0a38f618e6e595ceec6 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Tue, 5 Mar 2013 14:52:08 -0800
+Subject: [PATCH] stop calling to_sym when building arel nodes
+
+---
+ activerecord/test/cases/method_scoping_test.rb | 10 +++++-----
+ activerecord/test/cases/relation_test.rb | 6 +++---
+ 2 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/activerecord/test/cases/method_scoping_test.rb b/activerecord/test/cases/method_scoping_test.rb
+index 0ab4f30..ac84306 100644
+--- a/activerecord/test/cases/method_scoping_test.rb
++++ b/activerecord/test/cases/method_scoping_test.rb
+@@ -212,14 +212,14 @@ class MethodScopingTest < ActiveRecord::TestCase
+ table = VerySpecialComment.arel_table
+ relation = VerySpecialComment.scoped
+ relation.where_values << table[:id].not_eq(1)
+- assert_equal({:type => "VerySpecialComment"}, relation.send(:scope_for_create))
++ assert_equal({'type' => "VerySpecialComment"}, relation.send(:scope_for_create))
+ end
+
+ def test_scoped_create
+ new_comment = nil
+
+ VerySpecialComment.send(:with_scope, :create => { :post_id => 1 }) do
+- assert_equal({:post_id => 1, :type => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create))
++ assert_equal({'post_id' => 1, 'type' => 'VerySpecialComment' }, VerySpecialComment.scoped.send(:scope_for_create))
+ new_comment = VerySpecialComment.create :body => "Wonderful world"
+ end
+
+@@ -228,7 +228,7 @@ class MethodScopingTest < ActiveRecord::TestCase
+
+ def test_scoped_create_with_join_and_merge
+ Comment.where(:body => "but Who's Buying?").joins(:post).merge(Post.where(:body => 'Peace Sells...')).with_scope do
+- assert_equal({:body => "but Who's Buying?"}, Comment.scoped.scope_for_create)
++ assert_equal({'body' => "but Who's Buying?"}, Comment.scoped.scope_for_create)
+ end
+ end
+
+@@ -441,7 +441,7 @@ class NestedScopingTest < ActiveRecord::TestCase
+ comment = nil
+ Comment.send(:with_scope, :create => { :post_id => 1}) do
+ Comment.send(:with_scope, :create => { :post_id => 2}) do
+- assert_equal({:post_id => 2}, Comment.scoped.send(:scope_for_create))
++ assert_equal({'post_id' => 2}, Comment.scoped.send(:scope_for_create))
+ comment = Comment.create :body => "Hey guys, nested scopes are broken. Please fix!"
+ end
+ end
+@@ -453,7 +453,7 @@ class NestedScopingTest < ActiveRecord::TestCase
+
+ Comment.send(:with_scope, :create => { :body => "Hey guys, nested scopes are broken. Please fix!" }) do
+ Comment.send(:with_exclusive_scope, :create => { :post_id => 1 }) do
+- assert_equal({:post_id => 1}, Comment.scoped.send(:scope_for_create))
++ assert_equal({'post_id' => 1}, Comment.scoped.send(:scope_for_create))
+ assert_blank Comment.new.body
+ comment = Comment.create :body => "Hey guys"
+ end
+diff --git a/activerecord/test/cases/relation_test.rb b/activerecord/test/cases/relation_test.rb
+index 7a75a84..6efdeac 100644
+--- a/activerecord/test/cases/relation_test.rb
++++ b/activerecord/test/cases/relation_test.rb
+@@ -71,7 +71,7 @@ module ActiveRecord
+ def test_has_values
+ relation = Relation.new Post, Post.arel_table
+ relation.where_values << relation.table[:id].eq(10)
+- assert_equal({:id => 10}, relation.where_values_hash)
++ assert_equal({'id' => 10}, relation.where_values_hash)
+ end
+
+ def test_values_wrong_table
+@@ -101,7 +101,7 @@ module ActiveRecord
+
+ def test_create_with_value
+ relation = Relation.new Post, Post.arel_table
+- hash = { :hello => 'world' }
++ hash = { 'hello' => 'world' }
+ relation.create_with_value = hash
+ assert_equal hash, relation.scope_for_create
+ end
+@@ -110,7 +110,7 @@ module ActiveRecord
+ relation = Relation.new Post, Post.arel_table
+ relation.where_values << relation.table[:id].eq(10)
+ relation.create_with_value = {:hello => 'world'}
+- assert_equal({:hello => 'world', :id => 10}, relation.scope_for_create)
++ assert_equal({'hello' => 'world', 'id' => 10}, relation.scope_for_create)
+ end
+
+ # FIXME: is this really wanted or expected behavior?
+--
+1.8.1.1
+
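Review bot: None of the rewritten assertions (L38–L39, L46–L47, L55–L56, L64–L65, L73–L74, L86–L87, L95–L96, L104–L105) exercises the `predicate_builder.rb` half of the upstream fix with a String column name; they only pin that `where_values_hash` and `scope_for_create` now yield string keys. A regression that reintroduced `column.to_sym` in the predicate builder would therefore still pass this suite, so a small `where`-with-string-key case in relation_test.rb would be worth carrying alongside, if the upstream branch has one. This file is applied to the separately extracted test tarball in %check, so it has no effect on the shipped library code.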
diff --git a/rubygem-activerecord-3.2.13-CVE-2013-1854-attribute_symbols.patch b/rubygem-activerecord-3.2.13-CVE-2013-1854-attribute_symbols.patch
new file mode 100644
index 0000000..362dae9
--- /dev/null
+++ b/rubygem-activerecord-3.2.13-CVE-2013-1854-attribute_symbols.patch
@@ -0,0 +1,41 @@
+From 35fc5e67961e7242a426f0a38f618e6e595ceec6 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Tue, 5 Mar 2013 14:52:08 -0800
+Subject: [PATCH] stop calling to_sym when building arel nodes
+
+---
+ activerecord/lib/active_record/relation.rb | 2 +-
+ activerecord/lib/active_record/relation/predicate_builder.rb | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/activerecord/lib/active_record/relation.rb b/activerecord/lib/active_record/relation.rb
+index 4b3b30d..ae1a575 100644
+--- a/activerecord/lib/active_record/relation.rb
++++ b/activerecord/lib/active_record/relation.rb
+@@ -464,7 +464,7 @@ module ActiveRecord
+ node.left.relation.name == table_name
+ }
+
+- Hash[equalities.map { |where| [where.left.name, where.right] }]
++ Hash[equalities.map { |where| [where.left.name, where.right] }].with_indifferent_access
+ end
+
+ def scope_for_create
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index b31fdfd..413b81c 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -20,7 +20,7 @@ module ActiveRecord
+ table = Arel::Table.new(table_name, engine)
+ end
+
+- attribute = table[column.to_sym]
++ attribute = table[column]
+
+ case value
+ when ActiveRecord::Relation
+diff --git a/activerecord/test/cases/method_scoping_test.rb b/activerecord/test/cases/method_scoping_test.rb
+index 0ab4f30..ac84306 100644
+--
+1.8.1.1
+
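Review bot: L154–L155 leave a dangling `diff --git a/activerecord/test/cases/method_scoping_test.rb ...` / `index 0ab4f30..ac84306 100644` header with no `---`/`+++` lines and no hunks, apparently left over from splitting upstream 35fc5e6 into a code and a test patch; the diffstat at L124–L126 already lists only the two lib files, so these two lines should be dropped. GNU `patch`, which `%patch2 -p2` uses, is likely to skip them as garbage, but stricter consumers such as `git apply` may reject the file. The substantive change is the removal of `to_sym` on the attribute name at L149–L150 and the `with_indifferent_access` wrapper at L137; the former is the CVE fix (attribute names taken from request parameters no longer create uncollectable Symbols), while the latter keeps callers that index `where_values_hash` by Symbol working now that the keys are Strings. The enclosing `where_values_hash` and `build` methods start outside the hunks.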
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 99adc8e..00e78aa 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -6,7 +6,7 @@ Summary: Implements the ActiveRecord pattern for ORM
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.2.8
-Release: 3%{?dist}
+Release: 4%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -25,6 +25,11 @@ Patch0: rubygem-activerecord-3.2.10-CVE-2012-6496-dynamic_finder_injection.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=892866
Patch1: rubygem-activerecord-3.2.11-CVE-2013-0155-null_array_param.patch
+# CVE-2013-1854
+# https://bugzilla.redhat.com/show_bug.cgi?id=921329
+Patch2: rubygem-activerecord-3.2.13-CVE-2013-1854-attribute_symbols.patch
+Patch3: rubygem-activerecord-3.2.13-CVE-2013-1854-attribute_symbols-test.patch
+
Requires: ruby(abi) = %{rubyabi}
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = %{version}
@@ -68,6 +73,7 @@ gem install --local --install-dir .%{gem_dir} \
pushd .%{gem_instdir}
%patch0 -p2
%patch1 -p2
+%patch2 -p2
popd
%build
@@ -81,6 +87,8 @@ pushd .%{gem_instdir}
tar xzvf %{SOURCE1}
+cat %{PATCH3} | patch -p2
+
# load_path is not available, remove its require.
sed -i '1,2d' test/cases/helper.rb
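Review bot: `cat %{PATCH3} | patch -p2` at L192 is a needless pipe; the conventional form is `patch -p2 < %{PATCH3}`, and since this applies to a freshly unpacked tarball it could also pass `-F0` so that a drifted test patch fails loudly instead of applying with fuzz. As far as I know rpmbuild runs scriptlets with `-e`, and a pipeline's status is that of its last command, so a rejected hunk should already abort %check either way; confirm if that guarantee is relied upon. A one-line comment above it, `# test-only half of the CVE-2013-1854 fix; the tests live in SOURCE1, not the gem`, would explain why this patch is not applied through `%patch` like the others.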
@@ -114,6 +122,9 @@ popd
%changelog
+* Thu Mar 21 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-4
+- Fix for CVE-2013-1854.
+
* Wed Jan 09 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-3
- Fix for CVE-2013-0155.