[rubygem-activeresource/f18] Fix FTBFS caused by fix for CVE-2013-0156.
Vít Ondruch
vondruch at fedoraproject.org
Thu Jun 13 10:10:51 UTC 2013
commit 543c6cd46121a0bf1ccdd08b371efa6a0d884f3d
Author: Vít Ondruch <vondruch at redhat.com>
Date: Thu Jun 13 11:37:52 2013 +0200
Fix FTBFS caused by fix for CVE-2013-0156.
- Resolves: rhbz#973651
...e-3.2.13-Remove-text-for-XML-YAML-parsing.patch | 71 ++++++++++++++++++++
rubygem-activeresource.spec | 12 +++-
2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch b/rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch
new file mode 100644
index 0000000..42a7cf6
--- /dev/null
+++ b/rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch
@@ -0,0 +1,71 @@
+From e134e171c201e136ce28dc229cdc61944dc59cf2 Mon Sep 17 00:00:00 2001
+From: Prem Sichanugrist <s at sikac.hu>
+Date: Tue, 8 Jan 2013 19:39:25 -0500
+Subject: [PATCH] Remove test for XML YAML parsing
+
+The support for YAML parsing in XML has been removed from Active Support
+since it introduced an security risk. See 43109ec for more detail.
+---
+ activeresource/test/abstract_unit.rb | 14 --------------
+ activeresource/test/cases/base_test.rb | 13 -------------
+ 2 files changed, 27 deletions(-)
+
+diff --git a/activeresource/test/abstract_unit.rb b/activeresource/test/abstract_unit.rb
+index 9c1e9a5..583fd2a 100644
+--- a/activeresource/test/abstract_unit.rb
++++ b/activeresource/test/abstract_unit.rb
+@@ -77,19 +77,6 @@ def setup_response
+ }]
+ }
+ }.to_json
+- # - resource with yaml array of strings; for ARs using serialize :bar, Array
+- @marty = <<-eof.strip
+- <?xml version=\"1.0\" encoding=\"UTF-8\"?>
+- <person>
+- <id type=\"integer\">5</id>
+- <name>Marty</name>
+- <colors type=\"yaml\">---
+- - \"red\"
+- - \"green\"
+- - \"blue\"
+- </colors>
+- </person>
+- eof
+
+ @startup_sound = {
+ :sound => {
+@@ -101,7 +88,6 @@ def setup_response
+ mock.get "/people/1.json", {}, @matz
+ mock.get "/people/1.xml", {}, @matz_xml
+ mock.get "/people/2.xml", {}, @david
+- mock.get "/people/5.xml", {}, @marty
+ mock.get "/people/Greg.json", {}, @greg
+ mock.get "/people/6.json", {}, @joe
+ mock.get "/people/4.json", { 'key' => 'value' }, nil, 404
+diff --git a/activeresource/test/cases/base_test.rb b/activeresource/test/cases/base_test.rb
+index 5ef8a51..983f054 100644
+--- a/activeresource/test/cases/base_test.rb
++++ b/activeresource/test/cases/base_test.rb
+@@ -1077,19 +1077,6 @@ def test_parse_deep_nested_resources
+ end
+ end
+
+- def test_load_yaml_array
+- assert_nothing_raised do
+- Person.format = :xml
+- marty = Person.find(5)
+- assert_equal 3, marty.colors.size
+- marty.colors.each do |color|
+- assert_kind_of String, color
+- end
+- end
+- ensure
+- Person.format = :json
+- end
+-
+ def test_with_custom_formatter
+ addresses = [{ :id => "1", :street => "1 Infinite Loop", :city => "Cupertino", :state => "CA" }].to_xml(:root => :addresses)
+
+--
+1.8.1.6
+
diff --git a/rubygem-activeresource.spec b/rubygem-activeresource.spec
index 0f12d63..af167c2 100644
--- a/rubygem-activeresource.spec
+++ b/rubygem-activeresource.spec
@@ -7,7 +7,7 @@ Summary: Active Record for web resources
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.2.8
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -22,6 +22,10 @@ Source0: http://rubygems.org/downloads/activeresource-%{version}.gem
# tar czvf activeresource-3.2.8-tests.tgz test/
Source1: activeresource-%{version}-tests.tgz
+# Remove test for XML YAML parsing disabled due to CVE-2013-0156
+# https://github.com/rails/rails/commit/e134e171c201e136ce28dc229cdc61944dc59cf2
+Patch0: rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch
+
# Let's keep Requires and BuildRequires sorted alphabeticaly
Requires: ruby(abi) = %{rubyabi}
Requires: ruby(rubygems)
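Review bot: The comment above `Patch0` is ambiguous about what was disabled, and it does not say that the patch touches only test files. Something like `# Test-only: drop the YAML-in-XML test; the CVE-2013-0156 fix removed that parsing from Active Support, so it can no longer pass.` would tell an auditor at a glance that no shipped code changes. The patch file name also says "Remove-text" where the upstream subject is "Remove test", and it carries 3.2.13 while `Version` is 3.2.8, so a brief note that this is a backport of the referenced upstream commit would help.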
@@ -79,6 +83,8 @@ done
pushd .%{gem_instdir}
tar xzvf %{SOURCE1}
+cat %{PATCH0} | patch -p2
+
# load_path is not available, remove its require.
sed -i '1,+1d' test/abstract_unit.rb
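Review bot: `cat %{PATCH0} | patch -p2` runs with patch's default fuzz, and the patch file name suggests it was generated against 3.2.13 while the tarball unpacked above is 3.2.8, so a drifted hunk could be applied at a nearby location without failing the build. I would write `patch -p2 --fuzz=0 < %{PATCH0}`, which also drops the extra `cat`. Because the patch removes the test that exercised `type="yaml"` XML, a passing suite no longer indicates whether the installed Active Support has the CVE-2013-0156 fix; if this branch needs that guarantee, a versioned dependency on the fixed activesupport build would make it explicit. The scriptlet this hunk belongs to starts and ends outside the hunk.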
@@ -99,6 +105,10 @@ popd
%doc %{gem_instdir}/README.rdoc
%changelog
+* Thu Jun 13 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-2
+- Fix FTBFS caused by fix for CVE-2013-0156.
+ - Resolves: rhbz#973651
+
* Mon Aug 13 2012 Vít Ondruch <vondruch at redhat.com> - 1:3.2.8-1
- Update to ActiveResource 3.2.8.