[rubygem-activeresource/f17] Fix FTBFS caused by fix for CVE-2013-0156.
Vít Ondruch
vondruch at fedoraproject.org
Thu Jun 13 10:33:07 UTC 2013
commit 22cecaeabbb518e9ffdfe37497a1c329bd2eb087
Author: Vít Ondruch <vondruch at redhat.com>
Date: Thu Jun 13 11:37:52 2013 +0200
Fix FTBFS caused by fix for CVE-2013-0156.
- Resolves: rhbz#973651
...e-3.2.13-Remove-text-for-XML-YAML-parsing.patch | 60 ++++++++++++++++++++
rubygem-activeresource.spec | 11 +++-
2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch b/rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch
new file mode 100644
index 0000000..f0d6325
--- /dev/null
+++ b/rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch
@@ -0,0 +1,60 @@
+From e134e171c201e136ce28dc229cdc61944dc59cf2 Mon Sep 17 00:00:00 2001
+From: Prem Sichanugrist <s at sikac.hu>
+Date: Tue, 8 Jan 2013 19:39:25 -0500
+Subject: [PATCH] Remove test for XML YAML parsing
+
+The support for YAML parsing in XML has been removed from Active Support
+since it introduced an security risk. See 43109ec for more detail.
+---
+ activeresource/test/cases/base_test.rb | 27 -------------
+ 1 files changed, 27 deletions(-)
+
+diff --git a/activeresource/test/cases/base_test.rb b/activeresource/test/cases/base_test.rb
+index 5ef8a51..983f054 100644
+--- a/activeresource/test/cases/base_test.rb
++++ b/activeresource/test/cases/base_test.rb
+@@ -53,25 +53,11 @@
+ :children => [{:name => 'Natacha'}]},
+ {:name => 'Milena',
+ :children => []}]}]}.to_xml(:root => 'customer')
+- # - resource with yaml array of strings; for ARs using serialize :bar, Array
+- @marty = <<-eof.strip
+- <?xml version=\"1.0\" encoding=\"UTF-8\"?>
+- <person>
+- <id type=\"integer\">5</id>
+- <name>Marty</name>
+- <colors type=\"yaml\">---
+- - \"red\"
+- - \"green\"
+- - \"blue\"
+- </colors>
+- </person>
+- eof
+
+ ActiveResource::HttpMock.respond_to do |mock|
+ mock.get "/people/1.xml", {}, @matz
+ mock.get "/people/2.xml", {}, @david
+ mock.get "/people/6.json", {}, @joe
+- mock.get "/people/5.xml", {}, @marty
+ mock.get "/people/Greg.xml", {}, @greg
+ mock.get "/people/4.xml", {'key' => 'value'}, nil, 404
+ mock.put "/people/1.xml", {}, nil, 204
+@@ -1109,14 +1095,4 @@
+ end
+ end
+ end
+-
+- def test_load_yaml_array
+- assert_nothing_raised do
+- marty = Person.find(5)
+- assert_equal 3, marty.colors.size
+- marty.colors.each do |color|
+- assert_kind_of String, color
+- end
+- end
+- end
+ end
+
+--
+1.8.1.6
+
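Review bot: the header of the embedded patch no longer matches its body. The diffstat says "27 deletions", but the two hunks in base_test.rb remove 24 lines (13 + 1 + 10), so the upstream commit appears to have been adapted by hand without regenerating the header. patch(1) ignores the diffstat, so this is harmless at build time, but a one-line note under the "---" saying the patch was adapted for this package would tell the next maintainer that it is not a verbatim copy of e134e171. The file name also says "Remove-text" where the Subject says "Remove test"; renaming it now is cheaper than carrying the typo in the spec.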
diff --git a/rubygem-activeresource.spec b/rubygem-activeresource.spec
index 85e236c..ce8030b 100644
--- a/rubygem-activeresource.spec
+++ b/rubygem-activeresource.spec
@@ -7,7 +7,7 @@ Summary: Active Record for web resources
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.0.11
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -33,6 +33,10 @@ Patch0: activeresource-rakefile-fix.patch
# dependency on a file in the greater rails proj
Patch1: activeresource-tests-fix.patch
+# Remove test for XML YAML parsing disabled due to CVE-2013-0156
+# https://github.com/rails/rails/commit/e134e171c201e136ce28dc229cdc61944dc59cf2
+Patch2: rubygem-activeresource-3.2.13-Remove-text-for-XML-YAML-parsing.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = %{version}
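Review bot: the Patch2 file name carries 3.2.13 while this spec has Version: 3.0.11, and the comment above it does not say that the patch is a backport. Suggest extending the comment to state that the upstream commit was adapted to 3.0.11 and that Patch2 can be dropped once the package is rebased to a release that already contains the commit. The link to the upstream commit is useful and should stay.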
@@ -67,6 +71,7 @@ tar xzvf %{SOURCE2} -C .%{gem_instdir}
pushd ./%{gem_instdir}
%patch0 -p0
%patch1 -p0
+%patch2 -p2
popd
%build
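Review bot: `%patch2 -p2` uses a different strip level from `%patch0 -p0` and `%patch1 -p0` with no explanation. The paths in the embedded patch are a/activeresource/test/cases/base_test.rb, so -p2 leaves test/cases/base_test.rb relative to the directory entered by the pushd, which is correct. A short comment on that line saying the patch is in upstream git format would stop someone from "fixing" it to -p0 later.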
@@ -114,6 +119,10 @@ popd
%changelog
+* Thu Jun 13 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.0.11-2
+- Fix FTBFS caused by fix for CVE-2013-0156.
+ - Resolves: rhbz#973651
+
* Wed Jan 25 2012 Bohuslav Kabrda <bkabrda at redhat.com> - 1:3.0.11-1
- Rebuilt for Ruby 1.9.3.
- Update to ActiveResource 3.0.11
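Review bot: the new %changelog entry names the CVE but not what actually changed. Going by the Patch2 comment, the only change is dropping the test for XML YAML parsing so that the test suite passes again; no runtime code in this package is touched. Suggest saying so in the entry, for example "Remove test for XML YAML parsing, which was disabled by the fix for CVE-2013-0156", so that nobody reading the changelog takes this build for the security fix itself.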