[rubygem-activerecord/f20] Fix for CVE-2014-3483

Josef Stribny jstribny at fedoraproject.org
Thu Jul 3 13:35:52 UTC 2014


commit ba6017dc17adf73eb6028441e8d1f00be52f3330
Author: Josef Stribny <jstribny at redhat.com>
Date:   Thu Jul 3 15:35:28 2014 +0200

    Fix for CVE-2014-3483

 ...em-activerecord-4.0.7-CVE-2014-3483-range.patch |   71 ++++++++++++++++++++
 rubygem-activerecord.spec                          |    8 ++-
 2 files changed, 78 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activerecord-4.0.7-CVE-2014-3483-range.patch b/rubygem-activerecord-4.0.7-CVE-2014-3483-range.patch
new file mode 100644
index 0000000..e6165d0
--- /dev/null
+++ b/rubygem-activerecord-4.0.7-CVE-2014-3483-range.patch
@@ -0,0 +1,71 @@
+From 37d5e2cf429f6be937aeab1cf940ebc6e6c6d290 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfranca at gmail.com>
+Date: Thu, 5 Jun 2014 14:08:40 -0300
+Subject: [PATCH] Fix SQL injection when querying against ranges and bitstrings
+
+Fix CVE-2014-3483 and protect against CVE-2014-3482.
+---
+ .../lib/active_record/connection_adapters/postgresql/quoting.rb    | 7 ++++---
+ .../lib/active_record/connection_adapters/postgresql_adapter.rb    | 2 +-
+ activerecord/test/cases/adapters/postgresql/quoting_test.rb        | 6 ++++++
+ 3 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
+index 7efdd8a..06b6478 100644
+--- a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
++++ b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
+@@ -21,7 +21,8 @@ module ActiveRecord
+           case value
+           when Range
+             if /range$/ =~ sql_type
+-              "'#{PostgreSQLColumn.range_to_string(value)}'::#{sql_type}"
++              escaped = quote_string(PostgreSQLColumn.range_to_string(value))
++              "#{escaped}::#{sql_type}"
+             else
+               super
+             end
+@@ -70,8 +71,8 @@ module ActiveRecord
+             when 'xml'   then "xml '#{quote_string(value)}'"
+             when /^bit/
+               case value
+-              when /^[01]*$/      then "B'#{value}'" # Bit-string notation
+-              when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
++              when /\A[01]*\Z/      then "B'#{value}'" # Bit-string notation
++              when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
+               end
+             else
+               super
+diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+index 9ac5af8..6bb0957 100644
+--- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
++++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+@@ -765,7 +765,7 @@ module ActiveRecord
+         FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
+ 
+         def exec_no_cache(sql, binds)
+-          @connection.async_exec(sql)
++          @connection.async_exec(sql, [])
+         end
+ 
+         def exec_cache(sql, binds)
+diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+index b342964..0cafb63 100644
+--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
++++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+@@ -52,6 +52,12 @@ module ActiveRecord
+           c = Column.new(nil, nil, 'text')
+           assert_equal "'666'", @conn.quote(fixnum, c)
+         end
++
++        def test_quote_range
++          range = "1,2]'; SELECT * FROM users; --".."a"
++          c = PostgreSQLColumn.new(nil, nil, OID::Range.new(:integer), 'int8range')
++          assert_equal "[1,2]''; SELECT * FROM users; --,a]::int8range", @conn.quote(range, c)
++        end
+       end
+     end
+   end
+-- 
+2.0.0
+
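Review bot: The new line `"#{escaped}::#{sql_type}"` drops the single quotes that the removed line kept around the range text, so `quote_string`'s doubling of `'` is applied to a value that is no longer inside a string literal, and the output the new test pins (`[1,2]''; SELECT * FROM users; --,a]::int8range`) is not a valid quoted literal for an int8range cast. The line should read `"'#{escaped}'::#{sql_type}"` and the test expectation `"'[1,2]''; SELECT * FROM users; --,a]'::int8range"`. In the bitstring hunk, `\Z` still matches before a trailing newline, so a value such as `"0101\n"` passes the whitelist and is interpolated into `B'...'`; `\z` is the strict end-of-string anchor and is the one a validation regex should use. The embedded patch is dated almost a month before this commit and its file name says 4.0.7 while the spec builds 4.0.0, so it is worth checking upstream 4-0-stable for a follow-up to this fix and confirming that the `exec_no_cache` hunk (context at line 765) applies cleanly to the 4.0.0 tree.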
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index c90a5d4..28bbf3f 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -5,7 +5,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 4.0.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -20,6 +20,8 @@ Patch0: rubygem-activerecord-4.0.3-CVE-2014-0080-PostgreSQL.patch
 # Fix SQlite 3.2.8 tests
 # https://github.com/rails/rails/pull/13291
 Patch1: rubygem-activerecord-sqlite-3.2.8-test.patch
+# Fix for CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting
+Patch2: rubygem-activerecord-4.0.7-CVE-2014-3483-range.patch
 Requires: ruby(release)
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
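Review bot: The comment above `Patch2:` names only CVE-2014-3483, but the embedded patch's subject states it also protects against CVE-2014-3482 (the bitstring regex anchoring and the `async_exec(sql, [])` change in `exec_no_cache`), so the spec under-records what the patch changes. Suggest `# Fix CVE-2014-3483 (SQL injection via 'range' quoting) and harden against CVE-2014-3482 (bitstring quoting) in the PostgreSQL adapter`, and the same wording in the changelog entry so both CVE ids are searchable in the package history.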
@@ -66,6 +68,7 @@ pushd .%{gem_instdir}
 tar xzvf %{SOURCE1}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p2
 popd
 
 %build
@@ -111,6 +114,9 @@ popd
 
 
 %changelog
+* Thu Jul 03 2014 Josef Stribny <jstribny at redhat.com> - 1:4.0.0-3
+- Fix CVE-2014-3483
+
 * Wed Feb 26 2014 Josef Stribny <jstribny at redhat.com> - 1:4.0.0-2
 - Fix CVE-2014-0080: PostgreSQL array data injection vulnerability
 - Fix SQLite tests

