[rubygem-activerecord/f19] Fix for CVE-2014-3482

Josef Stribny jstribny at fedoraproject.org
Fri Jul 4 08:21:13 UTC 2014


commit 88f36750e6737853de7b39105620dad1c115b3b6
Author: Josef Stribny <jstribny at redhat.com>
Date:   Thu Jul 3 16:52:07 2014 +0200

    Fix for CVE-2014-3482

 ...cord-3.2.19-CVE-2014-3482-bit-string-test.patch |   19 ++++++++++++++
 ...iverecord-3.2.19-CVE-2014-3482-bit-string.patch |   26 ++++++++++++++++++++
 rubygem-activerecord.spec                          |   19 +++++++++++++-
 3 files changed, 62 insertions(+), 2 deletions(-)
---
diff --git a/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch
new file mode 100644
index 0000000..cb71c72
--- /dev/null
+++ b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch
@@ -0,0 +1,19 @@
+diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+index 172055f..cfdf16d 100644
+--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
++++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+@@ -19,6 +19,11 @@ module ActiveRecord
+           assert_equal 'f', @conn.type_cast(false, nil)
+           assert_equal 'f', @conn.type_cast(false, c)
+         end
++
++        def test_quote_bit_string
++          c = PostgreSQLColumn.new(nil, 1, 'bit')
++          assert_equal nil, @conn.quote("'); SELECT * FORM users; /*\n01\n*/--", c)
++        end
+       end
+     end
+   end
+-- 
+2.0.0
+
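Review bot: The added test_quote_bit_string pins only the rejection path; nothing asserts that a legitimate bit string still quotes correctly, so a regression that made the `when /\A[01]*\Z/` branch unreachable (returning nil for everything) would pass this test. Add positive assertions beside it, e.g. `assert_equal "B'01'", @conn.quote("01", c)` and `assert_equal "X'1F'", @conn.quote("1F", c)`, assuming the column's sql_type 'bit' is what selects the bit-string branch of quote, as the nil expectation here implies. A case with a trailing newline, `@conn.quote("01\n", c)`, would also document whether that input is meant to be accepted or rejected. The enclosing test class starts and ends outside this hunk.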
diff --git a/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch
new file mode 100644
index 0000000..5c84235
--- /dev/null
+++ b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch
@@ -0,0 +1,26 @@
+diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+index e98337e..3cd65d0 100644
+--- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
++++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+@@ -446,8 +446,8 @@ module ActiveRecord
+           when 'xml'   then "xml '#{quote_string(value)}'"
+           when /^bit/
+             case value
+-            when /^[01]*$/      then "B'#{value}'" # Bit-string notation
+-            when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
++            when /\A[01]*\Z/      then "B'#{value}'" # Bit-string notation
++            when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
+             end
+           else
+             super
+@@ -1155,7 +1155,7 @@ module ActiveRecord
+         FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
+ 
+         def exec_no_cache(sql, binds)
+-          @connection.async_exec(sql)
++          @connection.async_exec(sql, [])
+         end
+ 
+         def exec_cache(sql, binds)
+
+
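Review bot: The new anchors use `\Z`, which in Ruby still matches before a single trailing newline, so `"01\n"` satisfies `/\A[01]*\Z/` and is interpolated as `B'01\n'`; `\z` is the true end-of-string anchor that rejects it. Because neither character class admits a quote character, the leftover newline cannot close the literal, so this is a strictness gap rather than a remaining injection, but the cheap change is `when /\A[01]*\z/      then "B'#{value}'"` and `when /\A[0-9A-F]*\z/i then "X'#{value}'"`. The `async_exec(sql, [])` change in the second nested hunk deserves a one-line comment saying why an empty parameter array is passed, since it reads like a no-op; presumably it routes the query through the parameterised protocol, which I would confirm against the pg gem version the package builds with. Both the quote method and the class containing exec_no_cache begin outside this hunk.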
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 1fa1090..6023598 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -5,7 +5,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.2.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -15,6 +15,9 @@ Source0: http://rubygems.org/downloads/activerecord-%{version}.gem
 # git checkout v3.2.13
 # tar czvf activerecord-3.2.13-tests.tgz test/
 Source1: activerecord-%{version}-tests.tgz
+# Fix for CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting
+Patch0: rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch
+Patch1: rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch
 Requires: ruby(release)
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
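Review bot: The patch file names carry 3.2.19 while the package builds %{version} 3.2.13, and the comment on Patch0 does not say where the patches come from or that they are applied to the older tree. A short provenance comment would save the next maintainer a lookup, e.g. `# Backported from the upstream 3.2.19 fix for CVE-2014-3482; file names keep the upstream version`, adjusted if the origin is different. Patch1 has no comment at all; `# Regression test for CVE-2014-3482, applied later in the spec against the unpacked test suite` would match how it is used.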
@@ -53,6 +56,10 @@ Documentation for %{name}
 %setup -q -c -T
 %gem_install -n %{SOURCE0}
 
+pushd .%{gem_instdir}
+%patch0 -p2
+popd
+
 %build
 
 %install
@@ -64,10 +71,14 @@ pushd .%{gem_instdir}
 
 tar xzvf %{SOURCE1}
 
+cat %{PATCH1} | patch -p2
+
 # load_path is not available, remove its require.
 sed -i '1,2d' test/cases/helper.rb
 
-ruby -I.:test:lib << EOF
+# One test fails
+# https://github.com/rails/rails/pull/13291
+ruby -I.:test:lib << EOF |
   test_files = Dir.glob( "test/cases/**/*_test.rb" )
   test_files.reject! { |x| x =~ %r|/adapters/| }
 
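Review bot: Piping the test run into grep (the `<< EOF |` on the ruby line here and the `grep '3366 tests, ...'` line in the next hunk) leaves grep as the only thing writing to stdout, so when the counts drift the build fails with no trace of which test failed or why. Capture the output first and grep the file: `ruby -I.:test:lib << EOF | tee test.log` on this line, and `grep '3366 tests, 10527 assertions, 1 failures, 0 errors, 7 skips' test.log` in the next hunk, which keeps the same pass/fail semantics. Pinning exact counts also means the expected '1 failures' is never matched against the test the linked pull request presumably refers to; a comment naming that test would make a different failure with the same count easier to spot. The `cat %{PATCH1} | patch -p2` line can simply be `patch -p2 < %{PATCH1}`.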
@@ -79,6 +90,7 @@ ruby -I.:test:lib << EOF
 
   test_files.each { |f| require f }
 EOF
+grep '3366 tests, 10527 assertions, 1 failures, 0 errors, 7 skips'
 
 popd
 
@@ -97,6 +109,9 @@ popd
 
 
 %changelog
+* Thu Jul 03 2014 Josef Stribny <jstribny at redhat.com> - 1:3.2.13-2
+- Fix for CVE-2014-3482
+
 * Tue Mar 19 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.13-1
 - Update to ActiveRecord 3.2.13.
 

