[rubygem-activerecord/f19] Fix for CVE-2014-3482
Josef Stribny
jstribny at fedoraproject.org
Fri Jul 4 08:21:13 UTC 2014
commit 88f36750e6737853de7b39105620dad1c115b3b6
Author: Josef Stribny <jstribny at redhat.com>
Date: Thu Jul 3 16:52:07 2014 +0200
Fix for CVE-2014-3482
...cord-3.2.19-CVE-2014-3482-bit-string-test.patch | 19 ++++++++++++++
...iverecord-3.2.19-CVE-2014-3482-bit-string.patch | 26 ++++++++++++++++++++
rubygem-activerecord.spec | 19 +++++++++++++-
3 files changed, 62 insertions(+), 2 deletions(-)
---
diff --git a/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch
new file mode 100644
index 0000000..cb71c72
--- /dev/null
+++ b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch
@@ -0,0 +1,19 @@
+diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+index 172055f..cfdf16d 100644
+--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
++++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+@@ -19,6 +19,11 @@ module ActiveRecord
+ assert_equal 'f', @conn.type_cast(false, nil)
+ assert_equal 'f', @conn.type_cast(false, c)
+ end
++
++ def test_quote_bit_string
++ c = PostgreSQLColumn.new(nil, 1, 'bit')
++ assert_equal nil, @conn.quote("'); SELECT * FORM users; /*\n01\n*/--", c)
++ end
+ end
+ end
+ end
+--
+2.0.0
+
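Review bot: The new test only exercises the bit-string branch of the `case` in `quote`; the hexadecimal branch received the same anchor change in the companion patch but gets no regression coverage here. A second assertion with a hex-looking payload carrying embedded newlines would pin that path too, e.g. `assert_equal nil, @conn.quote("'); SELECT 1; /*\nAB\n*/--", c)`. The `FORM` typo in the payload is harmless, since the string is only ever expected to be rejected, but `FROM` reads less like an accident. `test_quote_bit_string` is complete within the hunk; the enclosing test class starts and ends outside it.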
diff --git a/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch
new file mode 100644
index 0000000..5c84235
--- /dev/null
+++ b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch
@@ -0,0 +1,26 @@
+diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+index e98337e..3cd65d0 100644
+--- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
++++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+@@ -446,8 +446,8 @@ module ActiveRecord
+ when 'xml' then "xml '#{quote_string(value)}'"
+ when /^bit/
+ case value
+- when /^[01]*$/ then "B'#{value}'" # Bit-string notation
+- when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
++ when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation
++ when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
+ end
+ else
+ super
+@@ -1155,7 +1155,7 @@ module ActiveRecord
+ FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
+
+ def exec_no_cache(sql, binds)
+- @connection.async_exec(sql)
++ @connection.async_exec(sql, [])
+ end
+
+ def exec_cache(sql, binds)
+
+
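Review bot: `\Z` still matches before a single trailing newline, so a value such as `"01\n"` passes `/\A[01]*\Z/` and is emitted as `B'01\n'`; the exact end-of-string anchor is `\z`, i.e. `when /\A[01]*\z/ then "B'#{value}'"` and `when /\A[0-9A-F]*\z/i then "X'#{value}'"`. This is not a remaining quote-escape (no `'` can get through either pattern), so it is hardening rather than an open injection, but it lets a malformed literal reach the server instead of being rejected in the adapter. The second inner hunk passes an empty params array to `async_exec`, which as I understand the pg gem switches to the extended query protocol and makes the server refuse multi-statement strings — that intent deserves a one-line comment, e.g. `# pass a params array so pg uses the extended protocol, which rejects multiple statements`, since `binds` itself is still unused there. Both `quote` and `exec_no_cache` extend beyond the hunk.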
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 1fa1090..6023598 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -5,7 +5,7 @@ Summary: Implements the ActiveRecord pattern for ORM
Name: rubygem-%{gem_name}
Epoch: 1
Version: 3.2.13
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Development/Languages
License: MIT
URL: http://www.rubyonrails.org
@@ -15,6 +15,9 @@ Source0: http://rubygems.org/downloads/activerecord-%{version}.gem
# git checkout v3.2.13
# tar czvf activerecord-3.2.13-tests.tgz test/
Source1: activerecord-%{version}-tests.tgz
+# Fix for CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting
+Patch0: rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch
+Patch1: rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch
Requires: ruby(release)
Requires: ruby(rubygems)
Requires: rubygem(activesupport) = %{version}
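Review bot: The comment above `Patch0` describes both patches as the CVE fix, but `Patch1` is the regression test and is not applied with `%patch1` in `%prep`; it is piped through `patch` later, on the test tarball unpacked in `%check`. A reader looking for where `Patch1` is used will not find it next to `%patch0`, so a comment here would help, e.g. `# Regression test for CVE-2014-3482; applied in %check on the unpacked test tarball, not in %prep`.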
@@ -53,6 +56,10 @@ Documentation for %{name}
%setup -q -c -T
%gem_install -n %{SOURCE0}
+pushd .%{gem_instdir}
+%patch0 -p2
+popd
+
%build
%install
@@ -64,10 +71,14 @@ pushd .%{gem_instdir}
tar xzvf %{SOURCE1}
+cat %{PATCH1} | patch -p2
+
# load_path is not available, remove its require.
sed -i '1,2d' test/cases/helper.rb
-ruby -I.:test:lib << EOF
+# One test fails
+# https://github.com/rails/rails/pull/13291
+ruby -I.:test:lib << EOF |
test_files = Dir.glob( "test/cases/**/*_test.rb" )
test_files.reject! { |x| x =~ %r|/adapters/| }
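Review bot: The regression test added by `%{PATCH1}` lives in `test/cases/adapters/postgresql/quoting_test.rb`, which the existing filter `test_files.reject! { |x| x =~ %r|/adapters/| }` drops, so `%check` never runs `test_quote_bit_string` and the patch is applied only to be skipped. If adapter tests are excluded because no PostgreSQL server is available at build time that is understandable, but then a comment should say so, e.g. `# adapter tests (incl. the CVE-2014-3482 regression test) need a live DB and are not run here`. Note also that the trailing `|` sends the heredoc's output into a pipeline, so ruby's own exit status no longer gates the build; whatever follows the pipe is the only check.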
@@ -79,6 +90,7 @@ ruby -I.:test:lib << EOF
test_files.each { |f| require f }
EOF
+grep '3366 tests, 10527 assertions, 1 failures, 0 errors, 7 skips'
popd
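Review bot: Comparing the whole summary line means any change in the number of tests, assertions or skips fails the build even when nothing is broken, while a single different failure still passes because only the count is compared. A tighter gate would accept `0 errors` and `1 failures` and additionally grep that the one failure is the known test from rails/rails#13291, so a new failure introduced by the quoting change cannot hide behind the expected one. Since the pipe discards ruby's exit status, this grep is the sole gate for `%check`.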
@@ -97,6 +109,9 @@ popd
%changelog
+* Thu Jul 03 2014 Josef Stribny <jstribny at redhat.com> - 1:3.2.13-2
+- Fix for CVE-2014-3482
+
* Tue Mar 19 2013 Vít Ondruch <vondruch at redhat.com> - 1:3.2.13-1
- Update to ActiveRecord 3.2.13.