[rubygem-activerecord/f20] Fix CVE-2014-3483 regression

Josef Stribny jstribny at fedoraproject.org
Wed Jul 9 14:22:09 UTC 2014


commit a93a4ccec4f60d6de0a8faf3f684b2032445b988
Author: Josef Stribny <jstribny at redhat.com>
Date:   Wed Jul 9 16:22:09 2014 +0200

    Fix CVE-2014-3483 regression

 ...cord-4.0.8-CVE-2014-3483-range-regression.patch |   74 ++++++++++++++++++++
 rubygem-activerecord.spec                          |    8 ++-
 2 files changed, 81 insertions(+), 1 deletions(-)
---
diff --git a/rubygem-activerecord-4.0.8-CVE-2014-3483-range-regression.patch b/rubygem-activerecord-4.0.8-CVE-2014-3483-range-regression.patch
new file mode 100644
index 0000000..4a7a803
--- /dev/null
+++ b/rubygem-activerecord-4.0.8-CVE-2014-3483-range-regression.patch
@@ -0,0 +1,74 @@
+From c1156bfc43dd90e89acb8ffdd4e844f4e4e404ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfranca at gmail.com>
+Date: Wed, 2 Jul 2014 15:15:21 -0300
+Subject: [PATCH] Make sure range strings are quoted after we quote the range.
+
+---
+ .../connection_adapters/postgresql/quoting.rb      |  2 +-
+ .../test/cases/adapters/postgresql/quoting_test.rb |  2 +-
+ .../test/cases/adapters/postgresql/range_test.rb   | 26 ++++++++++++++++++++++
+ 3 files changed, 28 insertions(+), 2 deletions(-)
+ create mode 100644 activerecord/test/cases/adapters/postgresql/range_test.rb
+
+diff --git a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
+index 06b6478..1b5109a 100644
+--- a/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
++++ b/activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
+@@ -24,7 +24,7 @@ module ActiveRecord
+           when Range
+             if /range$/ =~ sql_type
+               escaped = quote_string(PostgreSQLColumn.range_to_string(value))
+-              "#{escaped}::#{sql_type}"
++              "'#{escaped}'::#{sql_type}"
+             else
+               super
+             end
+diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+index 0cafb63..488cd61 100644
+--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
++++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+@@ -56,7 +56,7 @@ module ActiveRecord
+         def test_quote_range
+           range = "1,2]'; SELECT * FROM users; --".."a"
+           c = PostgreSQLColumn.new(nil, nil, OID::Range.new(:integer), 'int8range')
+-          assert_equal "[1,2]''; SELECT * FROM users; --,a]::int8range", @conn.quote(range, c)
++          assert_equal "'[1,2]''; SELECT * FROM users; --,a]'::int8range", @conn.quote(range, c)
+         end
+       end
+     end
+diff --git a/activerecord/test/cases/adapters/postgresql/range_test.rb b/activerecord/test/cases/adapters/postgresql/range_test.rb
+new file mode 100644
+index 0000000..d16f990
+--- /dev/null
++++ b/activerecord/test/cases/adapters/postgresql/range_test.rb
+@@ -0,0 +1,26 @@
++require "cases/helper"
++
++if ActiveRecord::Base.connection.supports_ranges?
++  class PostgresqlRange < ActiveRecord::Base
++    self.table_name = "postgresql_ranges"
++  end
++
++  class PostgresqlRangeTest < ActiveRecord::TestCase
++    test "update_all with ranges" do
++      PostgresqlRange.create!
++
++      PostgresqlRange.update_all(int8_range: 1..100)
++
++      assert_equal 1...101, PostgresqlRange.first.int8_range
++    end
++
++    test "ranges correctly escape input" do
++      e = assert_raises(ActiveRecord::StatementInvalid) do
++        range = "1,2]'; SELECT * FROM users; --".."a"
++        PostgresqlRange.update_all(int8_range: range)
++      end
++
++      assert e.message.starts_with?("PG::InvalidTextRepresentation")
++    end
++  end
++end
+-- 
+2.0.0
+
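Review bot: The added outer quotes in `"'#{escaped}'::#{sql_type}"` are only as safe as `quote_string`'s escaping, and the single payload exercised in both quoting_test.rb and range_test.rb contains a `'` but no backslash; a second case with a backslash-quote bound (`"1,2]\\'; SELECT 1; --".."a"`) would pin the behaviour under `standard_conforming_strings = off`, where a bare backslash can otherwise alter literal parsing. The range_test.rb assertion `e.message.starts_with?("PG::InvalidTextRepresentation")` couples the test to the pg gem's message prefix rather than to an exception class, so it will break on a message-format change without any security regression; if this Rails version exposes the underlying PG error, asserting on that class would be more robust. `sql_type` is still interpolated unquoted into the cast; it comes from the column definition rather than the value, which is presumably why that is acceptable, but a one-line comment such as `# sql_type is the schema-declared column type, never user data` would save the next reader the check. The `case` in `quote` starts and ends outside the hunk.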
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 28bbf3f..77fbd5e 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -5,7 +5,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 4.0.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -22,6 +22,8 @@ Patch0: rubygem-activerecord-4.0.3-CVE-2014-0080-PostgreSQL.patch
 Patch1: rubygem-activerecord-sqlite-3.2.8-test.patch
 # Fix for CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting
 Patch2: rubygem-activerecord-4.0.7-CVE-2014-3483-range.patch
+# Fix for CVE-2014-3483 introduced regression (from v4.0.8)
+Patch3: rubygem-activerecord-4.0.8-CVE-2014-3483-range-regression.patch
 Requires: ruby(release)
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
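Review bot: The new `Patch3:` comment records only "from v4.0.8"; for a backport onto a 4.0.0 base it should also name the upstream commit so the patch can be matched to its source during a supply-chain audit, e.g. `# Fix for CVE-2014-3483 introduced regression (upstream c1156bfc43dd90e89acb8ffdd4e844f4e4e404ca, released in v4.0.8)`. The embedded patch's hunk headers carry 4.0.8 line numbers, so applying it to 4.0.0 presumably relies on patch offset/fuzz; it is worth confirming in the build log that all three files apply cleanly, including the two test files under activerecord/test, which only exist if the tarball unpacked before the patches include them.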
@@ -69,6 +71,7 @@ tar xzvf %{SOURCE1}
 %patch0 -p1
 %patch1 -p1
 %patch2 -p2
+%patch3 -p2
 popd
 
 %build
@@ -114,6 +117,9 @@ popd
 
 
 %changelog
+* Wed Jul 09 2014 Josef Stribny <jstribny at redhat.com> - 1:4.0.0-4
+- Fix CVE-2014-3483 regression
+
 * Thu Jul 03 2014 Josef Stribny <jstribny at redhat.com> - 1:4.0.0-3
 - Fix CVE-2014-3483
 

