From 77e9ac72e32525b8320405788a468598c6b84fa8 Mon Sep 17 00:00:00 2001
From: Vít Ondruch
Date: Jun 18 2012 09:45:38 +0000
Subject: Fix for CVE-2012-2695.
---
diff --git a/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch b/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
new file mode 100644
index 0000000..11ed5fb
--- /dev/null
+++ b/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
@@ -0,0 +1,60 @@
+From 176af7eff2e33b331c92febbeda98123da1151f3 Mon Sep 17 00:00:00 2001
+From: Ernie Miller
+Date: Fri, 8 Jun 2012 16:42:01 -0400
+Subject: [PATCH] Additional fix for CVE-2012-2661
+
+While the patched PredicateBuilder in 3.0.13 prevents a user
+from specifying a table name using the `table.column` format,
+it doesn't protect against the nesting of hashes changing the
+table context in the next call to build_from_hash. This fix
+covers this case as well.
+---
+ .../active_record/relation/predicate_builder.rb | 6 +++---
+ activerecord/test/cases/relation/where_test.rb | 6 ++++++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 84e88cf..e74ba73 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -5,17 +5,17 @@ module ActiveRecord
+ @engine = engine
+ end
+
+- def build_from_hash(attributes, default_table, check_column = true)
++ def build_from_hash(attributes, default_table, allow_table_name = true)
+ predicates = attributes.map do |column, value|
+ table = default_table
+
+- if value.is_a?(Hash)
++ if allow_table_name && value.is_a?(Hash)
+ table = Arel::Table.new(column, :engine => @engine)
+ build_from_hash(value, table, false)
+ else
+ column = column.to_s
+
+- if check_column && column.include?('.')
++ if allow_table_name && column.include?('.')
+ table_name, column = column.split('.', 2)
+ table = Arel::Table.new(table_name, :engine => @engine)
+ end
+diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
+index 90c690e..b9eef1d 100644
+--- a/activerecord/test/cases/relation/where_test.rb
++++ b/activerecord/test/cases/relation/where_test.rb
+@@ -11,6 +11,12 @@ module ActiveRecord
+ end
+ end
+
++ def test_where_error_with_hash
++ 
assert_raises(ActiveRecord::StatementInvalid) do
++ Post.where(:id => { :posts => {:author_id => 10} }).first
++ end
++ end
++
+ def test_where_with_table_name
+ post = Post.first
+ assert_equal post, Post.where(:posts => { 'id' => post.id }).first
+--
+1.7.5.4
+
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 8e75344..51f32d9 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -7,7 +7,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.0.11
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -38,6 +38,10 @@ Patch2: activerecord-downgrade-dependencies.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=827363
 Patch3: activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
+# Fixes CVE-2012-2695
+# https://bugzilla.redhat.com/show_bug.cgi?id=831573
+Patch4: activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
+
 Requires: ruby(abi) = %{rubyabi}
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
@@ -85,6 +89,7 @@ pushd ./%{gem_instdir}
 %patch0 -p0
 %patch1 -p0
 %patch3 -p2
+%patch4 -p2
 popd
 pushd .%{gem_dir}
@@ -155,6 +160,9 @@ popd
 %{gem_spec}
 %changelog
+* Mon Jun 18 2012 Vít Ondruch - 1:3.0.11-3
+- Fix for CVE-2012-2695.
+
 * Mon Jun 04 2012 Vít Ondruch - 1:3.0.11-2
 - Fix for CVE-2012-2661.
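Review bot: The rename from `check_column` to `allow_table_name` in the bundled predicate_builder.rb hunk makes one flag gate both the nested-Hash-as-table branch and the `table.column` branch, but nothing in the code says why a Hash value is deliberately pushed into the `else` branch on the recursive call, where it is handled as an ordinary column value by code outside the hunk; the new test only pins the symptom (`ActiveRecord::StatementInvalid`). A maintainer reading `build_from_hash` later could easily "fix" the falsy branch back into a recursion and reopen the table re-scoping issue this patch closes. I would add above the `if allow_table_name && value.is_a?(Hash)` line: `# Only the top-level hash may name a table (a Hash value or a "table.column" key);` / `# once we recurse both forms are disabled so user-supplied keys cannot re-scope the query.` The body of `build_from_hash` continues past the end of this hunk.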
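Review bot: `%patch4 -p2` applies a patch whose second file is `activerecord/test/cases/relation/where_test.rb`, so with `-p2` the build expects `test/cases/relation/where_test.rb` to exist under `%{gem_instdir}`; if the packaged gem does not ship its test tree, `%prep` will fail at that step rather than at the predicate_builder.rb hunk that actually matters. I cannot see Patch3's contents from here to confirm whether it already touches the test tree the same way, so please verify that the gem sources contain that file, or trim Patch4 to the `lib/` hunk and note that in the `# Fixes CVE-2012-2695` comment. Note that the spec still defines Patch2 but applies only `%patch0`, `%patch1`, `%patch3` and the new `%patch4`; that predates this change but is worth a look while touching the `%prep` section.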