From 88f36750e6737853de7b39105620dad1c115b3b6 Mon Sep 17 00:00:00 2001
From: Josef Stribny
Date: Jul 03 2014 14:52:07 +0000
Subject: Fix for CVE-2014-3482
---
diff --git a/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch
new file mode 100644
index 0000000..cb71c72
--- /dev/null
+++ b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch
@@ -0,0 +1,19 @@
+diff --git a/activerecord/test/cases/adapters/postgresql/quoting_test.rb b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+index 172055f..cfdf16d 100644
+--- a/activerecord/test/cases/adapters/postgresql/quoting_test.rb
++++ b/activerecord/test/cases/adapters/postgresql/quoting_test.rb
+@@ -19,6 +19,11 @@ module ActiveRecord
+ assert_equal 'f', @conn.type_cast(false, nil)
+ assert_equal 'f', @conn.type_cast(false, c)
+ end
++
++ def test_quote_bit_string
++ c = PostgreSQLColumn.new(nil, 1, 'bit')
++ assert_equal nil, @conn.quote("'); SELECT * FORM users; /*\n01\n*/--", c)
++ end
+ end
+ end
+ end
+-- 
+2.0.0
+
diff --git a/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch
new file mode 100644
index 0000000..5c84235
--- /dev/null
+++ b/rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch
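Review bot: The new test_quote_bit_string in the nested quoting_test.rb hunk exercises only the bit-notation branch of the quoting code, while the companion fix re-anchors both the `B'…'` and the hexadecimal `X'…'` patterns; a second assertion on the same `'bit'` column with hexadecimal digits in place of `01` in the payload would pin the other branch as well. `assert_equal nil, …` works on the minitest this Rails line ships with, but `assert_nil` states the intent more directly. The enclosing test class and module begin outside the hunk.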
@@ -0,0 +1,26 @@
+diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+index e98337e..3cd65d0 100644
+--- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
++++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+@@ -446,8 +446,8 @@ module ActiveRecord
+ when 'xml' then "xml '#{quote_string(value)}'"
+ when /^bit/
+ case value
+- when /^[01]*$/ then "B'#{value}'" # Bit-string notation
+- when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
++ when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation
++ when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
+ end
+ else
+ super
+@@ -1155,7 +1155,7 @@ module ActiveRecord
+ FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
+
+ def exec_no_cache(sql, binds)
+- @connection.async_exec(sql)
++ @connection.async_exec(sql, [])
+ end
+
+ def exec_cache(sql, binds)
+
+
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 1fa1090..6023598 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -5,7 +5,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gem_name}
 Epoch: 1
 Version: 3.2.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -15,6 +15,9 @@ Source0: http://rubygems.org/downloads/activerecord-%{version}.gem
 # git checkout v3.2.13
 # tar czvf activerecord-3.2.13-tests.tgz test/
 Source1: activerecord-%{version}-tests.tgz
+# Fix for CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting
+Patch0: rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string.patch
+Patch1: rubygem-activerecord-3.2.19-CVE-2014-3482-bit-string-test.patch
 Requires: ruby(release)
 Requires: ruby(rubygems)
 Requires: rubygem(activesupport) = %{version}
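Review bot: The re-anchored patterns `/\A[01]*\Z/` and `/\A[0-9A-F]*\Z/i` in the nested postgresql_adapter.rb hunk use `\Z`, which in Ruby also matches just before one trailing newline, so a value ending in `\n` is still accepted and that newline is interpolated into the `B'…'`/`X'…'` literal; it stays inside the quotes, so this is not the multi-statement injection the CVE describes, but `\z` (`when /\A[01]*\z/` and `when /\A[0-9A-F]*\z/i`) is the strict end-of-string anchor that "the whole value is digits" actually calls for. The second nested hunk's `@connection.async_exec(sql, [])` carries no comment on why an empty params array is now passed; presumably it makes the pg driver send the query through the extended query protocol, which accepts a single statement per call — confirm against the pg gem and record it, e.g. `# Empty params array: send via the extended query protocol, which rejects multi-statement strings`. The method containing the `case value` statement begins and ends outside the hunk.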
@@ -53,6 +56,10 @@ Documentation for %{name} %setup -q -c -T %gem_install -n %{SOURCE0} +pushd .%{gem_instdir} +%patch0 -p2 +popd + %build %install @@ -64,10 +71,14 @@ pushd .%{gem_instdir} tar xzvf %{SOURCE1} +cat %{PATCH1} | patch -p2 + # load_path is not available, remove its require. sed -i '1,2d' test/cases/helper.rb -ruby -I.:test:lib << EOF +# One test fails +# https://github.com/rails/rails/pull/13291 +ruby -I.:test:lib << EOF | test_files = Dir.glob( "test/cases/**/*_test.rb" ) test_files.reject! { |x| x =~ %r|/adapters/| } @@ -79,6 +90,7 @@ ruby -I.:test:lib << EOF test_files.each { |f| require f } EOF +grep '3366 tests, 10527 assertions, 1 failures, 0 errors, 7 skips' popd @@ -97,6 +109,9 @@ popd %changelog +* Thu Jul 03 2014 Josef Stribny - 1:3.2.13-2 +- Fix for CVE-2014-3482 + * Tue Mar 19 2013 Vít Ondruch - 1:3.2.13-1 - Update to ActiveRecord 3.2.13.
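Review bot: The regression test added by Patch1 is applied in %check with `cat %{PATCH1} | patch -p2` but never executed, because the test list in the same hunk keeps `test_files.reject! { |x| x =~ %r|/adapters/| }` and the patched file lives under test/cases/adapters/postgresql/. Presumably the adapter tests are skipped because they need a live PostgreSQL, but then applying the patch only proves it still applies cleanly, which is worth saying next to the `cat` line, e.g. `# Patch1 touches an adapter test that this %check never runs; applied so it stays in sync with Patch0`. The `grep '3366 tests, 10527 assertions, 1 failures, 0 errors, 7 skips'` gate in the following hunk also passes for any single failing test, not only the one referenced by the rails PR comment, so a different regression could hide behind identical counts. Since the ruby run now feeds a pipeline, its own exit status is never checked; the grep is the only gate.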