diff --git a/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch b/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
new file mode 100644
index 0000000..11ed5fb
--- /dev/null
+++ b/activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
@@ -0,0 +1,60 @@
+From 176af7eff2e33b331c92febbeda98123da1151f3 Mon Sep 17 00:00:00 2001
+From: Ernie Miller
+Date: Fri, 8 Jun 2012 16:42:01 -0400
+Subject: [PATCH] Additional fix for CVE-2012-2661
+
+While the patched PredicateBuilder in 3.0.13 prevents a user
+from specifying a table name using the `table.column` format,
+it doesn't protect against the nesting of hashes changing the
+table context in the next call to build_from_hash. This fix
+covers this case as well.
+---
+ .../active_record/relation/predicate_builder.rb | 6 +++---
+ activerecord/test/cases/relation/where_test.rb | 6 ++++++
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/activerecord/lib/active_record/relation/predicate_builder.rb b/activerecord/lib/active_record/relation/predicate_builder.rb
+index 84e88cf..e74ba73 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder.rb
+@@ -5,17 +5,17 @@ module ActiveRecord
+ @engine = engine
+ end
+
+- def build_from_hash(attributes, default_table, check_column = true)
++ def build_from_hash(attributes, default_table, allow_table_name = true)
+ predicates = attributes.map do |column, value|
+ table = default_table
+
+- if value.is_a?(Hash)
++ if allow_table_name && value.is_a?(Hash)
+ table = Arel::Table.new(column, :engine => @engine)
+ build_from_hash(value, table, false)
+ else
+ column = column.to_s
+
+- if check_column && column.include?('.')
++ if allow_table_name && column.include?('.')
+ table_name, column = column.split('.', 2)
+ table = Arel::Table.new(table_name, :engine => @engine)
+ end
+diff --git a/activerecord/test/cases/relation/where_test.rb b/activerecord/test/cases/relation/where_test.rb
+index 90c690e..b9eef1d 100644
+--- a/activerecord/test/cases/relation/where_test.rb
++++ b/activerecord/test/cases/relation/where_test.rb
+@@ -11,6 +11,12 @@ module ActiveRecord
+ end
+ end
+
++ def test_where_error_with_hash
++ assert_raises(ActiveRecord::StatementInvalid) do
++ Post.where(:id => { :posts => {:author_id => 10} }).first
++ end
++ end
++
+ def test_where_with_table_name
+ post = Post.first
+ assert_equal post, Post.where(:posts => { 'id' => post.id }).first
+--
+1.7.5.4
+
diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec
index 7fe0e09..3d547f4 100644
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@@ -9,7 +9,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 3.0.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -50,6 +50,10 @@ Patch6: activerecord-3.0.13-fix-failing-tests.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=827363
 Patch7: activerecord-3.0.13-CVE-2012-2661-predicate-builder-should-not-recurse-for-determining.patch
+# Fixes CVE-2012-2695
+# https://bugzilla.redhat.com/show_bug.cgi?id=831573
+Patch8: activerecord-3.0.15-CVE-2012-2695-additional-fix-for-CVE-2012-2661.patch
+
 Requires: ruby(abi) = %{rubyabi}
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
@@ -99,6 +103,7 @@ pushd ./%{geminstdir}
 %patch5 -p2
 %patch6 -p2
 %patch7 -p2
+%patch8 -p2
 popd
 
 # Remove backup files
@@ -158,6 +163,9 @@ rake test_sqlite3 --trace
 %{gemdir}/specifications/%{gemname}-%{version}.gemspec
 
 %changelog
+* Mon Jun 18 2012 Vít Ondruch - 1:3.0.5-4
+- Fix for CVE-2012-2695.
+
 * Tue Jun 05 2012 Vít Ondruch - 1:3.0.5-3
 - Fix for CVE-2012-2661.
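Review bot: In the recursive call `build_from_hash(value, table, false)` of the patched predicate_builder.rb hunk, a Hash value at the second level now falls into the `else` branch and is passed along as an ordinary value, so the doubly nested input covered by `test_where_error_with_hash` appears to be rejected only once the statement reaches the adapter, which is why the test has to expect `ActiveRecord::StatementInvalid` rather than an error from the builder itself. An explicit guard at the top of the `else` branch, `raise ArgumentError, "nested hash conditions are not allowed" if value.is_a?(Hash)`, would reject the input before any SQL is built, independent of adapter quoting, and the test could then assert `ArgumentError` instead. The new parameter also deserves a comment stating its purpose, e.g. `# allow_table_name: false on the recursive call so a nested hash cannot switch the table context again` above the `def`. `build_from_hash` continues past the end of the inner hunk, so the code that turns `value` into a predicate is not visible here.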