
Bug#697812: marked as done (unblock: ruby-activerecord-3.2/3.2.6-4)



Your message dated Wed, 09 Jan 2013 22:09:11 +0000
with message-id <1357769351.21796.3.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#697812: unblock: ruby-activerecord-3.2/3.2.6-4
has caused the Debian Bug report #697812,
regarding unblock: ruby-activerecord-3.2/3.2.6-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
697812: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697812
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock packages ruby-activerecord-3.2 and ruby-actionpack-3.2.
The new versions uploaded to unstable fix CVE-2013-0155. Since the fix
is spread across those two packages, I think they should be handled
together, and that's why I am filing a single unblock request for both
packages.

The debdiffs against the packages in testing are attached. You will
notice a build-dependency bump change, but that's in debian/control.in,
not debian/control, so it's harmless.

unblock ruby-activerecord-3.2/3.2.6-4
unblock ruby-actionpack-3.2/3.2.6-5

TIA,

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby-activerecord-3.2-3.2.6/debian/changelog ruby-activerecord-3.2-3.2.6/debian/changelog
--- ruby-activerecord-3.2-3.2.6/debian/changelog	2013-01-03 11:21:21.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/changelog	2013-01-09 18:22:50.000000000 -0300
@@ -1,3 +1,10 @@
+ruby-activerecord-3.2 (3.2.6-4) unstable; urgency=high
+
+  * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk
+    [CVE-2013-0155] (Closes: #697744).
+
+ -- Antonio Terceiro <terceiro@debian.org>  Wed, 09 Jan 2013 18:18:07 -0300
+
 ruby-activerecord-3.2 (3.2.6-3) unstable; urgency=high
 
   * debian/patches/3-2-dynamic_finder_injection.patch: fix SQL injection
diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch
--- ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch	2013-01-09 18:25:01.000000000 -0300
@@ -0,0 +1,25 @@
+From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson@gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+diff --git a/lib/active_record/relation/predicate_builder.rb b/lib/active_record/relation/predicate_builder.rb
+index 6b118b4..b31fdfd 100644
+--- a/lib/active_record/relation/predicate_builder.rb
++++ b/lib/active_record/relation/predicate_builder.rb
+@@ -6,7 +6,12 @@ module ActiveRecord
+ 
+         if allow_table_name && value.is_a?(Hash)
+           table = Arel::Table.new(column, engine)
+-          build_from_hash(engine, value, table, false)
++
++          if value.empty?
++            '1 = 2'
++          else
++            build_from_hash(engine, value, table, false)
++          end
+         else
+           column = column.to_s
+ 
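Review bot: the `'1 = 2'` literal in the new `if value.empty?` branch looks like a placeholder but is the substance of the fix, and deserves a one-line comment in the patch so it is not "tidied" away later: before this change an empty nested hash was handed straight to `build_from_hash`, which has nothing to build a predicate from, so the caller's condition silently dropped out of the generated WHERE clause; returning an always-false predicate makes such a query match nothing instead. The upstream header also reads `[PATCH 1/2]`, so the changelog should state whether the companion 2/2 commit is needed for wheezy, since only this half is shipped here.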
diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/series ruby-activerecord-3.2-3.2.6/debian/patches/series
--- ruby-activerecord-3.2-3.2.6/debian/patches/series	2013-01-03 11:04:55.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/patches/series	2013-01-09 18:17:11.000000000 -0300
@@ -1,2 +1,3 @@
 Remove_rubygems_dependency.patch
 3-2-dynamic_finder_injection.patch
+CVE-2013-0155.patch
diff -Nru ruby-actionpack-3.2-3.2.6/debian/changelog ruby-actionpack-3.2-3.2.6/debian/changelog
--- ruby-actionpack-3.2-3.2.6/debian/changelog	2012-08-10 13:33:44.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/changelog	2013-01-09 18:27:16.000000000 -0300
@@ -1,3 +1,10 @@
+ruby-actionpack-3.2 (3.2.6-5) unstable; urgency=high
+
+  * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk
+    [CVE-2013-0155] (Closes: #697802)
+
+ -- Antonio Terceiro <terceiro@debian.org>  Wed, 09 Jan 2013 18:25:45 -0300
+
 ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high
 
   * Add patches for security problems (Closes: #684454):
diff -Nru ruby-actionpack-3.2-3.2.6/debian/control.in ruby-actionpack-3.2-3.2.6/debian/control.in
--- ruby-actionpack-3.2-3.2.6/debian/control.in	2012-06-16 21:11:38.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/control.in	2012-11-14 09:42:31.000000000 -0300
@@ -7,7 +7,7 @@
 	Antonio Terceiro <terceiro@debian.org>,
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
-	       gem2deb (>= 0.2.13~),
+	       gem2deb (>= 0.3.0~),
 	       ruby-activesupport-3.2 (>= @RAILS_VERSION@),
 	       ruby-activesupport-3.2 (<< @RAILS_VERSION@.),
 	       ruby-activerecord-3.2 (>= @RAILS_VERSION@),
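Review bot: this hunk is dated 2012-11-14 and is unrelated to the CVE fix; the request calls it harmless because only debian/control.in changes, but the `@RAILS_VERSION@` placeholders in the same hunk show that debian/control is generated from this template, so please confirm the build does not regenerate debian/control, otherwise the `gem2deb (>= 0.3.0~)` bump becomes a real build-dependency change in testing. Keeping an unrelated bump out of a freeze upload would have been cleaner.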
diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch
--- ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch	2013-01-09 18:28:16.000000000 -0300
@@ -0,0 +1,57 @@
+From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson@gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+--- a/lib/action_dispatch/http/request.rb
++++ b/lib/action_dispatch/http/request.rb
+@@ -247,18 +247,14 @@ module ActionDispatch
+       LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
+     end
+ 
+-    protected
+-
+     # Remove nils from the params hash
+     def deep_munge(hash)
+-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+-      keys.each { |k| hash[k] = nil }
+-
+-      hash.each_value do |v|
++      hash.each do |k, v|
+         case v
+         when Array
+           v.grep(Hash) { |x| deep_munge(x) }
+           v.compact!
++          hash[k] = nil if v.empty?
+         when Hash
+           deep_munge(v)
+         end
+@@ -267,6 +263,8 @@ module ActionDispatch
+       hash
+     end
+ 
++    protected
++
+     def parse_query(qs)
+       deep_munge(super)
+     end
+--- a/lib/action_dispatch/middleware/params_parser.rb
++++ b/lib/action_dispatch/middleware/params_parser.rb
+@@ -38,13 +38,13 @@ module ActionDispatch
+         when Proc
+           strategy.call(request.raw_post)
+         when :xml_simple, :xml_node
+-          data = Hash.from_xml(request.body.read) || {}
++          data = request.deep_munge(Hash.from_xml(request.body.read) || {})
+           request.body.rewind if request.body.respond_to?(:rewind)
+           data.with_indifferent_access
+         when :yaml
+           YAML.load(request.raw_post)
+         when :json
+-          data = ActiveSupport::JSON.decode(request.body)
++          data = request.deep_munge ActiveSupport::JSON.decode(request.body)
+           request.body.rewind if request.body.respond_to?(:rewind)
+           data = {:_json => data} unless data.is_a?(Hash)
+           data.with_indifferent_access
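Review bot: two behaviour changes in this patch should be called out in its header rather than left implicit. First, moving `deep_munge` above `protected` in request.rb makes it a public method of `Request`, which is required because params_parser.rb now calls `request.deep_munge` from another object; say so, or a later cleanup will re-hide it and break the parser. Second, the new `deep_munge` is stricter than the old one: the old code only replaced values that were exactly `[nil]`, whereas the new one `compact!`s every array and replaces any array left empty (including a literal `[]`) with `nil`, and the JSON and XML branches of the parser now run it, while the `:yaml` branch (`YAML.load(request.raw_post)`, unchanged context) still does not; confirm that omission is intended.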
diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/series ruby-actionpack-3.2-3.2.6/debian/patches/series
--- ruby-actionpack-3.2-3.2.6/debian/patches/series	2012-08-10 13:29:41.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/patches/series	2013-01-09 18:24:02.000000000 -0300
@@ -1,3 +1,4 @@
 CVE-2012-3424.patch
 CVE-2012-3463.patch
 CVE-2012-3465.patch
+CVE-2013-0155.patch



--- End Message ---
--- Begin Message ---
On Wed, 2013-01-09 at 18:47 -0300, Antonio Terceiro wrote:
> Please unblock packages ruby-activerecord-3.2 and ruby-actionpack-3.2.
> The new versions uploaded to unstable fix CVE-2013-0155. Since the fix
> is spread across those two packages, I think they should be handled
> together, and that's why I am filing a single unblock request for both
> packages.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
