Bug#697283: unblock: ruby-activerecord-3.2/3.2.6-3

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#697283: unblock: ruby-activerecord-3.2/3.2.6-3
From: Antonio Terceiro <terceiro@debian.org>
Date: Thu, 3 Jan 2013 11:47:50 -0300
Message-id: <20130103144750.GA16400@debian.org>
Reply-to: Antonio Terceiro <terceiro@debian.org>, 697283@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-activerecord-3.2

This release fixes a recently undisclosed security problem
(CVE-2012-5664)

Attached is the debdiff between this version and the version in testing.

unblock ruby-activerecord-3.2/3.2.6-3

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>

diff -Nru ruby-activerecord-3.2-3.2.6/debian/changelog ruby-activerecord-3.2-3.2.6/debian/changelog
--- ruby-activerecord-3.2-3.2.6/debian/changelog	2012-06-24 18:52:31.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/changelog	2013-01-03 11:21:21.000000000 -0300
@@ -1,3 +1,10 @@
+ruby-activerecord-3.2 (3.2.6-3) unstable; urgency=high
+
+  * debian/patches/3-2-dynamic_finder_injection.patch: fix SQL injection
+    vulnerability (CVE-2012-5664).
+
+ -- Antonio Terceiro <terceiro@debian.org>  Thu, 03 Jan 2013 11:21:18 -0300
+
 ruby-activerecord-3.2 (3.2.6-2) unstable; urgency=low
 
   * Bump build dependency on gem2deb to >= 0.3.0~
diff -Nru ruby-activerecord-3.2-3.2.6/debian/control ruby-activerecord-3.2-3.2.6/debian/control
--- ruby-activerecord-3.2-3.2.6/debian/control	2012-06-24 18:52:06.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/control	2012-09-01 17:38:02.000000000 -0300
@@ -3,7 +3,6 @@
 Priority: optional
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
 Uploaders:
-	Ondřej Surý <ondrej@debian.org>,
 	Antonio Terceiro <terceiro@debian.org>,
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
diff -Nru ruby-activerecord-3.2-3.2.6/debian/control.in ruby-activerecord-3.2-3.2.6/debian/control.in
--- ruby-activerecord-3.2-3.2.6/debian/control.in	2012-06-16 20:57:42.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/control.in	2012-09-01 17:38:02.000000000 -0300
@@ -3,7 +3,6 @@
 Priority: optional
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
 Uploaders:
-	Ondřej Surý <ondrej@debian.org>,
 	Antonio Terceiro <terceiro@debian.org>,
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/3-2-dynamic_finder_injection.patch ruby-activerecord-3.2-3.2.6/debian/patches/3-2-dynamic_finder_injection.patch
--- ruby-activerecord-3.2-3.2.6/debian/patches/3-2-dynamic_finder_injection.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/patches/3-2-dynamic_finder_injection.patch	2013-01-03 11:14:35.000000000 -0300
@@ -0,0 +1,32 @@
+From 325669f0795a9148fd31f7f496a40dc8e114ef52 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson@gmail.com>
+Date: Sun, 23 Dec 2012 11:07:07 -0800
+Subject: [PATCH] CVE-2012-5664 options hashes should only be extracted if
+ there are extra parameters
+
+---
+ lib/active_record/dynamic_matchers.rb |    7 ++++++-
+ test/cases/finder_test.rb             |   12 ++++++++++++
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/lib/active_record/dynamic_matchers.rb b/lib/active_record/dynamic_matchers.rb
+index b6b8e24..f15d0b7 100644
+--- a/lib/active_record/dynamic_matchers.rb
++++ b/lib/active_record/dynamic_matchers.rb
+@@ -40,7 +40,12 @@ module ActiveRecord
+           METHOD
+           send(method_id, *arguments)
+         elsif match.finder?
+-          options = arguments.extract_options!
++          options = if arguments.length > attribute_names.size
++                      arguments.extract_options!
++                    else
++                      {}
++                    end
++
+           relation = options.any? ? scoped(options) : scoped
+           relation.send :find_by_attributes, match, attribute_names, *arguments, &block
+         elsif match.instantiator?
+-- 
+1.7.10.2 (Apple Git-33)
+
diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/series ruby-activerecord-3.2-3.2.6/debian/patches/series
--- ruby-activerecord-3.2-3.2.6/debian/patches/series	2012-06-16 11:10:55.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/patches/series	2013-01-03 11:04:55.000000000 -0300
@@ -1 +1,2 @@
 Remove_rubygems_dependency.patch
+3-2-dynamic_finder_injection.patch

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#697283: marked as done (unblock: ruby-activerecord-3.2/3.2.6-3)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#697281: unblock: xen-api/1.3.2-14 (Fixes #696810: bad debconf handling)
Next by Date: Bug#697284: unblock: ruby-activerecord-2.3/2.3.14-3
Previous by thread: Bug#697281: marked as done (unblock: xen-api/1.3.2-14 (Fixes #696810: bad debconf handling))
Next by thread: Bug#697283: marked as done (unblock: ruby-activerecord-3.2/3.2.6-3)
Index(es):
- Date
- Thread