[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#697284: unblock: ruby-activerecord-2.3/2.3.14-3

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-activerecord-2.3

This release fixes a SQL injection vulnerability (CVE-2012-5664).

Attached is the debdiff between this version and the one in testing.

unblock ruby-activerecord-2.3/2.3.14-3

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>

diff -Nru ruby-activerecord-2.3-2.3.14/debian/changelog ruby-activerecord-2.3-2.3.14/debian/changelog
--- ruby-activerecord-2.3-2.3.14/debian/changelog	2012-06-29 14:37:30.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/changelog	2013-01-03 11:48:18.000000000 -0300
@@ -1,3 +1,11 @@
+ruby-activerecord-2.3 (2.3.14-3) unstable; urgency=high
+
+  * Team upload.
+  * debian/patches/2-3-dynamic_finder_injection.patch: fix SQL injection
+    vulnerability (CVE-2012-5664).
+
+ -- Antonio Terceiro <terceiro@debian.org>  Thu, 03 Jan 2013 11:43:56 -0300
+
 ruby-activerecord-2.3 (2.3.14-2) unstable; urgency=low
 
   * Team upload.
diff -Nru ruby-activerecord-2.3-2.3.14/debian/control ruby-activerecord-2.3-2.3.14/debian/control
--- ruby-activerecord-2.3-2.3.14/debian/control	2012-06-29 14:45:22.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/control	2012-09-01 17:37:56.000000000 -0300
@@ -2,7 +2,6 @@
 Section: ruby
 Priority: optional
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
-Uploaders: Ondřej Surý <ondrej@debian.org>
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
 	       gem2deb (>= 0.3.0~),
diff -Nru ruby-activerecord-2.3-2.3.14/debian/control.in ruby-activerecord-2.3-2.3.14/debian/control.in
--- ruby-activerecord-2.3-2.3.14/debian/control.in	2012-06-29 14:45:14.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/control.in	2012-09-01 17:37:56.000000000 -0300
@@ -2,7 +2,6 @@
 Section: ruby
 Priority: optional
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
-Uploaders: Ondřej Surý <ondrej@debian.org>
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
 	       gem2deb (>= 0.3.0~),
diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch
--- ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch	2013-01-03 11:31:43.000000000 -0300
@@ -0,0 +1,54 @@
+From 9de9b359d0d24f70f0f6c5c58a7ad8750684d456 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson@gmail.com>
+Date: Sun, 23 Dec 2012 11:07:07 -0800
+Subject: [PATCH] CVE-2012-5664 options hashes should only be extracted if
+ there are extra parameters
+
+---
+ lib/active_record/base.rb |    6 +++++-
+ test/cases/finder_test.rb |   12 ++++++++++++
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/lib/active_record/base.rb b/glib/active_record/base.rb
+index 461007f..809a38c 100755
+--- a/lib/active_record/base.rb
++++ b/lib/active_record/base.rb
+@@ -1897,7 +1897,11 @@ module ActiveRecord #:nodoc:
+               # end
+               self.class_eval <<-EOS, __FILE__, __LINE__ + 1
+                 def self.#{method_id}(*args)
+-                  options = args.extract_options!
++                  options = if args.length > #{attribute_names.size}
++                              args.extract_options!
++                            else
++                              {}
++                            end
+                   attributes = construct_attributes_from_arguments(
+                     [:#{attribute_names.join(',:')}],
+                     args
+diff --git a/test/cases/finder_test.rb b/gtest/cases/finder_test.rb
+index c779a69..9e3ab92 100644
+--- a/test/cases/finder_test.rb
++++ b/test/cases/finder_test.rb
+@@ -66,6 +66,18 @@ end
+ class FinderTest < ActiveRecord::TestCase
+   fixtures :companies, :topics, :entrants, :developers, :developers_projects, :posts, :comments, :accounts, :authors, :customers
+ 
++  def test_find_by_id_with_hash
++    assert_raises(ActiveRecord::StatementInvalid) do
++      Post.find_by_id(:limit => 1)
++    end
++  end
++
++  def test_find_by_title_and_id_with_hash
++    assert_raises(ActiveRecord::StatementInvalid) do
++      Post.find_by_title_and_id('foo', :limit => 1)
++    end
++  end
++
+   def test_find
+     assert_equal(topics(:first).title, Topic.find(1).title)
+   end
+-- 
+1.7.10.2 (Apple Git-33)
+
diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/series ruby-activerecord-2.3-2.3.14/debian/patches/series
--- ruby-activerecord-2.3-2.3.14/debian/patches/series	2012-02-02 20:56:24.000000000 -0200
+++ ruby-activerecord-2.3-2.3.14/debian/patches/series	2013-01-03 11:23:52.000000000 -0300
@@ -1,2 +1,3 @@
 0001-remove_require_rubygems.patch
 activerecord-2.3.5-1.patch
+2-3-dynamic_finder_injection.patch

Attachment: signature.asc
Description: Digital signature

Reply to: