Bug#697284: marked as done (unblock: ruby-activerecord-2.3/2.3.14-3)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#697284: marked as done (unblock: ruby-activerecord-2.3/2.3.14-3)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 03 Jan 2013 19:12:06 +0000
Message-id: <handler.697284.D697284.135724011726620.ackdone@bugs.debian.org>
References: <1357240109.28152.2.camel@jacala.jungle.funky-badger.org> <20130103150027.GA6752@debian.org>

Your message dated Thu, 03 Jan 2013 19:08:29 +0000
with message-id <1357240109.28152.2.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#697284: unblock: ruby-activerecord-2.3/2.3.14-3
has caused the Debian Bug report #697284,
regarding unblock: ruby-activerecord-2.3/2.3.14-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
697284: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697284
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: ruby-activerecord-2.3/2.3.14-3
From: Antonio Terceiro <terceiro@debian.org>
Date: Thu, 3 Jan 2013 12:00:27 -0300
Message-id: <20130103150027.GA6752@debian.org>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-activerecord-2.3

This release fixes a SQL injection vulnerability (CVE-2012-5664).

Attached is the debdiff between this version and the one in testing.

unblock ruby-activerecord-2.3/2.3.14-3

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terceiro@debian.org>

diff -Nru ruby-activerecord-2.3-2.3.14/debian/changelog ruby-activerecord-2.3-2.3.14/debian/changelog
--- ruby-activerecord-2.3-2.3.14/debian/changelog	2012-06-29 14:37:30.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/changelog	2013-01-03 11:48:18.000000000 -0300
@@ -1,3 +1,11 @@
+ruby-activerecord-2.3 (2.3.14-3) unstable; urgency=high
+
+  * Team upload.
+  * debian/patches/2-3-dynamic_finder_injection.patch: fix SQL injection
+    vulnerability (CVE-2012-5664).
+
+ -- Antonio Terceiro <terceiro@debian.org>  Thu, 03 Jan 2013 11:43:56 -0300
+
 ruby-activerecord-2.3 (2.3.14-2) unstable; urgency=low
 
   * Team upload.
diff -Nru ruby-activerecord-2.3-2.3.14/debian/control ruby-activerecord-2.3-2.3.14/debian/control
--- ruby-activerecord-2.3-2.3.14/debian/control	2012-06-29 14:45:22.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/control	2012-09-01 17:37:56.000000000 -0300
@@ -2,7 +2,6 @@
 Section: ruby
 Priority: optional
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
-Uploaders: Ondřej Surý <ondrej@debian.org>
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
 	       gem2deb (>= 0.3.0~),
diff -Nru ruby-activerecord-2.3-2.3.14/debian/control.in ruby-activerecord-2.3-2.3.14/debian/control.in
--- ruby-activerecord-2.3-2.3.14/debian/control.in	2012-06-29 14:45:14.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/control.in	2012-09-01 17:37:56.000000000 -0300
@@ -2,7 +2,6 @@
 Section: ruby
 Priority: optional
 Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
-Uploaders: Ondřej Surý <ondrej@debian.org>
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
 	       gem2deb (>= 0.3.0~),
diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch
--- ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch	2013-01-03 11:31:43.000000000 -0300
@@ -0,0 +1,54 @@
+From 9de9b359d0d24f70f0f6c5c58a7ad8750684d456 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson@gmail.com>
+Date: Sun, 23 Dec 2012 11:07:07 -0800
+Subject: [PATCH] CVE-2012-5664 options hashes should only be extracted if
+ there are extra parameters
+
+---
+ lib/active_record/base.rb |    6 +++++-
+ test/cases/finder_test.rb |   12 ++++++++++++
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/lib/active_record/base.rb b/glib/active_record/base.rb
+index 461007f..809a38c 100755
+--- a/lib/active_record/base.rb
++++ b/lib/active_record/base.rb
+@@ -1897,7 +1897,11 @@ module ActiveRecord #:nodoc:
+               # end
+               self.class_eval <<-EOS, __FILE__, __LINE__ + 1
+                 def self.#{method_id}(*args)
+-                  options = args.extract_options!
++                  options = if args.length > #{attribute_names.size}
++                              args.extract_options!
++                            else
++                              {}
++                            end
+                   attributes = construct_attributes_from_arguments(
+                     [:#{attribute_names.join(',:')}],
+                     args
+diff --git a/test/cases/finder_test.rb b/gtest/cases/finder_test.rb
+index c779a69..9e3ab92 100644
+--- a/test/cases/finder_test.rb
++++ b/test/cases/finder_test.rb
+@@ -66,6 +66,18 @@ end
+ class FinderTest < ActiveRecord::TestCase
+   fixtures :companies, :topics, :entrants, :developers, :developers_projects, :posts, :comments, :accounts, :authors, :customers
+ 
++  def test_find_by_id_with_hash
++    assert_raises(ActiveRecord::StatementInvalid) do
++      Post.find_by_id(:limit => 1)
++    end
++  end
++
++  def test_find_by_title_and_id_with_hash
++    assert_raises(ActiveRecord::StatementInvalid) do
++      Post.find_by_title_and_id('foo', :limit => 1)
++    end
++  end
++
+   def test_find
+     assert_equal(topics(:first).title, Topic.find(1).title)
+   end
+-- 
+1.7.10.2 (Apple Git-33)
+
diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/series ruby-activerecord-2.3-2.3.14/debian/patches/series
--- ruby-activerecord-2.3-2.3.14/debian/patches/series	2012-02-02 20:56:24.000000000 -0200
+++ ruby-activerecord-2.3-2.3.14/debian/patches/series	2013-01-03 11:23:52.000000000 -0300
@@ -1,2 +1,3 @@
 0001-remove_require_rubygems.patch
 activerecord-2.3.5-1.patch
+2-3-dynamic_finder_injection.patch

Attachment: signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

To: Antonio Terceiro <terceiro@debian.org>, 697284-done@bugs.debian.org

Subject: Re: Bug#697284: unblock: ruby-activerecord-2.3/2.3.14-3

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Thu, 03 Jan 2013 19:08:29 +0000

Message-id: <1357240109.28152.2.camel@jacala.jungle.funky-badger.org>

In-reply-to: <20130103150027.GA6752@debian.org>

References: <20130103150027.GA6752@debian.org>
On Thu, 2013-01-03 at 12:00 -0300, Antonio Terceiro wrote:
> Please unblock package ruby-activerecord-2.3
> 
> This release fixes a SQL injection vulnerability (CVE-2012-5664).

Unblocked; thanks.

Regards,

Adam
--- End Message ---

Reply to:

References:
- Bug#697284: unblock: ruby-activerecord-2.3/2.3.14-3
  - From: Antonio Terceiro <terceiro@debian.org>

Prev by Date: Bug#697283: marked as done (unblock: ruby-activerecord-3.2/3.2.6-3)
Next by Date: Bug#697283: unblock: ruby-activerecord-3.2/3.2.6-3
Previous by thread: Bug#697284: unblock: ruby-activerecord-2.3/2.3.14-3
Next by thread: redhat-cluster (and reverse dependencies) for wheezy
Index(es):
- Date
- Thread