Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package ruby-activerecord-2.3 This release fixes CVE-2013-0155, which was previously believed to not affect the Rails 2.3 series. The debdiff against the package in testing is attached. unblock ruby-activerecord-2.3/2.3.14-4 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terceiro@debian.org>
diff -Nru ruby-activerecord-2.3-2.3.14/debian/changelog ruby-activerecord-2.3-2.3.14/debian/changelog
--- ruby-activerecord-2.3-2.3.14/debian/changelog 2013-01-03 11:48:18.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/changelog 2013-01-15 21:16:58.000000000 -0300
@@ -1,3 +1,10 @@
+ruby-activerecord-2.3 (2.3.14-4) unstable; urgency=high
+
+ * Team upload.
+ * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk.
+
+ -- Antonio Terceiro <terceiro@debian.org> Tue, 15 Jan 2013 21:16:20 -0300
+
ruby-activerecord-2.3 (2.3.14-3) unstable; urgency=high
* Team upload.
diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0155.patch ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0155.patch
--- ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0155.patch 1969-12-31 21:00:00.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0155.patch 2013-01-16 08:06:02.000000000 -0300
@@ -0,0 +1,51 @@
+Description: Fix for CVE-2013-0155
+ This includes the patch released in the updated announcement for CVE-2013-0155
+ plus some previous changes that it requires.
+ .
+Author: Justin Collins
+ (commit 62f81f4d cherry-picked from upstream git repository)
+Author: Ernie Miller
+Reviewed-By: Antonio Terceiro <terceiro@debian.org>
+Upstream-Bug: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/c7jT-EeN9eI
+
+---
+ lib/active_record/base.rb | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/lib/active_record/base.rb
++++ b/lib/active_record/base.rb
+@@ -2337,17 +2337,19 @@ module ActiveRecord #:nodoc:
+ # And for value objects on a composed_of relationship:
+ # { :address => Address.new("123 abc st.", "chicago") }
+ # # => "address_street='123 abc st.' and address_city='chicago'"
+- def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name)
++ def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
+ attrs = expand_hash_conditions_for_aggregates(attrs)
+
++ return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
++
+ conditions = attrs.map do |attr, value|
+ table_name = default_table_name
+
+- unless value.is_a?(Hash)
++ if not value.is_a?(Hash)
+ attr = attr.to_s
+
+ # Extract table name from qualified attribute names.
+- if attr.include?('.')
++ if attr.include?('.') and top_level
+ attr_table_name, attr = attr.split('.', 2)
+ attr_table_name = connection.quote_table_name(attr_table_name)
+ else
+@@ -2355,8 +2357,10 @@ module ActiveRecord #:nodoc:
+ end
+
+ attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
++ elsif top_level
++ sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
+ else
+- sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s))
++ raise ActiveRecord::StatementInvalid
+ end
+ end.join(' AND ')
+
diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/series ruby-activerecord-2.3-2.3.14/debian/patches/series
--- ruby-activerecord-2.3-2.3.14/debian/patches/series 2013-01-03 11:23:52.000000000 -0300
+++ ruby-activerecord-2.3-2.3.14/debian/patches/series 2013-01-15 21:16:07.000000000 -0300
@@ -1,3 +1,4 @@
0001-remove_require_rubygems.patch
activerecord-2.3.5-1.patch
2-3-dynamic_finder_injection.patch
+CVE-2013-0155.patch
Attachment:
signature.asc
Description: Digital signature