[DRE-commits] [SCM] ruby-activerecord-3.2.git branch, master, updated. debian/3.2.6-2-7-g9128ca2

Antonio Terceiro terceiro at debian.org
Wed Jan 9 21:38:38 UTC 2013 

The following commit has been merged in the master branch:
commit 9128ca28b3fc8d7e85f3b50388f736fa868e3631
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Wed Jan 9 18:23:29 2013 -0300

    Fix CVE-2013-0155

diff --git a/debian/changelog b/debian/changelog
index 04449ee..21bd9e2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-activerecord-3.2 (3.2.6-4) unstable; urgency=high
+
+  * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk
+    [CVE-2013-0155] (Closes: #697744).
+
+ -- Antonio Terceiro <terceiro at debian.org>  Wed, 09 Jan 2013 18:18:07 -0300
+
 ruby-activerecord-3.2 (3.2.6-3) unstable; urgency=high
 
   * debian/patches/3-2-dynamic_finder_injection.patch: fix SQL injection
diff --git a/debian/patches/CVE-2013-0155.patch b/debian/patches/CVE-2013-0155.patch
new file mode 100644
index 0000000..4ab9f2a
--- /dev/null
+++ b/debian/patches/CVE-2013-0155.patch
@@ -0,0 +1,25 @@
+From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patterson at gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+diff --git a/lib/active_record/relation/predicate_builder.rb b/lib/active_record/relation/predicate_builder.rb
+index 6b118b4..b31fdfd 100644
+--- a/lib/active_record/relation/predicate_builder.rb
++++ b/lib/active_record/relation/predicate_builder.rb
+@@ -6,7 +6,12 @@ module ActiveRecord
+ 
+         if allow_table_name && value.is_a?(Hash)
+           table = Arel::Table.new(column, engine)
+-          build_from_hash(engine, value, table, false)
++
++          if value.empty?
++            '1 = 2'
++          else
++            build_from_hash(engine, value, table, false)
++          end
+         else
+           column = column.to_s
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 1524d9e..ee76ed2 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 Remove_rubygems_dependency.patch
 3-2-dynamic_finder_injection.patch
+CVE-2013-0155.patch

-- 
ruby-activerecord-3.2.git

More information about the Pkg-ruby-extras-commits mailing list