[DRE-commits] [SCM] ruby-activerecord-2.3.git branch, master, updated. debian/2.3.14-2-7-g90483c0

Wed Jan 16 11:21:05 UTC 2013

The following commit has been merged in the master branch:
commit 90483c0f251d89a6f2bd76db758a4ab0e50a5dbb
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Tue Jan 15 21:18:18 2013 -0300

    Fix for CVE-2013-1055

diff --git a/debian/changelog b/debian/changelog
index 280d145..93e0b8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-activerecord-2.3 (2.3.14-4) unstable; urgency=high
+
+  * Team upload.
+  * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk.
+
+ -- Antonio Terceiro <terceiro at debian.org>  Tue, 15 Jan 2013 21:16:20 -0300
+
 ruby-activerecord-2.3 (2.3.14-3) unstable; urgency=high
 
   * Team upload.
diff --git a/debian/patches/CVE-2013-0155.patch b/debian/patches/CVE-2013-0155.patch
new file mode 100644
index 0000000..7441e68
--- /dev/null
+++ b/debian/patches/CVE-2013-0155.patch
@@ -0,0 +1,51 @@
+Description: Fix for CVE-2013-0155
+ This includes the patch released in the updated announcement for CVE-2013-0155
+ plus some previous changes that it requires.
+ .
+Author: Justin Collins
+ (commit 62f81f4d cherry-picked from upstream git repository)
+Author: Ernie Miller
+Reviewed-By: Antonio Terceiro <terceiro at debian.org>
+Upstream-Bug: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/c7jT-EeN9eI
+
+---
+ lib/active_record/base.rb | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/lib/active_record/base.rb
++++ b/lib/active_record/base.rb
+@@ -2337,17 +2337,19 @@ module ActiveRecord #:nodoc:
+         # And for value objects on a composed_of relationship:
+         #   { :address => Address.new("123 abc st.", "chicago") }
+         #     # => "address_street='123 abc st.' and address_city='chicago'"
+-        def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name)
++        def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
+           attrs = expand_hash_conditions_for_aggregates(attrs)
+ 
++          return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
++
+           conditions = attrs.map do |attr, value|
+             table_name = default_table_name
+ 
+-            unless value.is_a?(Hash)
++            if not value.is_a?(Hash)
+               attr = attr.to_s
+ 
+               # Extract table name from qualified attribute names.
+-              if attr.include?('.')
++              if attr.include?('.') and top_level
+                 attr_table_name, attr = attr.split('.', 2)
+                 attr_table_name = connection.quote_table_name(attr_table_name)
+               else
+@@ -2355,8 +2357,10 @@ module ActiveRecord #:nodoc:
+               end
+ 
+               attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
++            elsif top_level
++              sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
+             else
+-              sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s))
++              raise ActiveRecord::StatementInvalid
+             end
+           end.join(' AND ')
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 9e176dd..a4803e0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0001-remove_require_rubygems.patch
 activerecord-2.3.5-1.patch
 2-3-dynamic_finder_injection.patch
+CVE-2013-0155.patch

-- 
ruby-activerecord-2.3.git

