[DRE-commits] [SCM] ruby-activerecord-3.2.git branch, master, updated. debian/3.2.6-4-4-g11ce818
Ondřej Surý
ondrej at sury.org
Tue Mar 19 08:40:00 UTC 2013
The following commit has been merged in the master branch:
commit bf4b848a84c3a91dcf17963d7f4f3d58d91a7f05
Author: Ondřej Surý <ondrej at sury.org>
Date: Tue Mar 19 09:35:49 2013 +0100
[CVE-2013-1854]: Fix symbol DoS vulnerability in Active Record
diff --git a/debian/patches/CVE-2013-1854.patch b/debian/patches/CVE-2013-1854.patch
new file mode 100644
index 0000000..6293196
--- /dev/null
+++ b/debian/patches/CVE-2013-1854.patch
@@ -0,0 +1,22 @@
+--- a/lib/active_record/relation.rb
++++ b/lib/active_record/relation.rb
+@@ -464,7 +464,7 @@ module ActiveRecord
+ node.left.relation.name == table_name
+ }
+
+- Hash[equalities.map { |where| [where.left.name, where.right] }]
++ Hash[equalities.map { |where| [where.left.name, where.right] }].with_indifferent_access
+ end
+
+ def scope_for_create
+--- a/lib/active_record/relation/predicate_builder.rb
++++ b/lib/active_record/relation/predicate_builder.rb
+@@ -20,7 +20,7 @@ module ActiveRecord
+ table = Arel::Table.new(table_name, engine)
+ end
+
+- attribute = table[column.to_sym]
++ attribute = table[column]
+
+ case value
+ when ActiveRecord::Relation
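Review bot: The patch file added here begins directly at `--- a/lib/active_record/relation.rb`, with no header recording where the fix comes from or why its two edits belong together. I would add a DEP-3 header above that line, for example `Description: Stop interning caller-supplied column names as symbols (CVE-2013-1854)` and `Origin: upstream, <UPSTREAM_COMMIT_URL - placeholder>`. The description should say that dropping `column.to_sym` in predicate_builder.rb is the actual fix, since symbols built from request-derived hash keys were never garbage-collected on the Ruby versions of that time. It should also say that `.with_indifferent_access` in relation.rb appears to be there so that callers reading the returned hash by symbol key keep working once attribute names arrive as strings. Both inner hunks cut through methods that continue outside the patch, so whether another `to_sym` remains on the same path cannot be checked from here.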
diff --git a/debian/patches/series b/debian/patches/series
index ee76ed2..14181fc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
Remove_rubygems_dependency.patch
3-2-dynamic_finder_injection.patch
CVE-2013-0155.patch
+CVE-2013-1854.patch
--
ruby-activerecord-3.2.git