[DRE-commits] [ruby-activerecord-3.2] 02/02: security update; [CVE-2014-3482] [CVE-2014-3483]

Antonio Terceiro terceiro at moszumanska.debian.org
Thu Jul 17 17:36:25 UTC 2014


This is an automated email from the git hooks/post-receive script.

terceiro pushed a commit to branch master-wheezy
in repository ruby-activerecord-3.2.

commit 4ff6647e49ca258302080508d434c76d661e2d76
Author: Antonio Terceiro <terceiro at debian.org>
Date:   Mon Jul 14 21:53:47 2014 -0300

    security update; [CVE-2014-3482] [CVE-2014-3483]
---
 debian/changelog                       |  7 ++++++
 debian/patches/3-2-postgres-sqli.patch | 39 ++++++++++++++++++++++++++++++++++
 debian/patches/series                  |  1 +
 3 files changed, 47 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c6362ba..9a3ca0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ruby-activerecord-3.2 (3.2.6-5+deb7u1) wheezy-security; urgency=medium
+
+  * debian/patches/3-2-postgres-sqli.patch: fix vulnerabilities in PostgreSQL database
+    adapter. [CVE-2014-3482] [CVE-2014-3483]
+
+ -- Antonio Terceiro <terceiro at debian.org>  Mon, 14 Jul 2014 21:50:22 -0300
+
 ruby-activerecord-3.2 (3.2.6-5) unstable; urgency=high
 
   * Bump build dependency on gem2deb to >- 0.3.0~ in debian/control.in
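Review bot: the entry cites `[CVE-2014-3482] [CVE-2014-3483]`, but the only upstream commit carried in `3-2-postgres-sqli.patch` is titled `Fix CVE-2014-3482.`; either record which hunk addresses CVE-2014-3483 (the `exec_no_cache` change is the only candidate in the patch) or drop the second id so the changelog matches the patch. `urgency=medium` on a `wheezy-security` upload of an SQL injection fix is also lower than the `urgency=high` the previous entry uses; consider raising it.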
diff --git a/debian/patches/3-2-postgres-sqli.patch b/debian/patches/3-2-postgres-sqli.patch
new file mode 100644
index 0000000..958833a
--- /dev/null
+++ b/debian/patches/3-2-postgres-sqli.patch
@@ -0,0 +1,39 @@
+From 1bf1a25b1789ec10f71a749fd038c6b3118da589 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
+ <rafaelmfranca at gmail.com>
+Date: Thu, 5 Jun 2014 12:34:07 -0300
+Subject: [PATCH] Check against bit string values using multiline regexp
+
+Fix CVE-2014-3482.
+---
+ .../lib/active_record/connection_adapters/postgresql_adapter.rb     | 6 +++---
+ activerecord/test/cases/adapters/postgresql/quoting_test.rb         | 5 +++++
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+index e98337e..3cd65d0 100644
+--- a/lib/active_record/connection_adapters/postgresql_adapter.rb
++++ b/lib/active_record/connection_adapters/postgresql_adapter.rb
+@@ -442,8 +442,8 @@ module ActiveRecord
+           when 'xml'   then "xml '#{quote_string(value)}'"
+           when /^bit/
+             case value
+-            when /^[01]*$/      then "B'#{value}'" # Bit-string notation
+-            when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
++            when /\A[01]*\Z/      then "B'#{value}'" # Bit-string notation
++            when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
+             end
+           else
+             super
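Review bot: the new `when /\A[01]*\Z/` and `when /\A[0-9A-F]*\Z/i` lines close the hole (`^` and `$` match at every line boundary in Ruby, so a value whose first line was all `0`/`1` matched the old `/^[01]*$/` and the rest of the string was interpolated into `B'#{value}'` unescaped), but `\Z` still matches before a single trailing newline, so `"01\n"` passes and becomes `B'01\n'`. Use `\z` in both patterns if the intent is an exact whole-string match. The inner `case value` also still has no `else` branch, so a bit value matching neither pattern quotes to `nil` instead of raising; pre-existing, but worth a follow-up.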
+@@ -1160,7 +1160,7 @@ module ActiveRecord
+         FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
+ 
+         def exec_no_cache(sql, binds)
+-          @connection.async_exec(sql)
++          @connection.async_exec(sql, [])
+         end
+ 
+         def exec_cache(sql, binds)
+-- 
+2.0.0
+
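Review bot: the `@connection.async_exec(sql, [])` change is not explained by the patch subject or the `Fix CVE-2014-3482.` line, and the `binds` argument of `exec_no_cache` is still unused, so the empty array reads like a no-op; add a comment stating that passing a params array makes the pg gem send the query through libpq's extended protocol, which refuses more than one statement per call and so rejects a second statement smuggled into a quoted value even if a quoting bug is missed, and that any caller relying on sending several statements in one `exec_no_cache` call will now fail. The patch header is also inconsistent with its body: the stat block lists `activerecord/test/cases/adapters/postgresql/quoting_test.rb` (`2 files changed, 8 insertions(+), 3 deletions(-)`) but no hunk for that test is included, and the `diff --git` line keeps the `activerecord/` prefix while the `---`/`+++` lines have it stripped. Either carry the test hunk, which is the regression check for the multiline value, or regenerate the header so it matches what is applied.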
diff --git a/debian/patches/series b/debian/patches/series
index 14181fc..0efb041 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+3-2-postgres-sqli.patch
 Remove_rubygems_dependency.patch
 3-2-dynamic_finder_injection.patch
 CVE-2013-0155.patch
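Review bot: `3-2-postgres-sqli.patch` is prepended to `series` rather than appended after `CVE-2013-0155.patch`, so it is applied before the existing patches; that is harmless only if none of them touch the same region of `postgresql_adapter.rb`, and it breaks the chronological order the file otherwise keeps. Append it at the end, and consider naming it after the CVE id as `CVE-2013-0155.patch` is, so the series is self-describing.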

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-activerecord-3.2.git