Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package ruby-activerecord-2.3

This release fixes CVE-2013-0155, which was previously believed to not affect the Rails 2.3 series. The debdiff against the package in testing is attached.

unblock ruby-activerecord-2.3/2.3.14-4

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--
Antonio Terceiro <terce...@debian.org>
diff -Nru ruby-activerecord-2.3-2.3.14/debian/changelog ruby-activerecord-2.3-2.3.14/debian/changelog --- ruby-activerecord-2.3-2.3.14/debian/changelog 2013-01-03 11:48:18.000000000 -0300 +++ ruby-activerecord-2.3-2.3.14/debian/changelog 2013-01-15 21:16:58.000000000 -0300 @@ -1,3 +1,10 @@ +ruby-activerecord-2.3 (2.3.14-4) unstable; urgency=high + + * Team upload. + * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk. + + -- Antonio Terceiro <terce...@debian.org> Tue, 15 Jan 2013 21:16:20 -0300 + ruby-activerecord-2.3 (2.3.14-3) unstable; urgency=high * Team upload. diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0155.patch ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0155.patch --- ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0155.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby-activerecord-2.3-2.3.14/debian/patches/CVE-2013-0155.patch 2013-01-16 08:06:02.000000000 -0300 
@@ -0,0 +1,51 @@ +Description: Fix for CVE-2013-0155 + This includes the patch released in the updated announcement for CVE-2013-0155 + plus some previous changes that it requires. + . +Author: Justin Collins + (commit 62f81f4d cherry-picked from upstream git repository) +Author: Ernie Miller +Reviewed-By: Antonio Terceiro <terce...@debian.org> +Upstream-Bug: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/c7jT-EeN9eI + +--- + lib/active_record/base.rb | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/lib/active_record/base.rb ++++ b/lib/active_record/base.rb +@@ -2337,17 +2337,19 @@ module ActiveRecord #:nodoc: + # And for value objects on a composed_of relationship: + # { :address => Address.new("123 abc st.", "chicago") } + # # => "address_street='123 abc st.' and address_city='chicago'" +- def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name) ++ def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true) + attrs = expand_hash_conditions_for_aggregates(attrs) + ++ return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty? ++ + conditions = attrs.map do |attr, value| + table_name = default_table_name + +- unless value.is_a?(Hash) ++ if not value.is_a?(Hash) + attr = attr.to_s + + # Extract table name from qualified attribute names. 
+- if attr.include?('.') ++ if attr.include?('.') and top_level + attr_table_name, attr = attr.split('.', 2) + attr_table_name = connection.quote_table_name(attr_table_name) + else +@@ -2355,8 +2357,10 @@ module ActiveRecord #:nodoc: + end + + attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value) ++ elsif top_level ++ sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false) + else +- sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s)) ++ raise ActiveRecord::StatementInvalid + end + end.join(' AND ') + diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/series ruby-activerecord-2.3-2.3.14/debian/patches/series --- ruby-activerecord-2.3-2.3.14/debian/patches/series 2013-01-03 11:23:52.000000000 -0300 +++ ruby-activerecord-2.3-2.3.14/debian/patches/series 2013-01-15 21:16:07.000000000 -0300 @@ -1,3 +1,4 @@ 0001-remove_require_rubygems.patch activerecord-2.3.5-1.patch 2-3-dynamic_finder_injection.patch +CVE-2013-0155.patch
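Review bot: the changelog entry for 2.3.14-4 describes the change only as "fix Unsafe Query Generation Risk", but the cherry-picked patch also changes observable behaviour: `sanitize_sql_hash_for_conditions` now raises `ActiveRecord::StatementInvalid` for condition hashes nested more than one level deep, and dotted attribute names are no longer split into table and column below the top level. A changelog line stating that applications relying on deeper nesting will now fail would help the release team judge the unblock and warn users upgrading within wheezy; a `Closes:` reference to the Debian bug, if one was filed, would also be useful for tracking.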
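Review bot: the DEP-3 header's diffstat (`lib/active_record/base.rb | 2 ++`, `1 file changed, 2 insertions(+)`) does not match the hunks that follow, which add eight lines and remove four; regenerate it or drop it so it does not mislead anyone reading the patch. The upstream commit reference (`commit 62f81f4d cherry-picked from upstream git repository`) is buried in free text under `Author:`; DEP-3 expects it in an `Origin: upstream, <commit>` field, and the security announcement URL belongs in `Bug:` rather than the non-standard `Upstream-Bug:`. On the logic itself: `return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?` makes a nested empty hash match no rows instead of yielding an empty condition string, and the new `raise ActiveRecord::StatementInvalid` in the `else` branch rejects a second level of nesting, which is the intended hardening. The `unless value.is_a?(Hash)` to `if not value.is_a?(Hash)` rewrite is a pure style change that only adds diff noise; it is harmless but worth noting for anyone comparing against upstream.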