Bug#697812: unblock: ruby-activerecord-3.2/3.2.6-4

Wed, 09 Jan 2013 13:51:14 -0800 

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock packages ruby-activerecord-3.2 and ruby-actionpack-3.2.
The new versions uploaded do unstable fix CVE-2013-0155. Since the fix
is spread across those two packages, I think they should handled
together, and that's why I am filing a single unblock request for both
packages.

The debdiffs against the packages in testing are attached. You will
notice a buid-dependency bump change, but that's in debian/control.in,
not debian/control, so it's harmless.

unblock ruby-activerecord-3.2/3.2.6-4
unblock ruby-actionpack-3.2/3.2.6-5

TIA,

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Antonio Terceiro <terce...@debian.org>

diff -Nru ruby-activerecord-3.2-3.2.6/debian/changelog ruby-activerecord-3.2-3.2.6/debian/changelog
--- ruby-activerecord-3.2-3.2.6/debian/changelog	2013-01-03 11:21:21.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/changelog	2013-01-09 18:22:50.000000000 -0300
@@ -1,3 +1,10 @@
+ruby-activerecord-3.2 (3.2.6-4) unstable; urgency=high
+
+  * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk
+    [CVE-2013-0155] (Closes: #697744).
+
+ -- Antonio Terceiro <terce...@debian.org>  Wed, 09 Jan 2013 18:18:07 -0300
+
 ruby-activerecord-3.2 (3.2.6-3) unstable; urgency=high
 
   * debian/patches/3-2-dynamic_finder_injection.patch: fix SQL injection
diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch
--- ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/patches/CVE-2013-0155.patch	2013-01-09 18:25:01.000000000 -0300
@@ -0,0 +1,25 @@
+From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patter...@gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+diff --git a/lib/active_record/relation/predicate_builder.rb b/lib/active_record/relation/predicate_builder.rb
+index 6b118b4..b31fdfd 100644
+--- a/lib/active_record/relation/predicate_builder.rb
++++ b/lib/active_record/relation/predicate_builder.rb
+@@ -6,7 +6,12 @@ module ActiveRecord
+ 
+         if allow_table_name && value.is_a?(Hash)
+           table = Arel::Table.new(column, engine)
+-          build_from_hash(engine, value, table, false)
++
++          if value.empty?
++            '1 = 2'
++          else
++            build_from_hash(engine, value, table, false)
++          end
+         else
+           column = column.to_s
+ 
diff -Nru ruby-activerecord-3.2-3.2.6/debian/patches/series ruby-activerecord-3.2-3.2.6/debian/patches/series
--- ruby-activerecord-3.2-3.2.6/debian/patches/series	2013-01-03 11:04:55.000000000 -0300
+++ ruby-activerecord-3.2-3.2.6/debian/patches/series	2013-01-09 18:17:11.000000000 -0300
@@ -1,2 +1,3 @@
 Remove_rubygems_dependency.patch
 3-2-dynamic_finder_injection.patch
+CVE-2013-0155.patch

diff -Nru ruby-actionpack-3.2-3.2.6/debian/changelog ruby-actionpack-3.2-3.2.6/debian/changelog
--- ruby-actionpack-3.2-3.2.6/debian/changelog	2012-08-10 13:33:44.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/changelog	2013-01-09 18:27:16.000000000 -0300
@@ -1,3 +1,10 @@
+ruby-actionpack-3.2 (3.2.6-5) unstable; urgency=high
+
+  * debian/patches/CVE-2013-0155.patch: fix Unsafe Query Generation Risk
+    [CVE-2013-0155] (Closes: #697802)
+
+ -- Antonio Terceiro <terce...@debian.org>  Wed, 09 Jan 2013 18:25:45 -0300
+
 ruby-actionpack-3.2 (3.2.6-4) unstable; urgency=high
 
   * Add patches for security problems (Closes: #684454):
diff -Nru ruby-actionpack-3.2-3.2.6/debian/control.in ruby-actionpack-3.2-3.2.6/debian/control.in
--- ruby-actionpack-3.2-3.2.6/debian/control.in	2012-06-16 21:11:38.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/control.in	2012-11-14 09:42:31.000000000 -0300
@@ -7,7 +7,7 @@
 	Antonio Terceiro <terce...@debian.org>,
 DM-Upload-Allowed: yes
 Build-Depends: debhelper (>= 7.0.50~),
-	       gem2deb (>= 0.2.13~),
+	       gem2deb (>= 0.3.0~),
 	       ruby-activesupport-3.2 (>= @RAILS_VERSION@),
 	       ruby-activesupport-3.2 (<< @RAILS_VERSION@.),
 	       ruby-activerecord-3.2 (>= @RAILS_VERSION@),
diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch
--- ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch	1969-12-31 21:00:00.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/patches/CVE-2013-0155.patch	2013-01-09 18:28:16.000000000 -0300
@@ -0,0 +1,57 @@
+From b7d666e95aee11e441908278425d16deef87cefb Mon Sep 17 00:00:00 2001
+From: Aaron Patterson <aaron.patter...@gmail.com>
+Date: Fri, 4 Jan 2013 12:02:22 -0800
+Subject: [PATCH 1/2] * Strip nils from collections on JSON and XML posts.
+ [CVE-2013-0155] * dealing with empty hashes. Thanks
+ Damien Mathieu
+
+--- a/lib/action_dispatch/http/request.rb
++++ b/lib/action_dispatch/http/request.rb
+@@ -247,18 +247,14 @@ module ActionDispatch
+       LOCALHOST.any? { |local_ip| local_ip === remote_addr && local_ip === remote_ip }
+     end
+ 
+-    protected
+-
+     # Remove nils from the params hash
+     def deep_munge(hash)
+-      keys = hash.keys.find_all { |k| hash[k] == [nil] }
+-      keys.each { |k| hash[k] = nil }
+-
+-      hash.each_value do |v|
++      hash.each do |k, v|
+         case v
+         when Array
+           v.grep(Hash) { |x| deep_munge(x) }
+           v.compact!
++          hash[k] = nil if v.empty?
+         when Hash
+           deep_munge(v)
+         end
+@@ -267,6 +263,8 @@ module ActionDispatch
+       hash
+     end
+ 
++    protected
++
+     def parse_query(qs)
+       deep_munge(super)
+     end
+--- a/lib/action_dispatch/middleware/params_parser.rb
++++ b/lib/action_dispatch/middleware/params_parser.rb
+@@ -38,13 +38,13 @@ module ActionDispatch
+         when Proc
+           strategy.call(request.raw_post)
+         when :xml_simple, :xml_node
+-          data = Hash.from_xml(request.body.read) || {}
++          data = request.deep_munge(Hash.from_xml(request.body.read) || {})
+           request.body.rewind if request.body.respond_to?(:rewind)
+           data.with_indifferent_access
+         when :yaml
+           YAML.load(request.raw_post)
+         when :json
+-          data = ActiveSupport::JSON.decode(request.body)
++          data = request.deep_munge ActiveSupport::JSON.decode(request.body)
+           request.body.rewind if request.body.respond_to?(:rewind)
+           data = {:_json => data} unless data.is_a?(Hash)
+           data.with_indifferent_access
diff -Nru ruby-actionpack-3.2-3.2.6/debian/patches/series ruby-actionpack-3.2-3.2.6/debian/patches/series
--- ruby-actionpack-3.2-3.2.6/debian/patches/series	2012-08-10 13:29:41.000000000 -0300
+++ ruby-actionpack-3.2-3.2.6/debian/patches/series	2013-01-09 18:24:02.000000000 -0300
@@ -1,3 +1,4 @@
 CVE-2012-3424.patch
 CVE-2012-3463.patch
 CVE-2012-3465.patch
+CVE-2013-0155.patch

Attachment: signature.asc
Description: Digital signature

Reply via email to