Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package ruby-activerecord-2.3 This release fixes a SQL injection vulnerability (CVE-2012-5664). Attached is the debdiff between this version and the one in testing. unblock ruby-activerecord-2.3/2.3.14-3 -- System Information: Debian Release: 7.0 APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.utf8, LC_CTYPE=pt_BR.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Antonio Terceiro <terce...@debian.org>
diff -Nru ruby-activerecord-2.3-2.3.14/debian/changelog ruby-activerecord-2.3-2.3.14/debian/changelog --- ruby-activerecord-2.3-2.3.14/debian/changelog 2012-06-29 14:37:30.000000000 -0300 +++ ruby-activerecord-2.3-2.3.14/debian/changelog 2013-01-03 11:48:18.000000000 -0300 @@ -1,3 +1,11 @@ +ruby-activerecord-2.3 (2.3.14-3) unstable; urgency=high + + * Team upload. + * debian/patches/2-3-dynamic_finder_injection.patch: fix SQL injection + vulnerability (CVE-2012-5664). + + -- Antonio Terceiro <terce...@debian.org> Thu, 03 Jan 2013 11:43:56 -0300 + ruby-activerecord-2.3 (2.3.14-2) unstable; urgency=low * Team upload. diff -Nru ruby-activerecord-2.3-2.3.14/debian/control ruby-activerecord-2.3-2.3.14/debian/control --- ruby-activerecord-2.3-2.3.14/debian/control 2012-06-29 14:45:22.000000000 -0300 +++ ruby-activerecord-2.3-2.3.14/debian/control 2012-09-01 17:37:56.000000000 -0300 @@ -2,7 +2,6 @@ Section: ruby Priority: optional Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org> -Uploaders: Ondřej Surý <ond...@debian.org> DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.3.0~), diff -Nru ruby-activerecord-2.3-2.3.14/debian/control.in ruby-activerecord-2.3-2.3.14/debian/control.in --- ruby-activerecord-2.3-2.3.14/debian/control.in 2012-06-29 14:45:14.000000000 -0300 +++ ruby-activerecord-2.3-2.3.14/debian/control.in 2012-09-01 17:37:56.000000000 -0300 @@ -2,7 +2,6 @@ Section: ruby Priority: optional Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org> -Uploaders: Ondřej Surý <ond...@debian.org> DM-Upload-Allowed: yes Build-Depends: debhelper (>= 7.0.50~), gem2deb (>= 0.3.0~), diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch --- ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch 1969-12-31 21:00:00.000000000 -0300 +++ ruby-activerecord-2.3-2.3.14/debian/patches/2-3-dynamic_finder_injection.patch 2013-01-03 11:31:43.000000000 -0300 @@ -0,0 +1,54 @@ +From 9de9b359d0d24f70f0f6c5c58a7ad8750684d456 Mon Sep 17 00:00:00 2001 +From: Aaron Patterson <aaron.patter...@gmail.com> +Date: Sun, 23 Dec 2012 11:07:07 -0800 +Subject: [PATCH] CVE-2012-5664 options hashes should only be extracted if + there are extra parameters + +--- + lib/active_record/base.rb | 6 +++++- + test/cases/finder_test.rb | 12 ++++++++++++ + 2 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/lib/active_record/base.rb b/glib/active_record/base.rb +index 461007f..809a38c 100755 +--- a/lib/active_record/base.rb ++++ b/lib/active_record/base.rb +@@ -1897,7 +1897,11 @@ module ActiveRecord #:nodoc: + # end + self.class_eval <<-EOS, __FILE__, __LINE__ + 1 + def self.#{method_id}(*args) +- options = args.extract_options! ++ options = if args.length > #{attribute_names.size} ++ args.extract_options! ++ else ++ {} ++ end + attributes = construct_attributes_from_arguments( + [:#{attribute_names.join(',:')}], + args +diff --git a/test/cases/finder_test.rb b/gtest/cases/finder_test.rb +index c779a69..9e3ab92 100644 +--- a/test/cases/finder_test.rb ++++ b/test/cases/finder_test.rb +@@ -66,6 +66,18 @@ end + class FinderTest < ActiveRecord::TestCase + fixtures :companies, :topics, :entrants, :developers, :developers_projects, :posts, :comments, :accounts, :authors, :customers + ++ def test_find_by_id_with_hash ++ assert_raises(ActiveRecord::StatementInvalid) do ++ Post.find_by_id(:limit => 1) ++ end ++ end ++ ++ def test_find_by_title_and_id_with_hash ++ assert_raises(ActiveRecord::StatementInvalid) do ++ Post.find_by_title_and_id('foo', :limit => 1) ++ end ++ end ++ + def test_find + assert_equal(topics(:first).title, Topic.find(1).title) + end +-- +1.7.10.2 (Apple Git-33) + diff -Nru ruby-activerecord-2.3-2.3.14/debian/patches/series ruby-activerecord-2.3-2.3.14/debian/patches/series --- ruby-activerecord-2.3-2.3.14/debian/patches/series 2012-02-02 20:56:24.000000000 -0200 +++ ruby-activerecord-2.3-2.3.14/debian/patches/series 2013-01-03 11:23:52.000000000 -0300 @@ -1,2 +1,3 @@ 0001-remove_require_rubygems.patch activerecord-2.3.5-1.patch +2-3-dynamic_finder_injection.patch
signature.asc
Description: Digital signature