Fri Feb 15 13:51:53 2013 UTC ()
Pullup ticket #4073 - requested by taca
databases/ruby-activerecord3: security patch
devel/ruby-activemodel: security patch
Revisions pulled up:
- databases/ruby-activerecord3/Makefile 1.9
- databases/ruby-activerecord3/distinfo 1.19-1.20
- databases/ruby-activerecord3/patches/patch-lib_active__record_attribute__methods_write.rb 1.1-1.2
- devel/ruby-activemodel/Makefile 1.12
- devel/ruby-activemodel/distinfo 1.19-1.20
- devel/ruby-activemodel/patches/patch-lib_active__model_attribute__methods.rb 1.1-1.2
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Feb 12 13:23:20 UTC 2013
Modified Files:
pkgsrc/databases/ruby-activerecord3: Makefile distinfo
Added Files:
pkgsrc/databases/ruby-activerecord3/patches:
patch-lib_active__record_attribute__methods_write.rb
Log Message:
Add fix for CVE-2013-0277.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Feb 13 14:08:07 UTC 2013
Modified Files:
pkgsrc/databases/ruby-activerecord3: distinfo
pkgsrc/databases/ruby-activerecord3/patches:
patch-lib_active__record_attribute__methods_write.rb
Log Message:
Correct comment in a patch file.
This change doesn't fix CVE-2013-0276 but gives a workaround for it.
No PKGREVISION bump.
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Feb 12 15:30:42 UTC 2013
Modified Files:
pkgsrc/devel/ruby-activemodel: Makefile distinfo
Added Files:
pkgsrc/devel/ruby-activemodel/patches:
patch-lib_active__model_attribute__methods.rb
Log Message:
Add fix for CVE-2013-0276.
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Wed Feb 13 14:07:31 UTC 2013
Modified Files:
pkgsrc/devel/ruby-activemodel: distinfo
pkgsrc/devel/ruby-activemodel/patches:
patch-lib_active__model_attribute__methods.rb
Log Message:
Correct comment in a patch file.
This change doesn't fix CVE-2013-0276 but gives a workaround for it.
No PKGREVISION bump.
(tron)
diff -r1.8 -r1.8.6.1 pkgsrc/databases/ruby-activerecord3/Makefile
diff -r1.15.4.3 -r1.15.4.4 pkgsrc/databases/ruby-activerecord3/distinfo
diff -r0 -r1.2.2.2 pkgsrc/databases/ruby-activerecord3/patches/patch-lib_active__record_attribute__methods_write.rb
diff -r1.11 -r1.11.6.1 pkgsrc/devel/ruby-activemodel/Makefile
diff -r1.15.4.3 -r1.15.4.4 pkgsrc/devel/ruby-activemodel/distinfo
diff -r0 -r1.2.2.2 pkgsrc/devel/ruby-activemodel/patches/patch-lib_active__model_attribute__methods.rb
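--- a/pkgsrc/databases/ruby-activerecord3/Makefile
+++ b/pkgsrc/databases/ruby-activerecord3/Makefile
@@ -1,16 +1,17 @@
-# $NetBSD: Makefile,v 1.8 2012/06/14 14:50:06 taca Exp $
+# $NetBSD: Makefile,v 1.8.6.1 2013/02/15 13:51:53 tron Exp $
 
 DISTNAME= activerecord-${RUBY_RAILS_VERSION}
+PKGREVISION= 1
 CATEGORIES= databases
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.rubyonrails.org/
 COMMENT= Object-relational mapper framework (part of Rails 3.0)
 LICENSE= mit
 
 # Comment out dependency in gemspec but already depends indirectly one.
 #DEPENDS+= ${RUBY_ACTIVESUPPORT_DEPENDS}
 DEPENDS+= ${RUBY_ACTIVEMODEL_DEPENDS}
 DEPENDS+= ${RUBY_PKGPREFIX}-arel>=2.0.10<2.1:../../databases/ruby-arel20
 DEPENDS+= ${RUBY_PKGPREFIX}-tzinfo>=0.3.23<0.4:../../time/ruby-tzinfo
 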
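--- a/pkgsrc/databases/ruby-activerecord3/distinfo
+++ b/pkgsrc/databases/ruby-activerecord3/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.15.4.3 2013/02/02 10:39:59 tron Exp $
+$NetBSD: distinfo,v 1.15.4.4 2013/02/15 13:51:53 tron Exp $
 
 SHA1 (activerecord-3.0.20.gem) = d8fc6e02bf46f9b5f86c3a954932d67da211302b
 RMD160 (activerecord-3.0.20.gem) = d0b2375d461414bb3d54122fd8e4812a4e4edac8
 Size (activerecord-3.0.20.gem) = 344576 bytes
+SHA1 (patch-lib_active__record_attribute__methods_write.rb) = 5bdbd60bd7bf7a24d8957d23316517c2b4858597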
$NetBSD$
Workaround for CVE-2013-0277.
--- lib/active_record/attribute_methods/write.rb.orig 2013-02-12 00:08:22.000000000 +0000
+++ lib/active_record/attribute_methods/write.rb
@@ -10,7 +10,14 @@ module ActiveRecord
module ClassMethods
protected
def define_method_attribute=(attr_name)
- if attr_name =~ /^[a-zA-Z_]\w*[!?=]?$/
+ if self.serialized_attributes[attr_name]
+ generated_attribute_methods.send(:define_method, "#{attr_name}=") do |new_value|
+ if new_value.is_a?(String) and new_value =~ /^---/
+ raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
+ end
+ write_attribute(attr_name, new_value)
+ end
+ elsif attr_name =~ /^[a-zA-Z_]\w*[!?=]?$/
generated_attribute_methods.module_eval("def #{attr_name}=(new_value); write_attribute('#{attr_name}', new_value); end", __FILE__, __LINE__)
else
generated_attribute_methods.send(:define_method, "#{attr_name}=") do |new_value|
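Review bot: The guard on the new `if new_value.is_a?(String) and new_value =~ /^---/` line works only because `and` binds looser than `=~`; `&&` is the idiomatic boolean operator and avoids that precedence trap if the condition is ever extended, so `if new_value.is_a?(String) && new_value =~ /^---/`. The `^` anchor also matches after any newline, so a multi-line value containing a line that starts with `---` is rejected as well; whether that is intended is not visible here, and because this is a security guard it should not be narrowed to `\A` without first confirming how the YAML loader treats text that precedes a document marker. Since the pullup log itself calls this a workaround, the heuristic nature of the check deserves a comment above the `if`, e.g. `# Heuristic: refuse String values that look like a YAML document so pre-serialized YAML is not deserialized from this attribute; workaround for CVE-2013-0277, not a complete fix.` The enclosing `define_method_attribute=` continues past the end of the hunk.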
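--- a/pkgsrc/devel/ruby-activemodel/Makefile
+++ b/pkgsrc/devel/ruby-activemodel/Makefile
@@ -1,16 +1,17 @@
-# $NetBSD: Makefile,v 1.11 2012/06/14 14:48:35 taca Exp $
+# $NetBSD: Makefile,v 1.11.6.1 2013/02/15 13:51:53 tron Exp $
 
 DISTNAME= activemodel-${RUBY_RAILS_VERSION}
+PKGREVISION= 1
 CATEGORIES= devel
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.rubyonrails.org/
 COMMENT= Toolkit for building modeling frameworks (part of Rails 3.0)
 LICENSE= mit
 
 DEPENDS+= ${RUBY_ACTIVESUPPORT_DEPENDS}
 DEPENDS+= ${RUBY_PKGPREFIX}-builder>=2.1.2:../../textproc/ruby-builder
 DEPENDS+= ${RUBY_PKGPREFIX}-i18n>=0.5.0<0.6:../../devel/ruby-i18n_05
 
 RUBY_RAILS_SUPPORTED= 3
 RUBY_RAILS_STRICT_DEP= yes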
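--- a/pkgsrc/devel/ruby-activemodel/distinfo
+++ b/pkgsrc/devel/ruby-activemodel/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.15.4.3 2013/02/02 10:40:00 tron Exp $
+$NetBSD: distinfo,v 1.15.4.4 2013/02/15 13:51:53 tron Exp $
 
 SHA1 (activemodel-3.0.20.gem) = 80c7d881ed64ed7a66f4d82b12c2b98b43f6fbde
 RMD160 (activemodel-3.0.20.gem) = 20c74da6d7a173a5d5a252a138afa5b132f9a7b9
 Size (activemodel-3.0.20.gem) = 38912 bytes
+SHA1 (patch-lib_active__model_attribute__methods.rb) = bd38ac936bc8777473c1a02685156207661344fb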
$NetBSD$
Workaround for CVE-2013-0276.
--- lib/active_model/attribute_methods.rb.orig 2013-02-12 15:27:17.000000000 +0000
+++ lib/active_model/attribute_methods.rb
@@ -347,7 +347,7 @@ module ActiveModel
def initialize(options = {})
options.symbolize_keys!
@prefix, @suffix = options[:prefix] || '', options[:suffix] || ''
- @regex = /^(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})$/
+ @regex = /\A(#{Regexp.escape(@prefix)})(.+?)(#{Regexp.escape(@suffix)})\z/
end
def match(method_name)