Hello community,
here is the log from the commit of package rubygem-activerecord-3_2 for
openSUSE:Factory checked in at 2014-07-21 21:39:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-activerecord-3_2 (Old)
and /work/SRC/openSUSE:Factory/.rubygem-activerecord-3_2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-activerecord-3_2"
Changes:
--------
---
/work/SRC/openSUSE:Factory/rubygem-activerecord-3_2/rubygem-activerecord-3_2.changes
2014-04-17 14:09:20.000000000 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-activerecord-3_2.new/rubygem-activerecord-3_2.changes
2014-07-21 22:34:24.000000000 +0200
@@ -1,0 +2,8 @@
+Thu Jul 17 18:12:39 UTC 2014 - [email protected]
+
+- fix CVE-2014-3482: SQL injection vulnerability in 'bitstring' quoting
+ (bnc#885636)
+
+ CVE-2014-3482.patch: patch that fixes the vulnerability
+
+-------------------------------------------------------------------
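Review bot: the changelog entry describes `CVE-2014-3482.patch` only as "patch that fixes the vulnerability"; add where the patch comes from (the upstream Rails commit or advisory it was taken from, or a statement that it was backported by hand) so a later maintainer can verify the packaged patch against its source.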
New:
----
CVE-2014-3482.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-activerecord-3_2.spec ++++++
--- /var/tmp/diff_new_pack.8MeCRo/_old 2014-07-21 22:34:25.000000000 +0200
+++ /var/tmp/diff_new_pack.8MeCRo/_new 2014-07-21 22:34:25.000000000 +0200
@@ -29,6 +29,7 @@
BuildRequires: rubygem(rdoc) > 3.10
Url: http://www.rubyonrails.org
Source: http://rubygems.org/gems/%{mod_full_name}.gem
+Source1: CVE-2014-3482.patch
Summary: Object-relational mapper framework (part of Rails)
License: MIT
Group: Development/Languages/Ruby
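Review bot: the added `Source1: CVE-2014-3482.patch` line declares the patch as a source file rather than with a `Patch0:` tag; a `Patch0:` tag makes it visible to rpm tooling as a patch and lets %prep apply it with `%patch0 -p2` instead of a hand-written `patch` invocation.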
@@ -48,9 +49,13 @@
Usually in RDoc and RI formats.
%prep
-#gem_unpack
-#if you need patches, apply them here and replace the # with a % sign in the
surrounding lines
-#gem_build
+gem unpack --verbose %{S:0}
+pushd %{mod_full_name}
+ chmod -R go-w .
+ gem spec --ruby %{S:0} > %{mod_full_name}.gemspec
+ patch -p2 < %{S:1}
+ gem build %{mod_full_name}.gemspec
+popd
%build
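Review bot: `patch -p2 < %{S:1}` applies the security fix with the default fuzz factor, so a hunk that lands in the wrong place can still succeed silently; since this hunk already replaces the `%gem_unpack`/`%gem_build` placeholders with a hand-expanded sequence, prefer `%patch0 -p2` (paired with a `Patch0:` tag) or at least `patch -p2 -F0`, so a mis-applied patch fails the build. The `-p2` strip level itself is right for the `a/activerecord/lib/...` paths in the patch header, since the unpacked gem root corresponds to the `activerecord/` directory.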
++++++ CVE-2014-3482.patch ++++++
--- a/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+++ b/activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
@@ -442,8 +442,8 @@ module ActiveRecord
when 'xml' then "xml '#{quote_string(value)}'"
when /^bit/
case value
- when /^[01]*$/ then "B'#{value}'" # Bit-string notation
- when /^[0-9A-F]*$/i then "X'#{value}'" # Hexadecimal notation
+ when /\A[01]*\Z/ then "B'#{value}'" # Bit-string notation
+ when /\A[0-9A-F]*\Z/i then "X'#{value}'" # Hexadecimal notation
end
else
super
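Review bot: the two added regexes switch from `^`/`$` to `\A`/`\Z`, which is the actual fix (in Ruby `^` and `$` match at every line boundary, so only the first line of a multi-line value was ever validated); note however that `\Z` still matches before a single trailing newline, so a value ending in `\n` passes the check and the newline is interpolated into the `B'...'`/`X'...'` literal. It cannot escape the quoted literal, but `\z` is the strict end-of-string anchor and would reject it outright; either way, a test case with multi-line input for this branch would document the intent.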
@@ -1160,7 +1160,7 @@ module ActiveRecord
FEATURE_NOT_SUPPORTED = "0A000" # :nodoc:
def exec_no_cache(sql, binds)
- @connection.async_exec(sql)
+ @connection.async_exec(sql, [])
end
def exec_cache(sql, binds)
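Review bot: `@connection.async_exec(sql, [])` reads as a no-op next to the removed line and needs an inline comment stating why the empty parameter array is there: supplying a parameter array makes the pg driver use the extended query protocol, under which the server accepts only one statement per call, so an additional `;`-separated statement is rejected instead of executed. Without that comment a later cleanup is likely to revert it.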