diff --git a/SOURCES/rubygem-activemodel-4.1.14.1-CVE-2016-0753-fix-possible-input-validation-circumvention.patch b/SOURCES/rubygem-activemodel-4.1.14.1-CVE-2016-0753-fix-possible-input-validation-circumvention.patch
new file mode 100644
index 0000000..0539b76
--- /dev/null
+++ b/SOURCES/rubygem-activemodel-4.1.14.1-CVE-2016-0753-fix-possible-input-validation-circumvention.patch
@@ -0,0 +1,55 @@
+From 7a01874b75fdd62ab3626490cdf1c65c0ba659d0 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Mon, 18 Jan 2016 13:51:02 -0800
+Subject: [PATCH] Eliminate instance level writers for class accessors
+
+Instance level writers can have an impact on how the Active Model /
+Record objects are saved. Specifically, they can be used to bypass
+validations. This is a problem if mass assignment protection is
+disabled and specific attributes are passed to the constructor.
+
+Conflicts:
+ activerecord/lib/active_record/scoping/default.rb
+ activesupport/lib/active_support/callbacks.rb
+
+CVE-2016-0753
+---
+ activemodel/lib/active_model/serializers/json.rb | 2 +-
+ activemodel/lib/active_model/validations.rb | 3 ++-
+ activerecord/lib/active_record/enum.rb | 2 +-
+ activerecord/lib/active_record/reflection.rb | 4 ++--
+ activesupport/lib/active_support/callbacks.rb | 2 +-
+ 5 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/activemodel/lib/active_model/serializers/json.rb b/activemodel/lib/active_model/serializers/json.rb
+index c58e73f..fd405ff 100644
+--- a/activemodel/lib/active_model/serializers/json.rb
++++ b/activemodel/lib/active_model/serializers/json.rb
+@@ -10,7 +10,7 @@ module ActiveModel
+ included do
+ extend ActiveModel::Naming
+ 
+- class_attribute :include_root_in_json
++ class_attribute :include_root_in_json, instance_writer: false
+ self.include_root_in_json = false
+ end
+ 
+diff --git a/activemodel/lib/active_model/validations.rb b/activemodel/lib/active_model/validations.rb
+index e9674d5..7451da0 100644
+--- a/activemodel/lib/active_model/validations.rb
++++ b/activemodel/lib/active_model/validations.rb
+@@ -46,9 +46,10 @@ module ActiveModel
+ include HelperMethods
+ 
+ attr_accessor :validation_context
++ private :validation_context=
+ define_callbacks :validate, scope: :name
+ 
+- class_attribute :_validators
++ class_attribute :_validators, instance_writer: false
+ self._validators = Hash.new { |h,k| h[k] = [] }
+ end
+ +-- +2.2.1 + diff --git a/SPECS/rubygem-activemodel.spec b/SPECS/rubygem-activemodel.spec index dd5dbcf..b6953e8 100644 --- a/SPECS/rubygem-activemodel.spec +++ b/SPECS/rubygem-activemodel.spec @@ -8,7 +8,7 @@ Summary: A toolkit for building modeling frameworks Name: %{?scl_prefix}rubygem-%{gem_name} Version: 4.1.5 -Release: 1%{?dist} +Release: 2%{?dist} Group: Development/Languages License: MIT URL: http://www.rubyonrails.org @@ -17,6 +17,11 @@ Source0: http://rubygems.org/gems/%{gem_name}-%{version}.gem # tar czvf activemodel-4.1.5-tests.tgz test/ Source1: %{gem_name}-%{version}-tests.tgz # Let's keep Requires and BuildRequires sorted alphabeticaly + +# Fix CVE-2016-0753 Possible Input Validation Circumvention +# https://bugzilla.redhat.com/show_bug.cgi?id=1301973 +Patch0: rubygem-activemodel-4.1.14.1-CVE-2016-0753-fix-possible-input-validation-circumvention.patch + Requires: %{?scl_prefix_ruby}ruby(release) Requires: %{?scl_prefix_ruby}ruby(rubygems) Requires: %{?scl_prefix}rubygem(activesupport) = %{version} @@ -48,12 +53,20 @@ Requires:%{?scl_prefix}%{pkg_name} = %{version}-%{release} Documentation for %{pkg_name} %prep -%setup -q -c -T %{?scl:scl enable %{scl} - << \EOF} -%gem_install -n %{SOURCE0} +gem unpack %{SOURCE0} +%setup -q -D -T -n %{gem_name}-%{version} + +gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec + +%patch0 -p2 %{?scl:EOF} %build +%{?scl:scl enable %{scl} - << \EOF} +gem build %{gem_name}.gemspec +%gem_install +%{?scl:EOF} %install mkdir -p %{buildroot}%{gem_dir} @@ -94,6 +107,10 @@ rm -rf %{testdir} %doc %{gem_docdir} %changelog +* Wed Feb 10 2016 Pavel Valena - 4.1.5-2 +- Fix possible input validation circumvention - rhbz#1301973 + - Resolves: CVE-2016-0753 + * Tue Jan 20 2015 Josef Stribny - 4.1.5-1 - Update to 4.1.5
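Review bot: The embedded patch carries only the two activemodel hunks (serializers/json.rb and validations.rb) while its diffstat and Conflicts section still list activerecord/enum.rb, activerecord/reflection.rb and activesupport/callbacks.rb, so a reader of SOURCES cannot tell whether the remainder of CVE-2016-0753 is deliberately left to other packages. Presumably the activerecord and activesupport hunks are applied in their own packages of this collection; that should be confirmed and stated in the patch header, e.g. `Only the activemodel hunks of the upstream commit are kept here; the activerecord and activesupport hunks are carried by their respective packages.` Since the hunk offsets come from 4.1.14.1 and the target is 4.1.5, the build log of %prep is the place to check that both hunks apply without fuzz.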
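Review bot: The new Patch0 comment block records the CVE and the bug, but not that the file is a backport of a 4.1.14.1 fix onto 4.1.5, which is the first thing the mismatch between the patch name and `Version: 4.1.5` makes a maintainer ask. Adding the upstream reference next to the bug link, `# Backport of upstream commit 7a01874b75fdd62ab3626490cdf1c65c0ba659d0 (shipped in 4.1.14.1) to 4.1.5`, keeps the provenance with the patch rather than only in the changelog.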
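Review bot: `%patch0 -p2` in the rewritten %prep depends on the patch's `a/activemodel/lib/...` paths losing two components so the hunks land in `lib/active_model/` of the unpacked gem, and nothing in the spec says why -p2 rather than the usual -p1. A comment above it, `# -p2: upstream paths start with activemodel/, which the unpacked gem tree does not have`, saves the next backport from guessing. Note also that `gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec` runs before the patch is applied, so the gem rebuilt in %build ships the patched files under the original file list; that is fine for this patch, which adds no files, but a later patch that does would need the gemspec regenerated or edited afterwards.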