diff --git a/SOURCES/rubygem-activerecord-4.1.14.1-CVE-2015-7577-fix-nested-attributes-rejection-proc-bypass-tests.patch b/SOURCES/rubygem-activerecord-4.1.14.1-CVE-2015-7577-fix-nested-attributes-rejection-proc-bypass-tests.patch
new file mode 100644
index 0000000..4ee929c
--- /dev/null
+++ b/SOURCES/rubygem-activerecord-4.1.14.1-CVE-2015-7577-fix-nested-attributes-rejection-proc-bypass-tests.patch
@@ -0,0 +1,47 @@
+From 5dc869dc73bcbe0b3dd415f257cf175015c4d014 Mon Sep 17 00:00:00 2001
+From: Andrew White
+Date: Fri, 27 Nov 2015 13:46:46 +0000
+Subject: [PATCH] Don't short-circuit reject_if proc
+
+When updating an associated record via nested attribute hashes the
+reject_if proc could be bypassed if the _destroy flag was set in the
+attribute hash and allow_destroy was set to false.
+
+The fix is to only short-circuit if the _destroy flag is set and the
+option allow_destroy is set to true. It also fixes an issue where
+a new record wasn't created if _destroy was set and the option
+allow_destroy was set to false.
+
+CVE-2015-7577
+---
+ activerecord/lib/active_record/nested_attributes.rb | 14 ++++++++++++--
+ activerecord/test/cases/nested_attributes_test.rb | 13 +++++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/activerecord/test/cases/nested_attributes_test.rb b/activerecord/test/cases/nested_attributes_test.rb
+index c87a837..e421600 100644
+--- a/activerecord/test/cases/nested_attributes_test.rb
++++ b/activerecord/test/cases/nested_attributes_test.rb
+@@ -161,6 +161,19 @@ class TestNestedAttributesInGeneral < ActiveRecord::TestCase
+ assert man.reload.interests.empty?
+ end
+
++ def test_reject_if_is_not_short_circuited_if_allow_destroy_is_false
++ Pirate.accepts_nested_attributes_for :ship, reject_if: ->(a) { a[:name] == "The Golden Hind" }, allow_destroy: false
++
++ pirate = Pirate.create!(catchphrase: "Stop wastin' me time", ship_attributes: { name: "White Pearl", _destroy: "1" })
++ assert_equal "White Pearl", pirate.reload.ship.name
++
++ pirate.update!(ship_attributes: { id: pirate.ship.id, name: "The Golden Hind", _destroy: "1" })
++ assert_equal "White Pearl", pirate.reload.ship.name
++
++ pirate.update!(ship_attributes: { id: pirate.ship.id, name: "Black Pearl", _destroy: "1" })
++ assert_equal "Black Pearl", pirate.reload.ship.name
++ end
++
+ def test_has_many_association_updating_a_single_record
+ Man.accepts_nested_attributes_for(:interests)
+ man = Man.create(name: 'John')
+--
+2.4.9 (Apple Git-60)
+
diff --git a/SOURCES/rubygem-activerecord-4.1.14.1-CVE-2015-7577-fix-nested-attributes-rejection-proc-bypass.patch b/SOURCES/rubygem-activerecord-4.1.14.1-CVE-2015-7577-fix-nested-attributes-rejection-proc-bypass.patch
new file mode 100644
index 0000000..7d8b09f
--- /dev/null
+++ b/SOURCES/rubygem-activerecord-4.1.14.1-CVE-2015-7577-fix-nested-attributes-rejection-proc-bypass.patch
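Review bot: The regression test `test_reject_if_is_not_short_circuited_if_allow_destroy_is_false` pins the fix only for the one-to-one `ship` association, so a has_many association with `allow_destroy: false` and a `reject_if` proc has no equivalent check; a sibling case built on the `Man`/`interests` models used by the neighbouring tests would cover it, assuming the collection path goes through the same rejection helpers. The test also rewrites `Pirate`'s nested-attributes options at class level and the hunk shows no restore, so confirm the enclosing test class (it starts outside the hunk) resets them in teardown. A one-line comment above the test would tie it to the advisory: `# CVE-2015-7577: _destroy must not bypass reject_if when allow_destroy is false`.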
@@ -0,0 +1,62 @@
+From 5dc869dc73bcbe0b3dd415f257cf175015c4d014 Mon Sep 17 00:00:00 2001
+From: Andrew White
+Date: Fri, 27 Nov 2015 13:46:46 +0000
+Subject: [PATCH] Don't short-circuit reject_if proc
+
+When updating an associated record via nested attribute hashes the
+reject_if proc could be bypassed if the _destroy flag was set in the
+attribute hash and allow_destroy was set to false.
+
+The fix is to only short-circuit if the _destroy flag is set and the
+option allow_destroy is set to true. It also fixes an issue where
+a new record wasn't created if _destroy was set and the option
+allow_destroy was set to false.
+
+CVE-2015-7577
+---
+ activerecord/lib/active_record/nested_attributes.rb | 14 ++++++++++++--
+ activerecord/test/cases/nested_attributes_test.rb | 13 +++++++++++++
+ 2 files changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/activerecord/lib/active_record/nested_attributes.rb b/activerecord/lib/active_record/nested_attributes.rb
+index 6df01b7..03a4009 100644
+--- a/activerecord/lib/active_record/nested_attributes.rb
++++ b/activerecord/lib/active_record/nested_attributes.rb
+@@ -523,7 +523,7 @@ module ActiveRecord
+ # has_destroy_flag? or if a :reject_if proc exists for this
+ # association and evaluates to +true+.
+ def reject_new_record?(association_name, attributes)
+- has_destroy_flag?(attributes) || call_reject_if(association_name, attributes)
++ will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes)
+ end
+
+ # Determines if a record with the particular +attributes+ should be
+@@ -532,7 +532,8 @@ module ActiveRecord
+ #
+ # Returns false if there is a +destroy_flag+ on the attributes.
+ def call_reject_if(association_name, attributes)
+- return false if has_destroy_flag?(attributes)
++ return false if will_be_destroyed?(association_name, attributes)
++
+ case callback = self.nested_attributes_options[association_name][:reject_if]
+ when Symbol
+ method(callback).arity == 0 ? send(callback) : send(callback, attributes)
+@@ -541,6 +542,15 @@ module ActiveRecord
+ end
+ end
+
++ # Only take into account the destroy flag if :allow_destroy is true
++ def will_be_destroyed?(association_name, attributes)
++ allow_destroy?(association_name) && has_destroy_flag?(attributes)
++ end
++
++ def allow_destroy?(association_name)
++ self.nested_attributes_options[association_name][:allow_destroy]
++ end
++
+ def raise_nested_attributes_record_not_found!(association_name, record_id)
+ raise RecordNotFound, "Couldn't find #{self.class._reflect_on_association(association_name).klass.name} with ID=#{record_id} for #{self.class.name} with ID=#{id}"
+ end
+--
+2.4.9 (Apple Git-60)
+
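Review bot: The doc comments kept as context above `reject_new_record?` and `call_reject_if` still describe the pre-fix behaviour: `# Returns false if there is a +destroy_flag+ on the attributes.` no longer holds when `:allow_destroy` is false, which is exactly the case the CVE fix is about. I would reword it to `# Returns false if there is a +destroy_flag+ on the attributes and :allow_destroy is true.` and change the `has_destroy_flag?` mention above `reject_new_record?` to `will_be_destroyed?`. The new `allow_destroy?` helper has no comment; `# Whether :allow_destroy is enabled for +association_name+ (nil when the option is unset)` would do. Both comment blocks begin above their hunks, so only their tails are visible here.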
@@ -0,0 +1,54 @@
+From 7a01874b75fdd62ab3626490cdf1c65c0ba659d0 Mon Sep 17 00:00:00 2001
+From: Aaron Patterson
+Date: Mon, 18 Jan 2016 13:51:02 -0800
+Subject: [PATCH] Eliminate instance level writers for class accessors
+
+Instance level writers can have an impact on how the Active Model /
+Record objects are saved. Specifically, they can be used to bypass
+validations. This is a problem if mass assignment protection is
+disabled and specific attributes are passed to the constructor.
+
+Conflicts:
+ activerecord/lib/active_record/scoping/default.rb
+ activesupport/lib/active_support/callbacks.rb
+
+CVE-2016-0753
+---
+ activemodel/lib/active_model/serializers/json.rb | 2 +-
+ activemodel/lib/active_model/validations.rb | 3 ++-
+ activerecord/lib/active_record/enum.rb | 2 +-
+ activerecord/lib/active_record/reflection.rb | 4 ++--
+ activesupport/lib/active_support/callbacks.rb | 2 +-
+ 5 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/activerecord/lib/active_record/enum.rb b/activerecord/lib/active_record/enum.rb
+index fba7747..c99941e 100644
+--- a/activerecord/lib/active_record/enum.rb
++++ b/activerecord/lib/active_record/enum.rb
+@@ -68,7 +68,7 @@ module ActiveRecord
+ # Where conditions on an enum attribute must use the ordinal value of an enum.
+ module Enum
+ def self.extended(base)
+- base.class_attribute(:defined_enums)
++ base.class_attribute(:defined_enums, instance_writer: false)
+ base.defined_enums = {}
+ end
+
+diff --git a/activerecord/lib/active_record/reflection.rb b/activerecord/lib/active_record/reflection.rb
+index 824e005..82b0123 100644
+--- a/activerecord/lib/active_record/reflection.rb
++++ b/activerecord/lib/active_record/reflection.rb
+@@ -4,8 +4,8 @@ module ActiveRecord
+ extend ActiveSupport::Concern
+
+ included do
+- class_attribute :_reflections
+- class_attribute :aggregate_reflections
++ class_attribute :_reflections, instance_writer: false
++ class_attribute :aggregate_reflections, instance_writer: false
+ self._reflections = {}
+ self.aggregate_reflections = {}
+ end
+--
+2.2.1
+
diff --git a/SPECS/rubygem-activerecord.spec b/SPECS/rubygem-activerecord.spec
index 23ffe3a..06164e3 100644
--- a/SPECS/rubygem-activerecord.spec
+++ b/SPECS/rubygem-activerecord.spec
@@ -8,7 +8,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: %{?scl_prefix}rubygem-%{gem_name}
 Epoch: 1
 Version: 4.1.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
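Review bot: Only the `activerecord/` part of the upstream commit is carried in this patch file: the header's diffstat lists five files, but the body touches just `enum.rb` and `reflection.rb`, leaving out `activemodel/lib/active_model/validations.rb`, `serializers/json.rb` and `activesupport/lib/active_support/callbacks.rb`. Since the commit message ties the issue to bypassing validations, this package on its own presumably does not close CVE-2016-0753; confirm that the activemodel and activesupport packages receive their share in the same update. The header also names `scoping/default.rb` under Conflicts without a matching hunk, so it is worth checking that no instance writer remains there in 4.1.5. A spec comment above `Patch0:` would record the split: `# activerecord/ hunks only; activemodel and activesupport hunks are patched in their own packages`.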
@@ -18,6 +18,15 @@ Source0: http://rubygems.org/downloads/activerecord-%{version}.gem
 # git checkout v4.1,5
 # tar czvf activerecord-4.1.5-tests.tgz test/
 Source1: activerecord-%{version}-tests.tgz
+
+# Fix CVE-2016-0753 Possible Input Validation Circumvention
+# https://bugzilla.redhat.com/show_bug.cgi?id=1301973
+Patch0: rubygem-activerecord-4.1.14.1-CVE-2016-0753-fix-possible-input-validation-circumvention.patch
+# Fix CVE-2015-7577 Nested attributes rejection proc bypass
+# https://bugzilla.redhat.com/show_bug.cgi?id=1301957
+Patch1: rubygem-activerecord-4.1.14.1-CVE-2015-7577-fix-nested-attributes-rejection-proc-bypass.patch
+Patch2: rubygem-activerecord-4.1.14.1-CVE-2015-7577-fix-nested-attributes-rejection-proc-bypass-tests.patch
+
 Requires: %{?scl_prefix_ruby}ruby(release)
 Requires: %{?scl_prefix_ruby}ruby(rubygems)
 Requires: %{?scl_prefix}rubygem(activesupport) = %{version}
@@ -60,6 +69,9 @@ Documentation for %{pkg_name}
 pushd .%{gem_instdir}
 tar xzvf %{SOURCE1}
+%patch0 -p2
+%patch1 -p2
+%patch2 -p2
 popd
 %build
@@ -111,6 +123,12 @@ popd
 %{gem_instdir}/test
 %changelog
+* Wed Feb 10 2016 Pavel Valena - 1:4.1.5-2
+- Fix possible input validation circumvention - rhbz#1301973
+ - Resolves: CVE-2016-0753
+- Nested attributes rejection proc bypass - rhbz#1301957
+ - Resolves: CVE-2015-7577
+
 * Thu Jan 22 2015 Josef Stribny - 1:4.1.5-1
 - Update to 4.1.5
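Review bot: The `Patch0`–`Patch2` comments give the CVE and bug link but not where the patches come from: the file names say 4.1.14.1 while `Version:` is 4.1.5, so these are presumably backports, and a line such as `# Backported from upstream 4.1.14.1` next to each would tell the next maintainer they can be dropped on rebase. In the `%prep` hunk the three `%patch` lines have to stay after `tar xzvf %{SOURCE1}`, because Patch2 modifies `test/cases/nested_attributes_test.rb`, which appears to come only from that tarball; I would add `# Apply after unpacking the test tarball: Patch2 modifies test/` above `%patch0 -p2`. Whether the patched test is actually run during the build is not visible in these hunks.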