diff --git a/SOURCES/rubygem-activerecord-4.2.7.1-CVE-2016-6317-unsafe-query.patch b/SOURCES/rubygem-activerecord-4.2.7.1-CVE-2016-6317-unsafe-query.patch
new file mode 100644
index 0000000..65a4461
--- /dev/null
+++ b/SOURCES/rubygem-activerecord-4.2.7.1-CVE-2016-6317-unsafe-query.patch
@@ -0,0 +1,14 @@
+diff --git a/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb b/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb
+index fb08326..d4e74eb 100644
+--- a/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb
++++ b/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb
+@@ -14,7 +14,8 @@ def call(attribute, value)
+ it for 'IN' conditions.
+ MSG
+
+- values = values.flatten
++ flat_values = values.flatten
++ values = flat_values unless flat_values.include?(nil)
+ end
+
+ return attribute.in([]) if values.empty? && nils.empty?
diff --git a/SPECS/rubygem-activerecord.spec b/SPECS/rubygem-activerecord.spec
index 273d209..19eb184 100755
--- a/SPECS/rubygem-activerecord.spec
+++ b/SPECS/rubygem-activerecord.spec
@@ -8,7 +8,7 @@ Summary: Implements the ActiveRecord pattern for ORM
 Name: %{?scl_prefix}rubygem-%{gem_name}
 Epoch: 1
 Version: 4.2.6
-Release: 2%{?dist}
+Release: 3%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -18,6 +18,9 @@ Source0: http://rubygems.org/downloads/activerecord-%{version}.gem
 # git checkout v4.2.6
 # tar czvf activerecord-4.2.6-tests.tgz test/
 Source1: activerecord-%{version}-tests.tgz
+# Fix CVE-2016-6317 unsafe query generation in Active Record
+# https://bugzilla.redhat.com/show_bug.cgi?id=1365017
+Patch0: rubygem-activerecord-4.2.7.1-CVE-2016-6317-unsafe-query.patch
 Requires: %{?scl_prefix_ruby}ruby(release)
 Requires: %{?scl_prefix_ruby}ruby(rubygems)
 
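Review bot: The new patch file carries no preamble identifying the upstream change it backports — it starts directly at `diff --git` with no commit id, author, date or CVE reference — so a later maintainer cannot check it against the Rails 4.2.7.1 release without re-deriving it. I would prepend a `git format-patch`-style header, or at minimum a comment block such as `Backport of upstream commit <UPSTREAM_COMMIT_ID> fixing CVE-2016-6317` (with the real id filled in) above the first `diff --git` line, and record the same id next to `Patch0:` in the spec hunk below. That header should also state that the hunk touches only `array_handler.rb` and that, when the flattened list contains `nil`, `values` is now deliberately left nested instead of flattened; whether `attribute.in(values)` later renders a still-nested array as intended is not visible here, since the enclosing `call` method starts and ends outside the hunk.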
@@ -64,6 +67,8 @@ gem unpack %{SOURCE0}
 gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
 %{?scl:EOF}
+%patch0 -p2
+
 %build
 %{?scl:scl enable %{scl} - << \EOF}
 gem build %{gem_name}.gemspec
@@ -86,10 +91,25 @@ sed -i '1,2d' test/cases/helper.rb
 # Fail with any test
 set -e
-# There is one more or N failures when requiring the tests in the following order.
-# Running them in complete isolation solves the problem but takes too much time.
-# So accepting up to 2 failures.
-ruby -I.:test:lib < - 1:4.2.6-3
+- Fix for CVE-2016-6317
+ Resolves: rhbz#1365017
+- Improve tests not to accept the failures
+
 * Fri Apr 08 2016 Pavel Valena - 1:4.2.6-2
 - Make build fail on tests failure
 - Lower accepted test failures to 2
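Review bot: `%patch0 -p2` applies a change to `lib/` only, while the test suite is taken from the separate `Source1` tarball (`activerecord-%{version}-tests.tgz`), so the test run that follows exercises the CVE-2016-6317 fix only incidentally — no regression test for the nil-inside-nested-array case is brought in, and a broken backport would build and ship silently. I would carry the matching upstream regression test as a second patch applied to the unpacked tests (or refresh `Source1`), so that the fix is actually asserted in the build. `-p2` is consistent with the nested `a/activerecord/lib/...` paths in the patch, assuming `%patch0` runs inside the unpacked gem directory; that setup is not visible here, as the `%prep` section starts outside the hunk.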