From 0800bd5b3df103f23cb80ec916fe037fb701ccad Mon Sep 17 00:00:00 2001 From: wang_yue111 <648774160@qq.com> Date: Mon, 15 Mar 2021 11:44:32 +0800 Subject: [PATCH] fix CVE-2021-22880 --- CVE-2021-22880-1.patch | 35 +++++++++++++++++++++++++++++++++++ CVE-2021-22880-2.patch | 31 +++++++++++++++++++++++++++++++ rubygem-activerecord.spec | 17 +++++++++++++---- 3 files changed, 79 insertions(+), 4 deletions(-) create mode 100644 CVE-2021-22880-1.patch create mode 100644 CVE-2021-22880-2.patch diff --git a/CVE-2021-22880-1.patch b/CVE-2021-22880-1.patch new file mode 100644 index 0000000..2292343 --- /dev/null +++ b/CVE-2021-22880-1.patch @@ -0,0 +1,35 @@ +From 63e8026805ae9e78ef44efd72e07aeca5c2244fe Mon Sep 17 00:00:00 2001 +From: wang_yue111 <648774160@qq.com> +Date: Mon, 15 Mar 2021 11:14:45 +0800 +Subject: [PATCH] Fix possible DoS vector in PostgreSQL money type + +Carefully crafted input can cause a DoS via the regular expressions used +for validating the money format in the PostgreSQL adapter. This patch +fixes the regexp. + +Thanks to @dee-see from Hackerone for this patch! + +[CVE-2021-22880] +--- + lib/active_record/connection_adapters/postgresql/oid/money.rb | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/active_record/connection_adapters/postgresql/oid/money.rb b/lib/active_record/connection_adapters/postgresql/oid/money.rb +index 6434377..3703e9a 100644 +--- a/lib/active_record/connection_adapters/postgresql/oid/money.rb ++++ b/lib/active_record/connection_adapters/postgresql/oid/money.rb +@@ -26,9 +26,9 @@ module ActiveRecord + + value = value.sub(/^\((.+)\)$/, '-\1') # (4) + case value +- when /^-?\D+[\d,]+\.\d{2}$/ # (1) ++ when /^-?\D*+[\d,]+\.\d{2}$/ # (1) + value.gsub!(/[^-\d.]/, "") +- when /^-?\D+[\d.]+,\d{2}$/ # (2) ++ when /^-?\D*+[\d.]+,\d{2}$/ # (2) + value.gsub!(/[^-\d,]/, "").sub!(/,/, ".") + end + +-- +2.23.0 + diff --git a/CVE-2021-22880-2.patch b/CVE-2021-22880-2.patch new file mode 100644 index 0000000..94b75b7 --- /dev/null +++ b/CVE-2021-22880-2.patch @@ -0,0 +1,31 @@ +From 13b0efd97b9ec1b755d011ea2d0eceee70c5ae37 Mon Sep 17 00:00:00 2001 +From: wang_yue111 <648774160@qq.com> +Date: Tue, 16 Mar 2021 10:46:45 +0800 +Subject: [PATCH] test CVE-2021-22880 + +--- + .../test/cases/adapters/postgresql/money_test.rb | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb b/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb +index 61e75e7..cb31413 100644 +--- a/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb ++++ b/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb +@@ -58,6 +58,14 @@ def test_money_type_cast + assert_equal(-2.25, type.cast("($2.25)".dup)) + end + ++ def test_money_regex_backtracking ++ type = PostgresqlMoney.type_for_attribute("wealth") ++ Timeout.timeout(0.1) do ++ assert_equal(0.0, type.cast("$" + "," * 100000 + ".11!")) ++ assert_equal(0.0, type.cast("$" + "." * 100000 + ",11!")) ++ end ++ end ++ + def test_schema_dumping + output = dump_table_schema("postgresql_moneys") + assert_match %r{t\.money\s+"wealth",\s+scale: 2$}, output +-- +2.23.0 + diff --git a/rubygem-activerecord.spec b/rubygem-activerecord.spec index 37d54ed..98db0ed 100644 --- a/rubygem-activerecord.spec +++ b/rubygem-activerecord.spec @@ -2,12 +2,15 @@ Name: rubygem-%{gem_name} Epoch: 1 Version: 5.2.4.4 -Release: 1 +Release: 2 Summary: Object-relational mapper framework (part of Rails) License: MIT URL: http://rubyonrails.org Source0: https://rubygems.org/gems/activerecord-5.2.4.4.gem Source1: https://github.com/rails/rails/archive/v5.2.4.4.tar.gz +Patch0: CVE-2021-22880-1.patch +Patch1: CVE-2021-22880-2.patch + Suggests: %{_bindir}/sqlite3 BuildRequires: rubygems-devel rubygem(bcrypt) rubygem(activesupport) = %{version} BuildRequires: rubygem(activemodel) = %{version} rubygem(builder) rubygem(sqlite3) @@ -27,7 +30,11 @@ BuildArch: noarch Documentation for %{name}. %prep -%setup -q -n %{gem_name}-%{version} +%setup -q -n %{gem_name}-%{version} -b 1 +%patch0 -p1 +pushd %{_builddir} +%patch1 -p1 +popd %build gem build ../%{gem_name}-%{version}.gemspec @@ -40,8 +47,7 @@ cp -a .%{gem_dir}/* \ %check pushd .%{gem_instdir} -tar xzvf %{SOURCE1} -cd rails-%{version}/%{gem_name} +cp -a %{_builddir}/rails-%{version}/%{gem_name}/test test sed -i '/^\s*def test_too_many_binds$/ a skip' \ test/cases/bind_parameter_test.rb sed -i '/^\s*def test_preloading_has_many_through_with_implicit_source$/ a skip' \ @@ -71,6 +77,9 @@ popd %{gem_instdir}/examples %changelog +* Tue Mar 16 2021 wangyue - 5.2.4.4-2 +- fix CVE-2021-22880 + * Mon Feb 8 2021 sunguoshuai- 5.2.4.4-1 - Upgrade to 5.2.4.4