!5 fix CVE-2021-22880

From: @wang_yue111 Reviewed-by: @zhanghua1831,@small_leek Signed-off-by: @small_leek
2021-03-17 14:09:51 +08:00 · 2021-03-17 14:09:51 +08:00 · 4b2f06d67d
commit 4b2f06d67d
parent 3ac2662132 0800bd5b3d
3 changed files with 79 additions and 4 deletions
--- a/CVE-2021-22880-1.patch
+++ b/CVE-2021-22880-1.patch
@ -0,0 +1,35 @@
+From 63e8026805ae9e78ef44efd72e07aeca5c2244fe Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Mon, 15 Mar 2021 11:14:45 +0800
+Subject: [PATCH] Fix possible DoS vector in PostgreSQL money type
+
+Carefully crafted input can cause a DoS via the regular expressions used
+for validating the money format in the PostgreSQL adapter.  This patch
+fixes the regexp.
+
+Thanks to @dee-see from Hackerone for this patch!
+
+[CVE-2021-22880]
+---
+ lib/active_record/connection_adapters/postgresql/oid/money.rb | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/active_record/connection_adapters/postgresql/oid/money.rb b/lib/active_record/connection_adapters/postgresql/oid/money.rb
+index 6434377..3703e9a 100644
+--- a/lib/active_record/connection_adapters/postgresql/oid/money.rb
+++ b/lib/active_record/connection_adapters/postgresql/oid/money.rb
+@@ -26,9 +26,9 @@ module ActiveRecord
+ 
+             value = value.sub(/^\((.+)\)$/, '-\1') # (4)
+             case value
+-            when /^-?\D+[\d,]+\.\d{2}$/  # (1)
+            when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
+               value.gsub!(/[^-\d.]/, "")
+-            when /^-?\D+[\d.]+,\d{2}$/  # (2)
+            when /^-?\D*+[\d.]+,\d{2}$/  # (2)
+               value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
+             end
+ 
+-- 
+2.23.0
+
--- a/CVE-2021-22880-2.patch
+++ b/CVE-2021-22880-2.patch
@ -0,0 +1,31 @@
+From 13b0efd97b9ec1b755d011ea2d0eceee70c5ae37 Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Tue, 16 Mar 2021 10:46:45 +0800
+Subject: [PATCH] test CVE-2021-22880
+
+---
+ .../test/cases/adapters/postgresql/money_test.rb          | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb b/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb
+index 61e75e7..cb31413 100644
+--- a/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb
+++ b/rails-5.2.4.4/activerecord/test/cases/adapters/postgresql/money_test.rb
+@@ -58,6 +58,14 @@ def test_money_type_cast
+     assert_equal(-2.25, type.cast("($2.25)".dup))
+   end
+ 
+  def test_money_regex_backtracking
+    type = PostgresqlMoney.type_for_attribute("wealth")
+    Timeout.timeout(0.1) do
+      assert_equal(0.0, type.cast("$" + "," * 100000 + ".11!"))
+      assert_equal(0.0, type.cast("$" + "." * 100000 + ",11!"))
+    end
+  end
+
+   def test_schema_dumping
+     output = dump_table_schema("postgresql_moneys")
+     assert_match %r{t\.money\s+"wealth",\s+scale: 2$}, output
+-- 
+2.23.0
+
--- a/rubygem-activerecord.spec
+++ b/rubygem-activerecord.spec
@ -2,12 +2,15 @@
 Name:                rubygem-%{gem_name}
 Epoch:               1
 Version:             5.2.4.4
-Release:             1
+Release:             2
 Summary:             Object-relational mapper framework (part of Rails)
 License:             MIT
 URL:                 http://rubyonrails.org
 Source0:             https://rubygems.org/gems/activerecord-5.2.4.4.gem
 Source1:             https://github.com/rails/rails/archive/v5.2.4.4.tar.gz
+Patch0:              CVE-2021-22880-1.patch 
+Patch1:              CVE-2021-22880-2.patch
+
 Suggests:            %{_bindir}/sqlite3
 BuildRequires:       rubygems-devel rubygem(bcrypt) rubygem(activesupport) = %{version}
 BuildRequires:       rubygem(activemodel) = %{version} rubygem(builder) rubygem(sqlite3)
@ -27,7 +30,11 @@ BuildArch:           noarch
 Documentation for %{name}.

 %prep
-%setup -q -n %{gem_name}-%{version}
+%setup -q -n %{gem_name}-%{version} -b 1
+%patch0 -p1
+pushd %{_builddir}
+%patch1 -p1
+popd

 %build
 gem build ../%{gem_name}-%{version}.gemspec
@ -40,8 +47,7 @@ cp -a .%{gem_dir}/* \

 %check
 pushd .%{gem_instdir}
-tar xzvf %{SOURCE1}
-cd rails-%{version}/%{gem_name}
+cp -a %{_builddir}/rails-%{version}/%{gem_name}/test test
 sed -i '/^\s*def test_too_many_binds$/ a skip' \
  test/cases/bind_parameter_test.rb
 sed -i '/^\s*def test_preloading_has_many_through_with_implicit_source$/ a skip' \
@ -71,6 +77,9 @@ popd
 %{gem_instdir}/examples

 %changelog
+* Tue Mar 16 2021 wangyue <wangyue92@huawei.com> - 5.2.4.4-2
+- fix CVE-2021-22880
+ 
 * Mon Feb  8 2021 sunguoshuai<sunguoshuai@huawei.com>- 5.2.4.4-1
 - Upgrade to 5.2.4.4