automated patching against SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

Suppose you have a server with multiple rubies, rvms, gemsets, etc…

Manually finding and patching all affected activerecord-gems would be pretty cumbersome.

The following script does the job for you:


#!/usr/bin/env ruby

SEARCH_DIR = "/" # by default search the entire filesystem
ACTIVERECORD_GEM_VERSIONS = ['2.3','3.0','3.1','3.2']
PATCHES = {
'2.3' => 'https://bugzilla.redhat.com/attachment.cgi?id=672189',
'3.0' => 'https://bugzilla.redhat.com/attachment.cgi?id=672190',
'3.1' => 'https://bugzilla.redhat.com/attachment.cgi?id=672191',
'3.2' => 'https://bugzilla.redhat.com/attachment.cgi?id=672192',
}

#1. Find all activerecord 2.3.x, 3.0.x, 3.1.x, 3.2.x gems on this machine
gem_paths = {}
puts "Searching for activerecord gems inside #{SEARCH_DIR} ... "
ACTIVERECORD_GEM_VERSIONS.each do |version|
gem_paths[version] = `find #{SEARCH_DIR} -path '*/gems/activerecord*' -name 'activerecord-#{version}.*' -type d`.split("\n")
puts "Found the following activerecord gems for version #{version}:"
puts gem_paths[version]
end

#2. Download the 4 patches here
puts "Downloading the patches ... "
ACTIVERECORD_GEM_VERSIONS.each do |version|
`wget -O patch-#{version}.patch --no-check-certificate #{PATCHES[version]}`
end
puts " ... done"

#3. Apply the patches
ACTIVERECORD_GEM_VERSIONS.each do |version|
gem_paths[version].each do |gem|
puts "--------------------------\nApplying patch for gem #{gem}"
puts `cd '#{gem}'; patch -tN -p2 < '#{File.expand_path(File.dirname(__FILE__))+"/patch-"+version+".patch"}'` end end

This script searches for affected activerecord gems, downloads the required patches and applies them individually.

You might need to run it as root, and it could take a while searching your entire filesystem...
If you know where all your gems are located change the
SEARCH_DIR = "/yougemrepository"

Tested on linux, freebsd

Leave a Reply

Your email address will not be published. Required fields are marked *