Bug 493284 (CVE-2013-4491) - <dev-ruby/rails-{3.2.16,4.0.2} : Multiple Vulnerabilities (CVE-2013-{4491,6414,6415,6416,6417})
Status: RESOLVED FIXED
Alias: CVE-2013-4491
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2013/12...
Whiteboard: ~3 [noglsa]
Reported: 2013-12-04 07:26 UTC by Hans de Graaff
Modified: 2013-12-17 03:01 UTC
Description Hans de Graaff gentoo-dev Security 2013-12-04 07:26:48 UTC
Rails 3.2.16 and 4.0.2 have been released!

These two releases contain important security fixes, so please upgrade as soon as possible! In order to make upgrading as smooth as possible, we've only included commits directly related to each security issue.

The security fixes in 3.2.16 are:

    CVE-2013-6417  Unsafe Query Generation Risk
    CVE-2013-4491  Reflective XSS Vulnerability in Ruby on Rails 
    CVE-2013-6415  XSS Vulnerability in number_to_currency 
    CVE-2013-6414  Denial of Service Vulnerability in Action View

The security fixes in 4.0.2 are:

    CVE-2013-6417  Unsafe Query Generation Risk
    CVE-2013-4491  Reflective XSS Vulnerability in Ruby on Rails 
    CVE-2013-6415  XSS Vulnerability in number_to_currency 
    CVE-2013-6414  Denial of Service Vulnerability in Action View
    CVE-2013-6416  XSS Vulnerability in simple_format helper
Comment 1 Hans de Graaff gentoo-dev Security 2013-12-04 08:21:59 UTC
dev-ruby/i18n-0.6.9 and rails-3.2.16 are now in the tree.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2013-12-04 13:57:31 UTC
Hans, 

is 4.0.2 on the way?
Comment 3 Hans de Graaff gentoo-dev Security 2013-12-04 19:26:36 UTC
(In reply to Yury German from comment #2)
> Hans, 
> 
> is 4.0.2 on the way?

It's here! Rails 4.0.2 now also in the tree.

None of these packages are currently stable, so from a maintainer/arch perspective we are done.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2013-12-04 21:08:25 UTC
Hans,

Just to confirm: no ebuild for 4.0.2 for x86, is that correct? Want to make sure before asking for stabilization.
Comment 5 Hans de Graaff gentoo-dev Security 2013-12-05 07:48:44 UTC
(In reply to Yury German from comment #4)
> Hans,
> 
> Just to confirm: no ebuild for 4.0.2 for x86, is that correct? Want to make
> sure before asking for stabilization.

Correct: bug 493356 was filed in October for other arches.

There is also no need to ask for stabilization in this bug since we did not have any versions stable before.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 17:03:59 UTC
CVE-2013-4491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4491):
  Cross-site scripting (XSS) vulnerability in
  actionpack/lib/action_view/helpers/translation_helper.rb in the
  internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x
  before 4.0.2 allows remote attackers to inject arbitrary web script or HTML
  via a crafted string that triggers generation of a fallback string by the
  i18n gem.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 17:04:14 UTC
CVE-2013-6417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6417):
  actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before
  3.2.16 and 4.x before 4.0.2 does not properly consider differences in
  parameter handling between the Active Record component and the JSON
  implementation, which allows remote attackers to bypass intended
  database-query restrictions and perform NULL checks or trigger missing WHERE
  clauses via a crafted request that leverages (1) third-party Rack middleware
  or (2) custom Rack middleware.  NOTE: this vulnerability exists because of
  an incomplete fix for CVE-2013-0155.

CVE-2013-6416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6416):
  Cross-site scripting (XSS) vulnerability in the simple_format helper in
  actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x
  before 4.0.2 allows remote attackers to inject arbitrary web script or HTML
  via a crafted HTML attribute.

CVE-2013-6415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6415):
  Cross-site scripting (XSS) vulnerability in the number_to_currency helper in
  actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before
  3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web
  script or HTML via the unit parameter.

CVE-2013-6414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6414):
  actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails
  3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a
  denial of service (memory consumption) via a header containing an invalid
  MIME type that leads to excessive caching.
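As an added defender-side check (not part of this bug report, of Rails, or of the Gentoo tooling): a small Ruby script that reads the pinned rails version out of a Gemfile.lock and maps it onto the affected version ranges stated in the NVD entries quoted above, so a deployment can be triaged against these five CVEs. The Gemfile.lock excerpt is constructed for the example.

```ruby
require "rubygems"   # Gem::Version / Gem::Requirement ship with Ruby

# Affected ranges as stated in the NVD texts quoted in comments 6 and 7.
# A version is affected by an advisory if it satisfies ANY listed range.
RAILS_ADVISORIES = {
  "CVE-2013-4491" => [[">= 3.0", "< 3.2.16"], [">= 4.0", "< 4.0.2"]],
  "CVE-2013-6417" => [["< 3.2.16"],           [">= 4.0", "< 4.0.2"]],
  "CVE-2013-6416" => [[">= 4.0", "< 4.0.2"]],
  "CVE-2013-6415" => [["< 3.2.16"],           [">= 4.0", "< 4.0.2"]],
  "CVE-2013-6414" => [[">= 3.0", "< 3.2.16"], [">= 4.0", "< 4.0.2"]],
}.freeze

# Return the advisory ids that apply to a given Rails version string.
def rails_cves_for(version_string)
  version = Gem::Version.new(version_string)
  RAILS_ADVISORIES.select do |_id, ranges|
    ranges.any? { |req| Gem::Requirement.new(*req).satisfied_by?(version) }
  end.keys
end

# Extract the resolved "rails" version from Gemfile.lock text.
# Bundler lists resolved gems under GEM/specs as "    name (version)".
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \(([^)]+)\)$/)
  m && m[1]
end

# Constructed Gemfile.lock excerpt (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      i18n (0.6.5)
      rails (3.2.15)
      rack (1.4.5)
LOCK

if __FILE__ == $0
  v = locked_rails_version(SAMPLE_LOCK)
  cves = rails_cves_for(v)
  puts cves.empty? ? "rails #{v}: not affected" : "rails #{v}: #{cves.join(', ')}"
end
```

Note that comment 1 shows the Gentoo fix also bumped dev-ruby/i18n to 0.6.9 alongside rails 3.2.16, so a lock file audit should look at that gem as well.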
Comment 8 Hans de Graaff gentoo-dev Security 2013-12-16 20:12:15 UTC
Vulnerable versions have been removed from the tree.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2013-12-17 03:01:44 UTC
Hans, thank you for correcting me on the vulnerable version.

No GLSA required as the current vulnerable version is not stable.