Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 576068 - <dev-ruby/rails-{3.2.22.2,4.1.14.2,4.2.5.2}: Various vulnerabilities (CVE-2016-{2097,2098})
Summary: <dev-ruby/rails-{3.2.22.2,4.1.14.2,4.2.5.2}: Various vulnerabilities (CVE-201...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2016/2/...
Whiteboard: ~1 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-01 05:14 UTC by Hans de Graaff
Modified: 2016-11-26 00:46 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2016-03-01 05:14:52 UTC
Possible Information Leak Vulnerability in Action View.

There is a possible directory traversal and information leak vulnerability in
Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering
all the scenarios. This vulnerability has been assigned the CVE identifier
CVE-2016-2097.

Versions Affected:  3.2.x, 4.0.x, 4.1.x
Not affected:       4.2+
Fixed Versions:     3.2.22.2, 4.1.14.2


There is a possible remote code execution vulnerability in Action Pack.
This vulnerability has been assigned the CVE identifier CVE-2016-2098.

Versions Affected:  3.2.x, 4.0.x, 4.1.x, 4.2.x
Not affected:       5.0+
Fixed Versions:     3.2.22.2, 4.1.14.2, 4.2.5.2
Comment 1 Hans de Graaff gentoo-dev Security 2016-03-01 07:04:05 UTC
Rails 3.2.22.2, 4.1.14.2, and 4.2.5.2 are now in the tree.

Given that the list of security issues now includes possible RCE, my intention is to mask Rails 4.0.x for removal, including any dependencies. A tentative package list:

dev-ruby/rails:4.0
dev-ruby/railties:4.0
dev-ruby/activerecord:4.0
dev-ruby/actionmailer:4.0
dev-ruby/actionpack:4.0
dev-ruby/activemodel:4.0
dev-ruby/activesupport:4.0

And affected packages that depend on Rails 4.0 (packages depending on these still to be checked):

dev-ruby/coffee-rails:4.0
dev-ruby/metasploit-concern
dev-ruby/metasploit-credential
dev-ruby/metasploit_data_models
dev-ruby/metasploit-model
net-analyzer/metasploit

My intention is to mask these for removal at the end of the week.
Comment 2 Hans de Graaff gentoo-dev Security 2016-08-13 06:44:50 UTC
Rails 4.0 has now been masked.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-11-26 00:27:17 UTC
CVE-2016-2098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2098):
  Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x
  before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by
  leveraging an application's unrestricted use of the render method.

CVE-2016-2097 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2097):
  Directory traversal vulnerability in Action View in Ruby on Rails before
  3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary
  files by leveraging an application's unrestricted use of the render method
  and providing a .. (dot dot) in a pathname.  NOTE: this vulnerability exists
  because of an incomplete fix for CVE-2016-0752.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-11-26 00:46:45 UTC
Not sure why I missed this is unstable...