Bug 143369 - dev-ruby/rails < 1.1.6 security issue
Bug#: 143369
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: vlad@hashbang.de
Component: Vulnerabilities
URL:  http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
Summary: dev-ruby/rails < 1.1.6 security issue
Keywords:  
Status Whiteboard: B1? [glsa] DerCorny
Opened: 2006-08-09 10:54 0000
Description:
A 'mandatory' security patch has been released. Ebuilds should be updated too.
More info:

http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-08-09 11:09:43 0000 -------
Ruby, please provide fixed ebuilds, thanks.

------- Comment #2 From Caleb Tennis 2006-08-09 11:37:29 0000 -------
It's in portage as rails-1.1.5

Also affects (and now in portage):

actionmailer-1.2.4
actionpack-1.12.4
actionwebservice-1.1.5
activerecord-1.14.4

does NOT affect:

activesupport-1.3.1


I suppose we need arches to mark stable sooner rather than later; I'd like them to
test and make sure the install goes okay for everyone (worked fine here).
According to the site the differences between 1.1.4 and 1.1.5 are minimal save
for the security stuff.  I hope that's right.

------- Comment #3 From Stefan Cornelius (RETIRED) 2006-08-09 11:41:14 0000 -------
arches, please test and stable rails-1.1.5, thank you

------- Comment #4 From Stefan Cornelius (RETIRED) 2006-08-09 11:42:12 0000 -------
... and of course also the other packages as mentioned in comment #2

sorry

------- Comment #5 From Tobias Scherbaum 2006-08-09 12:52:48 0000 -------
ppc stable

------- Comment #6 From Michael Weyershäuser 2006-08-09 13:35:38 0000 -------
I get a digest failure on actionpack-1.12.4:

>>> checking actionpack-1.12.4.gem
!!! Digest verification failed:
!!! /usr/portage/distfiles/actionpack-1.12.4.gem
!!! Reason: Filesize does not match recorded size
!!! Got: 530432
!!! Expected: 529920

Other than that this is good to go on amd64.

emerge --info
Portage 2.1-r1 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4,
2.6.17-suspend2-r3-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.17-suspend2-r3-Dudebox-Edition x86_64 AMD Athlon(tm) 64
Processor 3200+
Gentoo Base System version 1.6.15
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer
multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv
usersandbox"
GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo
ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa arts avi berkdb bitmap-fonts cli crypt cups dlloader dri eds
emboss encode foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 imlib ipv6
isdnlog jpeg kde kdeenablefinal lzw lzw-tiff mp3 mpeg ncurses nls nptl opengl
pam pcre pdflib perl png pppd python qt3 qt4 quicktime readline reflection sdl
session spell spl ssl tcpd tiff truetype-fonts type1-fonts unicode usb
userlocales xorg xpm xv zlib elibc_glibc input_devices_keyboard
input_devices_mouse input_devices_evdev kernel_linux linguas_de userland_GNU
video_cards_dummy"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

------- Comment #7 From Caleb Tennis 2006-08-09 13:38:32 0000 -------
of course, they changed the .gem after the announcement... argh

------- Comment #8 From Caleb Tennis 2006-08-09 13:39:47 0000 -------
I recommitted the new digest.  I hope mirroring doesn't cause major breakage.

------- Comment #9 From Thomas Cort (RETIRED) 2006-08-09 13:52:35 0000 -------
amd64 stable.

------- Comment #10 From Joshua Jackson 2006-08-09 20:58:43 0000 -------
x86 stable, I didn't find any rubies... who stole them all?

------- Comment #11 From Sune Kloppenborg Jeppesen 2006-08-10 00:36:41 0000 -------
Rerating as I doubt this will be more than a B1.

------- Comment #12 From Jakub Moc (RETIRED) 2006-08-10 02:18:48 0000 -------
Some real info on the problem (upstream-- for their security by obscurity
approach).

http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html

------- Comment #13 From Ferris McCormick 2006-08-10 05:03:27 0000 -------
All stable on sparc.  Notes:
1.  sparc tests used lighttpd;
2.  script/server (for testing connections from local & remote) generates a lot
of annoying 'method redefined' warnings;
3.  Test system is running ruby-1.8.4-r3

------- Comment #14 From Vlad Berditchevskiy 2006-08-10 11:56:39 0000 -------
BTW, 1.1.5 is now obsolete, 1.1.6 has been released today.

------- Comment #15 From Caleb Tennis 2006-08-10 12:03:36 0000 -------
yeah, but as of now I'm not able to download the gems so I can't do updates in
portage yet.

------- Comment #16 From Caleb Tennis 2006-08-10 13:19:45 0000 -------
ok, gems now available.  all have been bumped accordingly, and I left the
already stable arches alone since the diff between 1.1.5 and 1.1.6 was
basically trivial.

so we're waiting on ia64 and the bsd folks.

------- Comment #17 From Marco Matthies 2006-08-10 17:49:23 0000 -------
http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
says upgrade to 1.1.6 is security related.

According to
http://www.ruby-forum.com/topic/76671
calling urls such as
http://127.0.0.1:3000/builder/blankslate
http://127.0.0.1:3000/active_support/dependencies
on 1.1.5 will cause all subsequent requests to fail.

None of this was tested by myself, so YMMV.

------- Comment #18 From Sune Kloppenborg Jeppesen 2006-08-10 23:27:29 0000 -------
1.1.6 is the new fixed version. It is already in Portage and stable as per
comment #16.

------- Comment #19 From Caleb Tennis 2006-08-11 03:28:27 0000 -------
I will delete the offending versions from portage sometime today (that's 1.1.0
through 1.1.5)

------- Comment #20 From Raphael Marichez 2006-08-14 08:12:30 0000 -------
GLSA 200608-20 sent