Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 449826 (CVE-2012-6496) - <dev-ruby/rails-{3.0.18,3.1.9,3.2.10}, <dev-ruby/activerecord-2.3.14-r1: SQL Injection (CVE-2012-6496)
Summary: <dev-ruby/rails-{3.0.18,3.1.9,3.2.10}, <dev-ruby/activerecord-2.3.14-r1: SQL ...
Status: RESOLVED FIXED
Alias: CVE-2012-6496
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-02 21:29 UTC by Sean Amoss (RETIRED)
Modified: 2014-01-21 20:49 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss (RETIRED) gentoo-dev Security 2013-01-02 21:29:16 UTC
From $URL:

SQL Injection Vulnerability in Ruby on Rails

There is a SQL injection vulnerability in Active Record in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-5664.

Versions Affected:  All.
Not affected:       NONE.
Fixed Versions:     3.2.10, 3.1.9, 3.0.18

Impact 
------ 
Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope.  Carefully crafted requests can use the scope to inject arbitrary SQL.

All users running an affected release should either upgrade or use one of the work arounds immediately. 

Impacted code passes user provided data to a dynamic finder like this:

  Post.find_by_id(params[:id])

Releases 
-------- 
The  3.2.10, 3.1.9 & 3.0.18 releases are available at the normal locations. 

Workarounds 
----------- 
The issue can be mitigated by explicitly converting the parameter to an expected value.  For example, change this:

  Post.find_by_id(params[:id])

to this:

  Post.find_by_id(params[:id].to_s)


Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series and two unsupported versions.  They are in git-am format and consist of a single changeset. 

* 3-2-dynamic_finder_injection.patch - Patch for 3.2 series
* 3-1-dynamic_finder_injection.patch - Patch for 3.1 series
* 3-0-dynamic_finder_injection.patch - Patch for 3.0 series
* 2-3-dynamic_finder_injection.patch - Patch for 2.3 series

Please note that only the 3.1.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Comment 1 Agostino Sarubbo gentoo-dev 2013-01-02 21:42:26 UTC
Graaff said that this bug is invalid on gentoo
Comment 2 Hans de Graaff gentoo-dev Security 2013-01-03 05:53:58 UTC
(In reply to comment #1)
> Graaff said that this bug is invalid on gentoo

No, I said that the bug you mentioned earlier was invalid on Gentoo, and we couldn't have done anything with that particular bug. This bug, however, contains actual fixes for a problem that was only a part of the original bug report, and we can fix those in Gentoo.
Comment 4 Hans de Graaff gentoo-dev Security 2013-01-03 06:19:09 UTC
dev-ruby/activerecord-2.3.14-r1 is now in the tree with this fix and it can be marked stable.
Comment 5 Hans de Graaff gentoo-dev Security 2013-01-03 08:08:05 UTC
Rails 3.0.18, 3.1.9, and 3.2.10 are now also in the tree. These are all still marked 'testing', so no further security action needed for those versions.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-01-03 11:24:55 UTC
CVE-2012-5664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5664):
  SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows
  remote attackers to execute arbitrary SQL commands via a crafted parameter
  in conjunction with a secret_token value, related to certain behavior of
  find_by_id and other find_by_ methods.
Comment 7 Hans de Graaff gentoo-dev Security 2013-01-03 12:08:09 UTC
(In reply to comment #6)
> CVE-2012-5664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5664):
>   SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows

This is wrong. This bug has nothing to do with the Authlogic gem, but it is a generic rails framework issue, and all Rails applications that use dynamic finders are affected.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-03 20:48:07 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > CVE-2012-5664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5664):
> >   SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows
> 
> This is wrong. This bug has nothing to do with the Authlogic gem, but it is
> a generic rails framework issue, and all Rails applications that use dynamic
> finders are affected.

Yes, the CVE description is poorly worded as one person mentioned today on oss-security ML:

http://www.openwall.com/lists/oss-security/2013/01/03/5


(In reply to comment #4)
> dev-ruby/activerecord-2.3.14-r1 is now in the tree with this fix and it can
> be marked stable.

Arches, please test it and mark stable.
Comment 9 Agostino Sarubbo gentoo-dev 2013-01-04 12:57:26 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-01-04 13:12:03 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-01-04 21:53:48 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-01-04 22:00:21 UTC
x86 stable
Comment 13 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-06 13:21:48 UTC
CVE-2012-5664 will likely be rejected [1]. CVE-2012-6496 has been assigned for this issue:

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.


[1] http://www.openwall.com/lists/oss-security/2013/01/03/12


GLSA vote: yes.
Comment 14 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-05 03:25:46 UTC
GLSA request filed (I filed it earlier, guess I forgot to hit enter on my vote)
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-01-21 20:49:21 UTC
This issue was resolved and addressed in
 GLSA 201401-22 at http://security.gentoo.org/glsa/glsa-201401-22.xml
by GLSA coordinator Chris Reffett (creffett).