Bug 354249 (CVE-2011-0446) - Several security issues in rails 2.2.x, rails <2.3.11 and =3.0.3 (CVE-2011-{0446,0447,0448,0449})
Status: RESOLVED FIXED
Alias: CVE-2011-0446
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa]
Keywords:
Depends on: 372391 379511
Blocks:
Reported: 2011-02-09 15:18 UTC by Hans de Graaff
Modified: 2014-12-14 20:35 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Hans de Graaff gentoo-dev Security 2011-02-09 15:18:43 UTC
Several security issues have been reported in Rails:

http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

Affecting 2.x.x and 3.0.x

    * XSS Risk in mail_to :encode=>:javascript CVE-2011-0446
    * CSRF Bypass Risk CVE-2011-0447

Affecting 3.0.x only

    * Filter Problems on Case Insensitive Filesystems CVE-2011-0449
    * Potential SQL Injection with limit() CVE-2011-0448

There is a vulnerability in Ruby on Rails which could allow an attacker to circumvent the CSRF protection provided. This vulnerability has been assigned the CVE Identifier CVE-2011-0447.

    * Versions Affected: 2.1.0 and above
    * Not affected: Applications which don’t use the built in CSRF protection.
    * Fixed Versions: 3.0.4, 2.3.11
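The CSRF bypass above boils down to which non-GET requests the framework exempts from the token check. The following is an added example written for this page, not Rails' own implementation and not code from the bug report: a minimal, framework-free model of a CSRF verifier in Ruby. It contrasts a check that waives the token for requests flagged as XHR (a client the attacker controls, such as a browser plugin, can set that header) with one that demands the session's token on every non-GET/HEAD request, accepting it either as a form parameter or in a request header. The `Request` struct, the `X-CSRF-Token` header name, the `authenticity_token` parameter name and the session handling are assumptions made for the demo, and the requests are constructed inline.

```ruby
# Added example (not Rails code, not from the bug page): a minimal model of
# CSRF token verification for non-GET requests.  Request, header and
# parameter names below are assumptions chosen for the demo.
require 'securerandom'

# Constructed stand-in for a framework request object (assumption).
Request = Struct.new(:method, :params, :headers, :session, keyword_init: true)

# Methods that must be side-effect free and therefore need no token.
SAFE_METHODS = %w[GET HEAD].freeze

# Constant-time comparison so the check does not leak token bytes by timing.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue one random token per session; the form and same-origin JS read it,
# a cross-origin attacker cannot.
def issue_token(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Weak check: trusts the X-Requested-With header and skips the token for
# anything that claims to be XHR.  A non-browser or plugin client can set
# that header freely, so this exemption is a bypass.
def weakly_verified?(req)
  return true if SAFE_METHODS.include?(req.method)
  return true if req.headers['X-Requested-With'] == 'XMLHttpRequest'
  secure_compare(req.session[:_csrf_token], req.params['authenticity_token'])
end

# Hardened check: every non-GET/HEAD request must present the session's
# token, either as a form parameter or in the X-CSRF-Token header
# (header name is an assumption for this example).
def strictly_verified?(req)
  return true if SAFE_METHODS.include?(req.method)
  expected = req.session[:_csrf_token]
  supplied = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
  secure_compare(expected, supplied)
end

# Runs three constructed requests through both checks and returns the
# verdicts as [legitimate form post, forged XHR post, same-origin JS post].
def run_demo
  session = {}
  token = issue_token(session)

  # Legitimate form submission: carries the token as a parameter.
  legit = Request.new(method: 'POST',
                      params: { 'authenticity_token' => token },
                      headers: {}, session: session)

  # Forged request: the browser still sends the session cookie, the
  # attacker's client sets X-Requested-With but cannot read the token.
  forged = Request.new(method: 'POST', params: {},
                       headers: { 'X-Requested-With' => 'XMLHttpRequest' },
                       session: session)

  # Same-origin JavaScript sending the token in a header instead of a field.
  xhr_ok = Request.new(method: 'POST', params: {},
                       headers: { 'X-CSRF-Token' => token },
                       session: session)

  {
    weak:   [weakly_verified?(legit), weakly_verified?(forged), weakly_verified?(xhr_ok)],
    strict: [strictly_verified?(legit), strictly_verified?(forged), strictly_verified?(xhr_ok)]
  }
end

if __FILE__ == $PROGRAM_NAME
  p run_demo
end
```

Running it shows the weak check accepting the forged post (the bypass) while the strict check rejects it and still accepts the header-carried token that same-origin scripts can supply. Applications that disable the built-in protection entirely, as the advisory notes, are outside this check altogether and gain nothing from the fix.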
Comment 1 Hans de Graaff gentoo-dev Security 2011-02-09 15:20:52 UTC
Planned steps by the ruby project:

- Mask Rails 2.2.x (vulnerable and no longer supported upstream)
- Fix Rails 2.3.x by patching our current stable 2.3.5 if possible
  (in order to avoid a nasty forced stabilization)
- Add Rails 2.3.11
- Add Rails 3.0.4
Comment 2 Hans de Graaff gentoo-dev Security 2011-02-09 19:18:22 UTC
Rails 2.2.x is now masked.
Comment 3 Hans de Graaff gentoo-dev Security 2011-02-21 20:14:22 UTC
Rails 2.3.11 is now in CVS.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-02-21 21:43:48 UTC
(In reply to comment #3)
> Rails 2.3.11 is now in CVS.
> 

Thank you.

Arches, please test and mark stable:
=dev-ruby/rails-2.3.11
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
Comment 5 Hans de Graaff gentoo-dev Security 2011-02-21 22:29:38 UTC
(In reply to comment #4)

> Arches, please test and mark stable:
> =dev-ruby/rails-2.3.11

Dropping arches: this stabilization path is not ready. We intend to backport the fix to stable 2.3.5 as mentioned in comment #1
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-02-21 22:32:18 UTC
(In reply to comment #5)
> Dropping arches: this stabilization path is not ready. We intend to backport
> the fix to stable 2.3.5 as mentioned in comment #1
> 

Sorry, I missed that. Let me know if we can help somehow.
Comment 7 Hans de Graaff gentoo-dev Security 2011-02-22 07:12:54 UTC
(In reply to comment #6)

> Sorry, I missed that. Let me know if we can help somehow.

I had a look this morning at the patches, but they require active backporting to 2.3.5. They don't apply as-is.

I'll try to move ahead with the stabilization path as well but it may be 1-2 weeks before we have bugs filed and paths cleared for all dependencies.

Comment 8 Hans de Graaff gentoo-dev Security 2011-04-26 18:13:46 UTC
Rails 3.0.7 is now in the tree. That leaves the stabilization of Rails 2.3.11. We are almost there but a few minor issues need to be ironed out first.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 20:51:18 UTC
Stabilization of more current version happening in bug 379511.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-14 20:35:33 UTC
This issue was resolved and addressed in
 GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml
by GLSA coordinator Sean Amoss (ackle).