
Bug 200159

Summary: dev-ruby/rails < 1.2.6 Session fixation vulnerability (CVE-2007-6077)
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ruby
Priority: High Keywords: SECURITY
Version: unspecified   
Hardware: All   
OS: All   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6077
Whiteboard: B3 [glsa errata] rbu
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2007-11-24 08:49:25 UTC
[lifted from Rails core mailing list]
1.2.6 is out : http://dev.rubyonrails.org/changeset/8197

There's a fix for a regression in AR :

http://dev.rubyonrails.org/ticket/8713

and a security fix, see :

http://dev.rubyonrails.org/ticket/10048
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6077

Official announce : [no link for the moment, put it here]
Comment 1 Hans de Graaff gentoo-dev Security 2007-11-24 08:50:14 UTC
I have ebuilds pending for rails 1.2.6 but am currently waiting for them to show up on the ruby gem mirrors. They should be available later today.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-24 13:03:33 UTC
Thanks for the report. Please ping us when the ebuilds are ready or add the arches if you think it's ready for stabling.
Comment 3 Hans de Graaff gentoo-dev Security 2007-11-25 09:00:13 UTC
The new ebuilds have been added to the tree. My suggestion would be to wait until tomorrow before asking them to be stabled, so that we may be able to pick up any regressions in this release.
Comment 4 Hans de Graaff gentoo-dev Security 2007-11-26 20:42:55 UTC
@arches, please stabilize dev-ruby/rails-1.2.6 and its dependencies. It only contains the security fix and a fix for a regression in rails 1.2.5, and my initial testing has shown no regressions.

The packages need to be stabilized in the following order to account for dependencies:

dev-ruby/activerecord-1.15.6
dev-ruby/actionpack-1.13.6
dev-ruby/actionmailer-1.3.6
dev-ruby/actionwebservice-1.2.6
dev-ruby/rails-1.2.6

@ppc64: you don't have rails itself keyworded, but most of its dependencies are keyworded, and the actual fixes are in the dependencies, so stabilize those packages you have keyworded.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-26 21:15:59 UTC
x86 stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2007-11-26 23:27:37 UTC
ppc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2007-11-27 02:40:48 UTC
OK, I keyworded the deps for ppc64.  I need a decent way to test rails before I can mark it ~ppc64.  When I run rake it pukes with errors.  If someone can describe a decent rake test that is known to be reliable, even outside portage, I can test and keyword.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2007-11-27 14:59:28 UTC
ia64/sparc stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-11-27 17:10:30 UTC
(In reply to comment #7)
> OK, I keyworded the deps for ppc64.  I need a decent way to test rails before I
> can mark it ~ppc64.  When I run rake it pukes with errors.  If someone can
> describe a decent rake test that is known to be reliable, even outside portage,
> I can test and keyword.
> 

marked it ~ppc64. (they have good tutorials!)
Comment 10 Hans de Graaff gentoo-dev Security 2007-12-01 09:11:09 UTC
Adding back ppc64: it looks like you forgot to mark dev-ruby/activesupport-1.4.4 stable. This dependency is not listed on the bug because no new version was introduced and other arches already had it marked stable. I'm currently removing the vulnerable versions of rails which means that I'll have to drop your currently stable version 1.4.2. Doing so because the current version of rails won't install for anyone without package.keywords magic anyway.
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2007-12-01 09:13:24 UTC
dev-ruby/activesupport-1.4.4 stable on ppc64
Comment 12 Christoph Mende (RETIRED) gentoo-dev 2007-12-01 22:48:34 UTC
amd64 stable
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2007-12-02 12:14:44 UTC
Setting B3, ready for GLSA decision.

CVE-2007-6077:
  The session fixation protection mechanism in cgi_process.rb in Rails
  1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute
  from the DEFAULT_SESSION_OPTIONS constant, which effectively causes
  cookie_only to be applied only to the first instantiation of
  CgiRequest, which allows remote attackers to conduct session
  fixation attacks. NOTE: this is due to an incomplete fix for
  CVE-2007-5380.

We handled CVE-2007-5380 in bug 195315, which resulted in a GLSA. This bug should therefore result in an errata. Voting YES.
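The CVE text quoted above describes a shared default-options Hash that is mutated on first use. The following Ruby model is added here to illustrate that bug class; it is not Rails' own cgi_process.rb, and the names CgiRequest, DEFAULT_SESSION_OPTIONS, the mutate_shared switch and the session id value are simplified stand-ins. It shows why the protection held for only the first request and what copying the defaults before mutating them changes:

```ruby
# Constructed model of the CVE-2007-6077 bug class: a shared options Hash is
# mutated by the first request, so the :cookie_only protection silently
# disappears for every later request. Simplified stand-in, not Rails code.

DEFAULT_SESSION_OPTIONS = { session_key: '_session_id', cookie_only: true }

class CgiRequest
  attr_reader :session_id_source

  # mutate_shared: true reproduces the bug (the constant itself is edited);
  # false applies the fix (work on a private copy of the defaults).
  def initialize(cookies:, params:, mutate_shared:)
    options = mutate_shared ? DEFAULT_SESSION_OPTIONS : DEFAULT_SESSION_OPTIONS.dup
    # The flag is removed from the options before they are handed on; with
    # mutate_shared this deletes it from the shared constant for good.
    cookie_only = options.delete(:cookie_only)
    key = options[:session_key]
    # Session fixation protection: only honour an id that arrives as a cookie.
    @session_id_source =
      if cookies[key] then :cookie
      elsif !cookie_only && params[key] then :url
      else :new
      end
  end
end

# Simulate two successive requests that each carry a session id only in the
# URL. Returns where each request took its session id from.
def session_sources(mutate_shared:)
  DEFAULT_SESSION_OPTIONS[:cookie_only] = true # reset so runs are independent
  params = { '_session_id' => 'constructed-id' }
  2.times.map do
    CgiRequest.new(cookies: {}, params: params, mutate_shared: mutate_shared).session_id_source
  end
end

# Regression check: the shared defaults must survive a request untouched.
def defaults_intact?
  DEFAULT_SESSION_OPTIONS.key?(:cookie_only)
end
```

With the buggy path the first request refuses the URL-supplied id and the second accepts it, which is exactly the "only the first instantiation" behaviour the CVE describes; with the fix both requests refuse it and the defaults are left intact.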
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-12-30 18:53:33 UTC
TODO: draft errata.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 10:54:05 UTC
This bug does not affect 2008.0 release snapshot, removing release@ from CC.
Comment 16 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-20 12:11:52 UTC
GLSA 200912-02