Bug 237385 (CVE-2008-4094)

Comment 1 Hans de Graaff 2008-09-12 05:24:14 UTC

Note that the REXML security issue is already handled for all ruby software in ruby 1.8.6-P287-r1.

The first issue is a rails-specific security issue.

Comment 2 Hans de Graaff 2008-09-12 05:59:25 UTC

I've just added Rails 2.0.4 to CVS. I expect to add 2.1.1 later this weekend.

I propose to test these versions for a week and mark them stable regarding the first security issue unless regressions crop up.

Comment 3 Hans de Graaff 2008-09-13 09:10:21 UTC

Rails 2.1.1 is now also in CVS.

Comment 4 Robert Buchholz (RETIRED) 2008-09-13 18:13:22 UTC

issue (2) is not resolved by 2.0.4. There's no point in stabling that except for additional hardening of rails users on old ruby versions.

Comment 5 Robert Buchholz (RETIRED) 2008-09-13 18:13:51 UTC

Sorry, I meant issue (1) is not resolved by 2.0.4.

Comment 6 Hans de Graaff 2008-09-15 05:23:44 UTC

(In reply to comment #5)
> Sorry, I meant issue (1) is not resolved by 2.0.4.

Confirmed.

So how should we deal with this security bug, given that 2.0.4 doesn't fix the problem and 2.1.0 is currently not stable yet?

Comment 7 Robert Buchholz (RETIRED) 2008-09-15 14:25:20 UTC

(In reply to comment #6)
> So how should we deal with this security bug, given that 2.0.4 doesn't fix the
> problem and 2.1.0 is currently not stable yet?

That depends on how upstream handles it. If they'll release a 2.0.5 soon, we can bump, otherwise there is a backported patch to 2.X in the bug report.

(In reply to comment #7)
> That depends on how upstream handles it. If they'll release a 2.0.5 soon, we
> can bump, otherwise there is a backported patch to 2.X in the bug report.

Upstream issued two patches for 1.2.x and 2.0.x:
http://rails.lighthouseapp.com/projects/8994/tickets/964-fix-for-sql-injection-on-limit-and-offset-should-be-backported 

1.2.x:
http://rails.lighthouseapp.com/attachments/43792/offset_limit_fix_backport_1-2-stable.diff
2.0.x:
http://rails.lighthouseapp.com/attachments/43793/offset_limit_fix_backport_2-0-stable.diff

Comment 9 Alex Legler (RETIRED) 2008-09-26 11:41:40 UTC

(In reply to comment #8)
> Upstream issued two patches for 1.2.x and 2.0.x:
> http://rails.lighthouseapp.com/projects/8994/tickets/964-fix-for-sql-injection-on-limit-and-offset-should-be-backported 

I've put two ebuilds with these patches into the Ruby overlay.
Unfortunately the patching depends on new gem patching stuff which needs testing before it can be put into the main tree.

Comment 10 Robert Buchholz (RETIRED) 2008-10-04 15:46:23 UTC

*** Bug 239548 has been marked as a duplicate of this bug. ***

Comment 11 Hans de Graaff 2008-10-20 18:36:52 UTC

Rails 2.0.5 does have the fix for issue 1, limit and offset parameter SQL injection.

Comment 12 Hans de Graaff 2008-10-20 19:42:11 UTC

Rails 2.0.5 is now in CVS. I propose to test this version for at least a week before stabling it.

Rails 2.1.2 is now out which fixes this bug. http://weblog.rubyonrails.com/2008/10/23/rails-2-1-2-security-other-fixes

Comment 14 Hans de Graaff 2008-10-24 12:22:36 UTC

Rails 2.1.2 is now in CVS.

Comment 15 Robert Buchholz (RETIRED) 2008-10-31 00:23:08 UTC

Hans, is this ok for stable?

Comment 16 Hans de Graaff 2008-11-03 19:23:32 UTC

Yes, we are good to go for stabling.

Arches, please stabilize dev-ruby/rails-2.0.5 and dev-ruby/rails-2.1.2 and their dependencies.

In order of dependencies (each dependency has a -2.0.5 and a -2.1.2 version):

dev-ruby/activesupport
dev-ruby/activeresource
dev-ruby/actionpack
dev-ruby/actionmailer
dev-ruby/activerecord
dev-ruby/rails

Note that we do not have a 2.1.x version stable, however, Rails 2.1.1 was already due for being marked stable, and 2.1.2 contains only this security fix and minor bug fixes.

Comment 17 Ferris McCormick (RETIRED) 2008-11-03 19:44:55 UTC

All stable for sparc, but do not forget that we need:

>=app-admin/eselect-rails-0.12

for rails-2.1.2 as well.

Comment 18 Markus Meier 2008-11-03 22:29:47 UTC

amd64/x86 stable

Comment 19 Brent Baude (RETIRED) 2008-11-04 17:50:21 UTC

ppc64 done

Comment 20 Hans de Graaff 2008-11-04 18:56:06 UTC

Adding back amd64 and x86. Markus, it looks like you only did the Rails 2.1.2 version. We'd also like Rails 2.0.5 and its dependencies stable, so that we can keep the 2.0.x SLOT around for a bit longer. Let me know if you want me to do the stabling (I'm using this on amd64 and x86 myself).

Comment 21 Markus Meier 2008-11-05 19:53:55 UTC

amd64/x86 stable

Comment 22 Raúl Porcel (RETIRED) 2008-11-06 09:13:02 UTC

ia64 stable

Comment 23 Tobias Scherbaum (RETIRED) 2008-11-15 18:18:31 UTC

ppc stable

Arch stable exept ia64 for 2.0.5. What we waiting for? :)

Comment 25 Robert Buchholz (RETIRED) 2008-11-26 23:28:32 UTC

(In reply to comment #24)
> Arch stable exept ia64 for 2.0.5. What we waiting for? :)

Nothing, glsa decision now. I vote YES.

Comment 26 Tobias Heinlein (RETIRED) 2008-11-30 18:12:03 UTC

YES too, request filed.

Comment 27 Alex Legler (RETIRED) 2009-12-20 12:11:55 UTC

GLSA 200912-02