Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 283396 (CVE-2009-3009)

Summary: <dev-ruby/rails-{2.2.3, 2.3.4} XSS, Timing issue (CVE-2009-{3009,3086})
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ruby
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://weblog.rubyonrails.org/2009/9/4/ruby-on-rails-2-3-4
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-01 11:19:19 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Michael Koziarski informed us about the following issue:

There is a vulnerability in the escaping code for the form helpers in
Ruby on Rails.  Attackers who can inject deliberately malformed unicode
strings into the form helpers can defeat the escaping checks and inject
arbitrary HTML.

Versions Affected:  2.0.0 and *all* subsequent versions.
Not affected:       Applications running on ruby 1.9
Fixed Versions:     2.3.4, 2.2.3

Impact
Due to the way that most databases either don't accept or actively
cleanse malformed unicode strings this vulnerability is most likely to
be exploited by non-persistent attacks however persistent attacks may
still be possible in some configurations.

*All* users of affected versions are advised to upgrade to a fixed versions.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-01 11:22:50 UTC
I'd say we wait until the official release, prepare for a 0-day bump and call arches after that. 

It's "just" XSS and we only have a little over two days. Prestabling would be an overkill imo. Hans?
Comment 2 Hans de Graaff gentoo-dev Security 2009-09-01 17:19:08 UTC
Sounds good to me in principle, yes.

My two worries based on past upstream performance are: a) whether they will actually have new releases ready in time (last time took weeks after the announcement), and b) whether the new releases contain only the security fix. Last time their release also included a lot of other changed code which caused issues.

I agree with Alex's strategy. If it turns out on the day itself that we don't trust the new release or it isn't ready we can create a bump at that time ourselves.
Comment 3 Hans de Graaff gentoo-dev Security 2009-09-04 06:45:56 UTC
I've just added Rails 2.3.4 to the tree. I've run the specs and features with it for our two major applications and both seem to work as expected.

As far as I can tell Rails 2.2.3 has not been released yet.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-04 08:33:00 UTC
This is now public per $URL.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-10 09:53:09 UTC
CVE-2009-3086 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3086):
  A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x
  before 2.3.4, leaks information about the complexity of
  message-digest signature verification in the cookie store, which
  might allow remote attackers to forge a digest via multiple attempts.

Comment 6 Hans de Graaff gentoo-dev Security 2009-09-12 08:03:31 UTC
My testing hasn't resulted in any issues, so as far as I'm concerned we are good to go here with stabilization.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-14 10:04:02 UTC
Arches, please test and mark stable:
=dev-ruby/rails-2.3.4
=dev-ruby/activerecord-2.3.4
=dev-ruby/activeresource-2.3.4
=dev-ruby/activesupport-2.3.4
=dev-ruby/actionmailer-2.3.4
=dev-ruby/actionpack-2.3.4

Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-14 11:54:28 UTC
We also need a newer rubygems stable, stabling of that via bug 284911.
Comment 9 Markus Meier gentoo-dev 2009-09-14 21:55:28 UTC
amd64/x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-09-19 17:28:17 UTC
ia64/sparc stable
Comment 11 nixnut (RETIRED) gentoo-dev 2009-09-20 19:17:24 UTC
ppc stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2009-09-25 18:21:02 UTC
ppc64 done
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-03 12:39:20 UTC
Arches, please test and mark stable:
=dev-ruby/rails-2.2.3
=dev-ruby/activerecord-2.2.3
=dev-ruby/activeresource-2.2.3
=dev-ruby/activesupport-2.2.3
=dev-ruby/actionmailer-2.2.3
=dev-ruby/actionpack-2.2.3"

Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-04 17:15:58 UTC
x86 stable
Comment 15 Markus Meier gentoo-dev 2009-10-07 19:06:47 UTC
amd64 stable
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-10-08 18:00:26 UTC
ia64/sparc stable
Comment 17 Brent Baude (RETIRED) gentoo-dev 2009-10-18 14:37:05 UTC
ppc64 done
Comment 18 nixnut (RETIRED) gentoo-dev 2009-10-18 17:24:47 UTC
ppc stable
Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-18 17:50:49 UTC
GLSA together with bug 237385.
Comment 20 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-20 12:12:03 UTC
GLSA 200912-02