Bug 354249 (CVE-2011-0446)

Summary:	Several security issues in rails 2.2.x, rails <2.3.11 and =3.0.3 (CVE-2011-{0446,0447,0448,0449})
Product:	Gentoo Security	Reporter:	Hans de Graaff <graaff>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	ruby
Priority:	High
Version:	unspecified
Hardware:	All
OS:	All
Whiteboard:	B4 [glsa]
Package list:		Runtime testing required:	---
Bug Depends on:	372391, 379511
Bug Blocks:

Description Hans de Graaff gentoo-dev

2011-02-09 15:18:43 UTC

Several security issues have been reported in Rails:

http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

Affecting 2.x.x and 3.0.x

    * XSS Risk in mail_to :encode=>:javascript CVE-2011-0446
    * CSRF Bypass Risk CVE-2011-0447

Affecting 3.0.x only

    * Filter Problems on Case Insensitive Filesystems CVE-2011-0449
    * Potential SQL Injection with limit() CVE-2011-0448

There is a vulnerability in Ruby on Rails which could allow an attacker to circumvent the CSRF protection provided. This vulnerability has been assigned the CVE Identifier CVE-2011-0447.

    * Versions Affected: 2.1.0 and above
    * Not affected: Applications which don’t use the built in CSRF protection.
    * Fixed Versions: 3.0.4, 2.3.11

Comment 1 Hans de Graaff gentoo-dev

2011-02-09 15:20:52 UTC

Planned steps by the ruby project:

- Mask Rails 2.2.x (vulnerable and no longer supported upstream)
- Fix Rails 2.3.x by patching our current stable 2.3.5 if possible
  (in order to avoid a nasty forced stabilization)
- Add Rails 2.3.11
- Add Rails 3.0.4

Comment 2 Hans de Graaff gentoo-dev

2011-02-09 19:18:22 UTC

Rails 2.2.x is now masked.

Comment 3 Hans de Graaff gentoo-dev

2011-02-21 20:14:22 UTC

Rails 2.3.11 is now in CVS.

Comment 4 Tim Sammut (RETIRED) gentoo-dev

2011-02-21 21:43:48 UTC

(In reply to comment #3)
> Rails 2.3.11 is now in CVS.
> 

Thank you.

Arches, please test and mark stable:
=dev-ruby/rails-2.3.11
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"

Comment 5 Hans de Graaff gentoo-dev

2011-02-21 22:29:38 UTC

(In reply to comment #4)

> Arches, please test and mark stable:
> =dev-ruby/rails-2.3.11

Dropping arches: this stabilization path is not ready. We intend to backport the fix to stable 2.3.5 as mentioned in comment #1

Comment 6 Tim Sammut (RETIRED) gentoo-dev

2011-02-21 22:32:18 UTC

(In reply to comment #5)
> Dropping arches: this stabilization path is not ready. We intend to backport
> the fix to stable 2.3.5 as mentioned in comment #1
> 

Sorry, I missed that. Let me know if we can help somehow.

Comment 7 Hans de Graaff gentoo-dev

2011-02-22 07:12:54 UTC

(In reply to comment #6)

> Sorry, I missed that. Let me know if we can help somehow.

I had a look this morning at the patches, but they require active backporting to 2.3.5. They don't apply as-is.

I'll try to move ahead with the stabilization path as well but it may be 1-2 weeks before we have bugs filed and paths cleared for all dependencies.

Comment 8 Hans de Graaff gentoo-dev

2011-04-26 18:13:46 UTC

Rails 3.0.7 is now in the tree. That leaves the stabilization of Rails 2.3.11. We are almost there but a few minor issues need to be ironed out first.

Comment 9 Tim Sammut (RETIRED) gentoo-dev

2011-08-17 20:51:18 UTC

Stabilization of more current version happening in bug 379511.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2014-12-14 20:35:33 UTC

This issue was resolved and addressed in
 GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml
by GLSA coordinator Sean Amoss (ackle).