
Bug 379511

Summary: <dev-ruby/rails-{2.3.14,3.0.10}: Several security bugs in Rails (CVE-2011-{2929,2930,2931,2932,3186})
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: chewi, ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://weblog.rubyonrails.org/2011/8/16/ann-rails-2-3-14
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 354249

Description Hans de Graaff gentoo-dev Security 2011-08-17 05:58:03 UTC
Several security issues have been found and fixed in Rails 2.3.12 and 3.0.9. 

http://weblog.rubyonrails.org/2011/8/16/ann-rails-2-3-14
http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-0-10
Comment 1 James Le Cuirot gentoo-dev 2011-08-17 08:47:18 UTC
Note that this isn't specific to these exact versions. It affects 2.3.x and 3.0.x. This sucks because I have to update all my sites, but the good news is you have an excuse to not support the earlier versions.
Comment 2 Hans de Graaff gentoo-dev Security 2011-08-17 08:57:08 UTC
Rails 2.3.14 is now in the tree. Rails 3.0.9 isn't stable yet so it should not impact GLSA handling.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 20:16:00 UTC
(In reply to comment #2)
> Rails 2.3.14 is now in the tree. Rails 3.0.9 isn't stable yet so it should not
> impact GLSA handling.

Great, thanks. Would it be possible to add 3.0.10 to the tree as ~arch please? We don't need to stabilize it, but our policy would have it added to the tree.

Arches, please test and mark stable:
=dev-ruby/rails-2.3.14
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
Comment 4 Agostino Sarubbo gentoo-dev 2011-08-17 23:41:22 UTC
Packages that need the keyword:

=dev-ruby/rails-2.3.14
=dev-ruby/activerecord-2.3.14
=dev-ruby/activesupport-2.3.14
=dev-ruby/actionpack-2.3.14
=dev-ruby/activeresource-2.3.14
=dev-ruby/actionmailer-2.3.14

All packages pass tests. 

amd64 ok
Comment 5 Hans de Graaff gentoo-dev Security 2011-08-18 05:54:11 UTC
(In reply to comment #3)

> Great, thanks. Would it be possible to add 3.0.10 to the tree as ~arch please?
> We don't need to stabilize it, but our policy would have it added to the tree.

Yes, but as usual with these newer versions there are again test issues with 3.0.10 that should be resolved, and I gave priority to the stable version. I expect to add 3.0.10 this weekend at the latest.
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2011-08-18 10:08:13 UTC
+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> activerecord-2.3.14.ebuild:
+  Marked stable as a dependency of dev-ruby/rails based on arch testing by
+  Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> activesupport-2.3.14.ebuild:
+  Marked stable as a dependency of dev-ruby/rails based on arch testing by
+  Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> actionpack-2.3.14.ebuild:
+  Marked stable as a dependency of dev-ruby/rails based on arch testing by
+  Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> activeresource-2.3.14.ebuild:
+  Marked stable as a dependency of dev-ruby/rails based on arch testing by
+  Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> actionmailer-2.3.14.ebuild:
+  Marked stable as a dependency of dev-ruby/rails based on arch testing by
+  Agostino "ago" Sarubbo in security bug #379511 filed by Hans de Graaff.

+  18 Aug 2011; Tony Vroon <chainsaw@gentoo.org> rails-2.3.14.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+  security bug #379511 filed by Hans de Graaff.
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2011-08-18 16:20:01 UTC
(In reply to comment #5)
> (In reply to comment #3)
> 
> > Great, thanks. Would it be possible to add 3.0.10 to the tree as ~arch please?
> > We don't need to stabilize it, but our policy would have it added to the tree.
> 
> Yes, but as usual with these newer versions there are again test issues with
> 3.0.10 that should be resolved, and I gave priority to the stable version. I
> expect to add 3.0.10 this weekend at the latest.

Understood, and thank you for that. We'll do stabilization for 2.3.14 now and hold this bug open until 3.0.10 is in the tree.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-18 17:45:17 UTC
ppc/ppc64 stable
Comment 9 Markus Meier gentoo-dev 2011-08-24 19:21:09 UTC
x86 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-08-27 19:11:18 UTC
ia64/sparc stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-08-28 02:01:24 UTC
Thanks, folks. GLSA Vote: yes.
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-08-28 14:49:14 UTC
Actually, we need 3.0.10 in the tree before this can be closed too.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-09-02 17:29:53 UTC
CVE-2011-3186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3186):
  CRLF injection vulnerability in actionpack/lib/action_controller/response.rb
  in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject
  arbitrary HTTP headers and conduct HTTP response splitting attacks via the
  Content-Type header.

CVE-2011-2932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2932):
  Cross-site scripting (XSS) vulnerability in
  activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on
  Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5
  allows remote attackers to inject arbitrary web script or HTML via a
  malformed Unicode string, related to a "UTF-8 escaping vulnerability."

CVE-2011-2931 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2931):
  Cross-site scripting (XSS) vulnerability in the strip_tags helper in
  actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on
  Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows
  remote attackers to inject arbitrary web script or HTML via a tag with an
  invalid name.

CVE-2011-2930 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2930):
  Multiple SQL injection vulnerabilities in the quote_table_name method in the
  ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/
  in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before
  3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a
  crafted column name.

CVE-2011-2929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2929):
  The template selection functionality in
  actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x
  before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob
  characters, which allows remote attackers to render arbitrary views via a
  crafted URL, related to a "filter skipping vulnerability."
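As an added illustrative example (not code from Rails, Gentoo or this bug), the kind of defensive check the CRLF-injection entry above (CVE-2011-3186) calls for: a response head serialiser that refuses CR, LF or NUL in header names and values, plus a line-count check that can serve as a detection for an unchecked value splitting the head. `HeaderWriter` and its methods are hypothetical names; the sample header values are constructed.

```ruby
# Illustrative, hypothetical header writer (not Rails' ActionController::Response).
# The bug class: a header value written into the HTTP head unchecked lets a
# CR/LF inside it terminate that header and start a new, attacker-chosen one.
class HeaderWriter
  # RFC 7230 "token" characters allowed in a header name.
  HEADER_NAME = /\A[!$%&'*+\-.^_`|~0-9A-Za-z#]+\z/
  # Bytes that must never appear inside a single header line.
  FORBIDDEN = /[\r\n\x00]/

  # Refuse any header whose name or value could break the head apart.
  # Returns the validated [name, value] pair as strings.
  def self.validate!(name, value)
    name = name.to_s
    value = value.to_s
    raise ArgumentError, "invalid header name: #{name.inspect}" unless name.match?(HEADER_NAME)
    raise ArgumentError, "CR/LF/NUL in header #{name}: #{value.inspect}" if value.match?(FORBIDDEN)
    [name, value]
  end

  # Serialise a status line plus headers; every header passes validate! first,
  # so the returned head contains exactly one line per header.
  def self.head(status, headers)
    lines = ["HTTP/1.1 #{Integer(status)}"]
    headers.each do |n, v|
      name, value = validate!(n, v)
      lines << "#{name}: #{value}"
    end
    lines.join("\r\n") + "\r\n\r\n"
  end

  # Detection aid: count the header lines an *unchecked* serialisation of the
  # same map would produce. More lines than headers means a value split the head.
  def self.unchecked_line_count(headers)
    headers.map { |n, v| "#{n}: #{v}" }.join("\r\n").split(/\r?\n/).size
  end

  # true when an unchecked serialisation would have injected extra header lines.
  def self.split_detected?(headers)
    unchecked_line_count(headers) > headers.size
  end
end
```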
Comment 14 Hans de Graaff gentoo-dev Security 2011-09-28 07:36:52 UTC
Rails 3.0.10 is now also in CVS.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:28:09 UTC
Vote: YES. Added to pending GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-12-14 20:35:40 UTC
This issue was resolved and addressed in GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml by GLSA coordinator Sean Amoss (ackle).