Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 428254 (CVE-2012-3424)

Summary: <dev-ruby/rails-{3.0.16,3.1.7.3.2.7} DoS Vulnerability (CVE-2012-3424)
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://weblog.rubyonrails.org/2012/7/26/ann-rails-3-2-7-has-been-released/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2012-07-27 05:13:09 UTC 
DoS Vulnerability in authenticate_or_request_with_http_digest

There is a DoS vulnerability in Action Pack digest authentication handling in Rails.
This vulnerability has been assigned the CVE identifier CVE-2012-3424.

Versions Affected:  3.x.
Not affected:       2.3.5 - 2.3.14
Fixed Versions:     3.0.16, 3.1.7, 3.2.7

Impact
------

All users using Digest Authentication support in Rails should upgrade
immediately.  Impacted code uses any of the `with_http_digest` controller
helper methods.  For example:

    class MyController < ApplicationController
      def index
        authenticate_or_request_with_http_digest(REALM) do |uname|
          # ...
        end
      end
    end

Releases
--------
The 3.0.16, 3.1.7 & 3.2.7 releases are available at the normal locations.


Workarounds
-----------
There are no feasible workarounds for this issue.
Comment 1 Hans de Graaff gentoo-dev Security 2012-07-27 06:21:52 UTC 
Rails 3.2.7 is in the tree. I hope to get to the older slots during the weekend.
Comment 2 Hans de Graaff gentoo-dev Security 2012-07-28 07:41:20 UTC 
Rails 3.1.7 is now also in the tree.
Comment 3 Hans de Graaff gentoo-dev Security 2012-07-28 08:21:25 UTC 
Rails 3.0.16 now also in the tree.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-28 11:50:52 UTC 
Thanks, Hans! Please also punt the vulnerable versions.

Closing noglsa for ~arch only issue.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-08-08 20:18:48 UTC 
CVE-2012-3424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3424):
  The decode_credentials method in
  actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on
  Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts
  Digest Authentication strings to symbols, which allows remote attackers to
  cause a denial of service by leveraging access to an application that uses a
  with_http_digest helper method, as demonstrated by the
  authenticate_or_request_with_http_digest method.