Summary: | <dev-ruby/rails-{3.0.18,3.1.9,3.2.10}, <dev-ruby/activerecord-2.3.14-r1: SQL Injection (CVE-2012-6496) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sean Amoss (RETIRED) <ackle> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | ruby |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2013/01/02/3 | | |
Whiteboard: | B3 [glsa] | | |
Package list: | | Runtime testing required: | --- |

Description
Sean Amoss (RETIRED)
2013-01-02 21:29:16 UTC
Graaff said that this bug is invalid on gentoo

(In reply to comment #1)
> Graaff said that this bug is invalid on gentoo

No, I said that the bug you mentioned earlier was invalid on Gentoo, and we couldn't have done anything with that particular bug. This bug, however, contains actual fixes for a problem that was only a part of the original bug report, and we can fix those in Gentoo.

dev-ruby/activerecord-2.3.14-r1 is now in the tree with this fix and it can be marked stable.

Rails 3.0.18, 3.1.9, and 3.2.10 are now also in the tree. These are all still marked 'testing', so no further security action needed for those versions.

CVE-2012-5664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5664): SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows remote attackers to execute arbitrary SQL commands via a crafted parameter in conjunction with a secret_token value, related to certain behavior of find_by_id and other find_by_ methods.

(In reply to comment #6)
> CVE-2012-5664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5664):
> SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows

This is wrong. This bug has nothing to do with the Authlogic gem, but it is a generic rails framework issue, and all Rails applications that use dynamic finders are affected.

(In reply to comment #7)
> (In reply to comment #6)
> > CVE-2012-5664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5664):
> > SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows
>
> This is wrong. This bug has nothing to do with the Authlogic gem, but it is
> a generic rails framework issue, and all Rails applications that use dynamic
> finders are affected.

Yes, the CVE description is poorly worded as one person mentioned today on oss-security ML: http://www.openwall.com/lists/oss-security/2013/01/03/5

(In reply to comment #4)
> dev-ruby/activerecord-2.3.14-r1 is now in the tree with this fix and it can
> be marked stable.

Arches, please test it and mark stable.

ppc stable

ppc64 stable

amd64 stable

x86 stable

CVE-2012-5664 will likely be rejected [1]. CVE-2012-6496 has been assigned for this issue:

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

[1] http://www.openwall.com/lists/oss-security/2013/01/03/12

GLSA vote: yes.

GLSA request filed (I filed it earlier, guess I forgot to hit enter on my vote)

This issue was resolved and addressed in GLSA 201401-22 at http://security.gentoo.org/glsa/glsa-201401-22.xml by GLSA coordinator Chris Reffett (creffett).
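
The "unexpected data types in certain find_by_ method calls" condition from the CVE-2012-6496 description, as an added example that is not part of this bug thread and is not Rails' own code. `ToyModel` is a hypothetical, simplified stand-in for a dynamic finder that treats a trailing Hash as query options, and `finder_scalar` is an assumed application-side check that rejects non-scalar input before it reaches the finder.

```ruby
# Added illustration. ToyModel is hypothetical and only models the behaviour
# "a Hash passed where a value was expected is consumed as query options".
class ToyModel
  def self.find_by_id(*args)
    options = args.last.is_a?(Hash) ? args.pop : {}   # Hash is taken as options
    id = args.first                                   # nil if the Hash was the only argument
    columns = options[:select] || "*"                 # option text reaches the SQL unescaped
    where = id.nil? ? "id IS NULL" : "id = #{Integer(id)}"
    "SELECT #{columns} FROM users WHERE #{where} LIMIT 1"
  end
end

# Assumed application-side guard: only an integer id is ever handed to the finder.
def finder_scalar(value)
  case value
  when Integer then value
  when String
    raise ArgumentError, "non-numeric id" unless value.match?(/\A\d+\z/)
    value.to_i
  else
    raise ArgumentError, "unexpected #{value.class} in finder argument"
  end
end

def lookup_unguarded(raw)
  ToyModel.find_by_id(raw)
end

def lookup_guarded(raw)
  ToyModel.find_by_id(finder_scalar(raw))
rescue ArgumentError => e
  "rejected: #{e.message}"
end

# Constructed sample input: a Hash arriving where the application expected an id.
CRAFTED = { select: "CONSTRUCTED_FRAGMENT" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts lookup_unguarded("1")      # normal lookup
  puts lookup_unguarded(CRAFTED)  # caller-supplied text ends up in the column list
  puts lookup_guarded("1")        # same query as the normal lookup
  puts lookup_guarded(CRAFTED)    # refused before any query text is built
end
```

The guard is a defence-in-depth measure for application code; the thread's actual remediation is upgrading to the fixed activerecord and Rails versions listed in the summary.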