Bug 450974 (CVE-2013-0155)

Summary: <dev-ruby/rails-{2.3.15,3.0.19,3.1.10,3.2.11} params parsing vulnerabilities (CVE-2013-{0155,0156})
Product: Gentoo Security
Reporter: Hans de Graaff <graaff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: lebarjack, ruby, s.hoogeveen
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 451034
Bug Blocks:

Description Hans de Graaff gentoo-dev 2013-01-09 06:48:49 UTC
Unsafe Query Generation Risk in Ruby on Rails

There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing. This vulnerability has been assigned the CVE identifier CVE-2013-0155.

Versions Affected:  3.x series
Not affected:       2.x series
Fixed Versions:     3.2.11, 3.1.10, 3.0.19 


Multiple vulnerabilities in parameter parsing in Action Pack

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.

Versions Affected:  ALL versions
Not affected:       NONE
Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15
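Added illustration for the CVE-2013-0155 part of the advisory above; this is not code from this bug, from Gentoo, or from Rails. It shows why a JSON lookup parameter sent as an array containing only null is dangerous when handed straight to an Active Record finder, and the kind of parameter scrubbing (dropping nils inside arrays) that the fixed releases introduced. The where_sql_for function is a constructed stand-in for how the Rails 3.x predicate builder treats nil and all-nil arrays (both become IS NULL); scrub_params, lookup_sql and CRAFTED_BODY are likewise constructed for this example.

```ruby
require 'json'

# Render a value as a SQL literal for the stand-in below (quoted strings,
# bare numbers). Illustrative only; real code binds parameters instead.
def literal(v)
  v.is_a?(Numeric) ? v.to_s : "'#{v.to_s.gsub("'", "''")}'"
end

# Simplified stand-in (constructed, not Active Record's code) for how
# Active Record 3.x builds the predicate for where(column => value):
# nil becomes IS NULL, an array becomes IN (...), and an array whose
# only elements are nil collapses to IS NULL as well.
def where_sql_for(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    present = value.compact
    present.empty? ? "#{column} IS NULL" : "#{column} IN (#{present.map { |v| literal(v) }.join(', ')})"
  else
    "#{column} = #{literal(value)}"
  end
end

# Recursively scrub a parsed JSON parameter structure: nil entries are
# removed from arrays, and an array that contained nothing but nil becomes
# plain nil, so an ordinary nil check in the controller catches it.
def scrub_params(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = scrub_params(v) }
  when Array
    cleaned = value.compact.map { |v| scrub_params(v) }
    cleaned.empty? && !value.empty? ? nil : cleaned
  else
    value
  end
end

# Constructed request body of the shape the advisory describes: a lookup
# parameter sent as an array containing only JSON null.
CRAFTED_BODY = '{"token": [null]}'

# Vulnerable flow: the nil check passes because [nil] is not nil, and the
# resulting predicate matches every row whose token column is NULL.
def lookup_sql(body)
  token = JSON.parse(body)['token']
  raise ArgumentError, 'token missing' if token.nil?
  where_sql_for('token', token)
end

# Hardened flow: scrubbing turns [nil] into nil and the request is refused
# before any query is built.
def lookup_sql_scrubbed(body)
  token = scrub_params(JSON.parse(body))['token']
  raise ArgumentError, 'token missing' if token.nil?
  where_sql_for('token', token)
end

if __FILE__ == $PROGRAM_NAME
  puts lookup_sql(CRAFTED_BODY)            # token IS NULL
  begin
    lookup_sql_scrubbed(CRAFTED_BODY)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"          # rejected: token missing
  end
end
```

The scrubber is deliberately applied to the whole parsed body before any controller code sees it, which is the same position in the request pipeline where the upstream fix lives; a check added only in one finder would leave every other finder exposed.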
Comment 1 Hans de Graaff gentoo-dev 2013-01-09 07:52:05 UTC
=dev-ruby/rails-2.3.15 and its dependencies are now in the tree and can be marked stable.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-01-09 08:10:10 UTC
Arches, please test and mark stable:

=dev-ruby/activesupport-2.3.15
=dev-ruby/activeresource-2.3.15
=dev-ruby/actionpack-2.3.15
=dev-ruby/actionmailer-2.3.15
=dev-ruby/activerecord-2.3.15
=dev-ruby/rails-2.3.15

Target KEYWORDS: "amd64 ppc ppc64 x86"
Comment 3 Hans de Graaff gentoo-dev 2013-01-09 09:19:04 UTC
Rails 3.0.19, 3.1.10, and 3.2.11 are now also in the gentoo tree.
Comment 4 Wim van Ravesteijn 2013-01-09 13:57:38 UTC
Please undelete files/activesupport-2.3.5-mocha-0.9.5.patch from dev-ruby/activesupport; it is still referenced from the 2.3.15 ebuild.

Without this file, dev-ruby/activesupport-2.3.15 does not build (on amd64).
Comment 5 Agostino Sarubbo gentoo-dev 2013-01-09 15:01:20 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-01-09 15:03:11 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-01-09 15:06:16 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-01-09 15:14:17 UTC
ppc64 stable
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2013-01-09 20:08:42 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 10 Hans de Graaff gentoo-dev 2013-01-15 07:33:56 UTC
Contrary to the earlier report, "Unsafe Query Generation Risk in Ruby on Rails" also affects the 2.3.x series. The upstream advisory has been updated accordingly and a patch has been issued, which has been applied in:

=dev-ruby/activerecord-2.3.15-r1
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-01-16 00:20:46 UTC
CVE-2013-0156 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0156):
  active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15,
  3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not
  properly restrict casts of string values, which allows remote attackers to
  conduct object-injection attacks and execute arbitrary code, or cause a
  denial of service (memory and CPU consumption) involving nested XML entity
  references, by leveraging Action Pack support for (1) YAML type conversion
  or (2) Symbol type conversion.

CVE-2013-0155 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0155):
  Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before
  3.2.11 does not properly consider differences in parameter handling between
  the Active Record component and the JSON implementation, which allows remote
  attackers to bypass intended database-query restrictions and perform NULL
  checks or trigger missing WHERE clauses via a crafted request, as
  demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and
  CVE-2012-2694.
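Added illustration for the CVE-2013-0156 entry above; this is not code from this bug, from Gentoo, or from Rails. The upstream workaround for that CVE removed the "yaml" and "symbol" entries from Rails' XML type-conversion table so that neither conversion could be reached from a request body. The example models that idea with a constructed allowlist of conversions and a toy extractor for flat leaf elements; SAFE_XML_TYPES, REJECTED_XML_TYPES, coerce_xml_value, parse_xml_params and the sample bodies are all constructed here and are not the Rails implementation.

```ruby
require 'date'

# Allowlist of XML "type" attribute conversions (constructed for this
# example). Only conversions that produce plain data are present.
SAFE_XML_TYPES = {
  'integer'  => ->(s) { Integer(s, 10) },
  'float'    => ->(s) { Float(s) },
  'boolean'  => ->(s) { %w[1 true].include?(s.strip.downcase) },
  'datetime' => ->(s) { DateTime.parse(s) },
  'string'   => ->(s) { s },
}.freeze

# Types the hardened parser refuses outright: each turns attacker-controlled
# text into something with side effects (object construction for yaml; for
# symbol, on Ruby releases before 2.2, a symbol that is never garbage
# collected, hence the memory exhaustion noted in the CVE text).
REJECTED_XML_TYPES = %w[yaml symbol].freeze

class UnsafeTypeError < StandardError; end

# Coerce one element's text according to its type attribute. Types not in the
# allowlist are left as plain strings rather than handed to any converter.
def coerce_xml_value(text, type)
  return text if type.nil?
  raise UnsafeTypeError, "type=#{type.inspect} is not accepted" if REJECTED_XML_TYPES.include?(type)
  converter = SAFE_XML_TYPES[type]
  converter ? converter.call(text) : text
end

# Toy extractor for flat leaf elements of the form <name type="t">text</name>.
# Production code should use a real XML parser; this keeps the example
# dependency-free and is enough to show where the type check belongs.
LEAF_ELEMENT = %r{<(\w+)(?:\s+type="([^"]*)")?>([^<]*)</\1>}

def parse_xml_params(body)
  body.scan(LEAF_ELEMENT).each_with_object({}) do |(name, type, text), params|
    params[name] = coerce_xml_value(text, type)
  end
end

# Constructed request bodies: one benign, one carrying the two attribute
# values the CVE text names.
BENIGN_BODY = '<user><name>alice</name><age type="integer">42</age><admin type="boolean">false</admin></user>'
TYPED_BODY  = '<user><name type="symbol">alice</name><note type="yaml">--- [1, 2]</note></user>'

if __FILE__ == $PROGRAM_NAME
  p parse_xml_params(BENIGN_BODY)    # {"name"=>"alice", "age"=>42, "admin"=>false}
  begin
    parse_xml_params(TYPED_BODY)
  rescue UnsafeTypeError => e
    puts "rejected: #{e.message}"    # rejected: type="symbol" is not accepted
  end
end
```

Rejecting the request (rather than silently treating the value as a string) is the better operational choice: a type="yaml" or type="symbol" attribute has no legitimate use in an API client, so the rejection doubles as a detection signal worth logging.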
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-14 20:35:58 UTC
This issue was resolved and addressed in
 GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml
by GLSA coordinator Sean Amoss (ackle).