| Summary: | dev-ruby/rails-{2.3.16,3.0.20}: JSON parsing ACE (CVE-2013-0333) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | graaff |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B1 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Alex Legler (RETIRED) 2013-01-24 15:12:36 UTC
Hans, do we wait for official packages to appear or do we patch and try to squeeze arches in in the remaining 4 days?

The patch seems to be restricted to activesupport.

dev-ruby/rails:2.3 and dependencies are now in the tree, so these can be marked stable.

Rails 3.0 is now also in the tree.

Opening this up as it is now public.

Arches, please test and mark stable:
=dev-ruby/activesupport-2.3.16
=dev-ruby/activeresource-2.3.16
=dev-ruby/actionpack-2.3.16
=dev-ruby/actionmailer-2.3.16
=dev-ruby/activerecord-2.3.16
=dev-ruby/rails-2.3.16
Target KEYWORDS: "amd64 ppc ppc64 x86"

CVE-2013-0333 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0333):
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.

amd64 stable

x86 stable

ppc stable

ppc64 stable

Added on existing GLSA draft.

This issue was resolved and addressed in GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml by GLSA coordinator Sean Amoss (ackle).
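The CVE text above describes the failure mode in one sentence: the old ActiveSupport YAML backend turned a JSON request body into YAML text and handed it to a YAML loader, so anything the YAML loader understands (tags that build typed Ruby objects) is reachable from attacker-controlled input that a strict JSON parser would simply reject. The following is an added illustration written for this page, not code from the bug report, from ActiveSupport, or from the GLSA. It does not reproduce the real `convert_json_to_yaml` scanner or the crafted payloads used against it; `decode_via_yaml` is a deliberately simplified stand-in for "decode JSON by loading it as YAML", and the sample bodies are constructed. A benign `!ruby/symbol` tag is used so the type confusion is visible without executing anything; `Symbol` is explicitly permitted so the example behaves the same on Psych 3 and Psych 4 (the real backend used `YAML.load`, which on the Psych of that era resolved every tag).

```ruby
require 'json'
require 'yaml'

# Constructed sample input (not from the bug report): a JSON-looking body in
# which one value is a YAML tag rather than a JSON string.
TAGGED_BODY = '{"user": "alice", "role": !ruby/symbol admin}'

# Constructed sample input: an ordinary JSON body for comparison.
PLAIN_BODY = '{"user": "alice", "role": "admin"}'

# Simplified stand-in for the old ActiveSupport YAML backend: the request body
# is treated as YAML (JSON flow syntax is valid YAML) and run through the YAML
# loader, so YAML tags in the body are resolved into Ruby objects.
# Symbol is permitted only to keep the demonstration deterministic; the point
# is that the decoder reaches the tag resolver at all.
def decode_via_yaml(body)
  YAML.safe_load(body, permitted_classes: [Symbol])
end

# Hardened form: a strict JSON parser has no notion of YAML tags and rejects
# the tagged body with JSON::ParserError instead of building an object.
def decode_via_json(body)
  JSON.parse(body)
end

# Returns the class of the "role" value a decoder produced, or the error class
# if decoding failed, so the two decoders can be compared on the same body.
def role_outcome(decoder, body)
  send(decoder, body).fetch('role').class
rescue JSON::ParserError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_BODY, TAGGED_BODY].each do |body|
    puts "body: #{body}"
    puts "  via YAML loader : #{role_outcome(:decode_via_yaml, body)}"
    puts "  via JSON parser : #{role_outcome(:decode_via_json, body)}"
  end
end
```

On the plain body both decoders return `"admin"` as a `String`. On the tagged body the YAML path returns the `Symbol` `:admin` while the JSON path raises `JSON::ParserError`; with an unrestricted loader and a tag naming an arbitrary class, that same path is what the CVE description calls unsafe decoding. The upstream advisory's workaround for affected 2.3.x/3.0.x installations was to switch the backend with `ActiveSupport::JSON.backend = "JSONGem"`, which is the strict-parser behaviour shown by `decode_via_json`.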