
Bug 520212 (CVE-2014-3514)

Summary: <dev-ruby/rails-{4.0.8, 4.1.5}: Security Permission Bypass Vulnerability (CVE-2014-3514)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Hans de Graaff <graaff>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://weblog.rubyonrails.org/2014/8/18/Rails_4_0_9_and_4_1_5_have_been_released/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2014-08-18 21:25:22 UTC
There is a vulnerability in the create_with method in Active Record. This vulnerability has been assigned the CVE identifier CVE-2014-3514.

Versions Affected:  4.0.0 and All Later Versions.
Not affected:       Versions earlier than 4.0.0
Fixed Versions:     4.0.9 4.1.5

Impact
------
The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameters protection.  Applications which pass user-controlled values to create_with could allow attackers to set arbitrary attributes on models.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The 4.0.9 and 4.1.5 releases are available at the normal locations.

Workarounds
-----------
To avoid this vulnerability you will have to either remove all calls to create_with, or carefully audit your codebase to ensure it sanitizes the input first.  For example you should replace code like this:

  user.blog_posts.create_with(params[:blog_post]).create

with either:

  user.blog_posts.create(params[:blog_post])

or:

  user.blog_posts.create_with(params[:blog_post].permit(:title, :body, :etc)).create
Comment 1 Hans de Graaff gentoo-dev Security 2014-08-18 22:20:25 UTC
Rails 4.0.9 and 4.1.5 are now available in the tree.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-08-19 01:22:30 UTC
Are you ready to stabilize now, or do you need some time for testing?
Comment 3 Agostino Sarubbo gentoo-dev 2014-08-19 06:04:22 UTC
(In reply to Yury German from comment #2)
> Are you ready to stabilize now, or do you need some time for testing?

No stable version(s). We don't need to stabilize.
Comment 4 Hans de Graaff gentoo-dev Security 2014-08-23 07:09:19 UTC
Cleanup done.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-08-25 05:08:39 UTC
CVE-2014-3514 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3514):
  activerecord/lib/active_record/relation/query_methods.rb in Active Record in
  Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote
  attackers to bypass the strong parameters protection mechanism via crafted
  input to an application that makes create_with calls.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 05:09:56 UTC
Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.