Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 529635 (CVE-2014-7829)

Summary: <dev-ruby/rails-{3.2.21,4.0.12,4.1.8}: Arbitrary file existence disclosure in Action Pack (CVE-2014-{7818,7829})
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://weblog.rubyonrails.org/2014/11/17/Rails-3-2-21-4-0-12-and-4-1-8-have-been-released/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev 2014-11-17 19:14:06 UTC
Arbitrary file existence disclosure in Action Pack

There is an information leak vulnerability in Action Pack. This vulnerability
has been assigned the CVE identifier CVE-2014-7829.

Versions Affected:  >= 3.0.0
Not affected:       < 3.0.0, 4.2.0.beta4
Fixed Versions:     3.2.21, 4.0.12, 4.1.8

Impact
------
Specially crafted requests can be used to determine whether a file exists on
the filesystem that is outside the Rails application's root directory.  The
files will not be served, but attackers can determine whether or not the file
exists.  This vulnerability is very similar to CVE-2014-7818, but the
specially crafted string is slightly different.

This only impacts Rails applications that enable static file serving at
runtime.  For example, the application's production configuration will say:

  config.serve_static_assets = true

All users running an affected configuration should either upgrade or use one of the work arounds immediately.
Comment 1 Hans de Graaff gentoo-dev 2014-11-17 20:20:44 UTC
Rails version 3.2.21, 4.0.12, and 4.1.8 are now in the tree.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-14 20:21:59 UTC
(In reply to Hans de Graaff from comment #1)
> Rails version 3.2.21, 4.0.12, and 4.1.8 are now in the tree.

Thanks, Hans. Can you please drop the vulnerable versions and then we can call this bug resolved?
Comment 3 Hans de Graaff gentoo-dev 2014-12-20 07:32:43 UTC
Vulnerable versions have now been removed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 01:31:01 UTC
CVE-2014-7829 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7829):
  Directory traversal vulnerability in
  actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby
  on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and
  4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote
  attackers to determine the existence of files outside the application root
  via vectors involving a \ (backslash) character, a similar issue to
  CVE-2014-7818.

CVE-2014-7818 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7818):
  Directory traversal vulnerability in
  actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby
  on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and
  4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote
  attackers to determine the existence of files outside the application root
  via a /..%2F sequence.