Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 572958 (CVE-2016-0752)

Summary: <dev-ruby/actionview-4.{1.15,2.6},: Possible Information Leak Vulnerability
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2016/01/25/13
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-01-26 09:02:55 UTC
From ${URL} :

Possible Information Leak Vulnerability in Action View

There is a possible directory traversal and information leak vulnerability in
Action View. This vulnerability has been assigned the CVE identifier
CVE-2016-0752.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact
------
Applications that pass unverified user input to the `render` method in a
controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from
unexpected places like outside the application's view directory, and can
possibly escalate this to a remote code execution attack.



@maintainer(s): since the fixed version is already in the tree, please remove the affected versions.
Comment 1 Hans de Graaff gentoo-dev 2016-02-07 17:53:11 UTC
Vulnerable versions for Rails 3.2, 4.1, and 4.2 have been removed.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-06-05 12:23:34 UTC
Cleanup complete per previous comments.