Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 576068

Summary: <dev-ruby/rails-{3.2.22.2,4.1.14.2,4.2.5.2}: Various vulnerabilities (CVE-2016-{2097,2098})
Product: Gentoo Security Reporter: Hans de Graaff <graaff>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ruby, zerochaos
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://weblog.rubyonrails.org/2016/2/29/Rails-4-2-5-2-4-1-14-2-3-2-22-2-have-been-released/
Whiteboard: ~1 [noglsa cve]
Package list:
Runtime testing required: ---

Description Hans de Graaff gentoo-dev Security 2016-03-01 05:14:52 UTC 
Possible Information Leak Vulnerability in Action View.

There is a possible directory traversal and information leak vulnerability in
Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering
all the scenarios. This vulnerability has been assigned the CVE identifier
CVE-2016-2097.

Versions Affected:  3.2.x, 4.0.x, 4.1.x
Not affected:       4.2+
Fixed Versions:     3.2.22.2, 4.1.14.2


There is a possible remote code execution vulnerability in Action Pack.
This vulnerability has been assigned the CVE identifier CVE-2016-2098.

Versions Affected:  3.2.x, 4.0.x, 4.1.x, 4.2.x
Not affected:       5.0+
Fixed Versions:     3.2.22.2, 4.1.14.2, 4.2.5.2
Comment 1 Hans de Graaff gentoo-dev Security 2016-03-01 07:04:05 UTC 
Rails 3.2.22.2, 4.1.14.2, and 4.2.5.2 are now in the tree.

Given that the list of security issues now includes possible RCE, my intention is to mask Rails 4.0.x for removal, including any dependencies. A tentative package list:

dev-ruby/rails:4.0
dev-ruby/railties:4.0
dev-ruby/activerecord:4.0
dev-ruby/actionmailer:4.0
dev-ruby/actionpack:4.0
dev-ruby/activemodel:4.0
dev-ruby/activesupport:4.0

And affected packages that depend on Rails 4.0 (packages depending on these still to be checked):

dev-ruby/coffee-rails:4.0
dev-ruby/metasploit-concern
dev-ruby/metasploit-credential
dev-ruby/metasploit_data_models
dev-ruby/metasploit-model
net-analyzer/metasploit

My intention is to mask these for removal at the end of the week.
Comment 2 Hans de Graaff gentoo-dev Security 2016-08-13 06:44:50 UTC 
Rails 4.0 has now been masked.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-11-26 00:27:17 UTC 
CVE-2016-2098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2098):
  Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x
  before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by
  leveraging an application's unrestricted use of the render method.

CVE-2016-2097 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2097):
  Directory traversal vulnerability in Action View in Ruby on Rails before
  3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary
  files by leveraging an application's unrestricted use of the render method
  and providing a .. (dot dot) in a pathname.  NOTE: this vulnerability exists
  because of an incomplete fix for CVE-2016-0752.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-11-26 00:46:45 UTC 
Not sure why I missed this is unstable...