
Bug 761960 (CVE-2015-9284)

Summary: <dev-ruby/omniauth-2.0.4: CSRF with Ruby on Rails (CVE-2015-9284)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: ruby
Priority: Normal
Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/omniauth/omniauth/pull/809
See Also: https://github.com/gentoo/gentoo/pull/21990
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-27 18:50:10 UTC
CVE-2015-9284:

The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.


There is an unmerged PR at $URL.
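The request phase described in the CVE text above, as an added example that is not OmniAuth's own code: a minimal reconstruction of the pre-2.0 behaviour (any GET to /auth/:provider starts the provider redirect, so a page the victim merely visits can start it with the victim's session) beside the hardened form, which is the direction the 2.0 defaults took (request phase restricted to POST, plus a token that only a form rendered into the victim's own session can carry). The Request struct, the provider URL, the client id, the `authenticity_token` parameter name and the session keys are constructed stand-ins, not the gem's API.

```ruby
require 'securerandom'

# Constructed stand-in for a Rack request: HTTP verb, path, form params and
# the per-user session hash (in a real app this is cookie-backed).
Request = Struct.new(:verb, :path, :params, :session, keyword_init: true)

# Constructed values; a real deployment has its own provider URL and client id.
PROVIDER_AUTHORIZE_URL = 'https://provider.example/oauth/authorize'
CLIENT_ID = 'example-client-id'
AUTH_PATH = %r{\A/auth/(\w+)\z}

# Builds the redirect to the provider and pins a fresh state value to the
# session. Both handlers share this once they decide the request is allowed.
def start_flow(req, provider)
  state = SecureRandom.hex(16)
  req.session['omniauth.state'] = state
  location = "#{PROVIDER_AUTHORIZE_URL}?client_id=#{CLIENT_ID}" \
             "&provider=#{provider}&state=#{state}"
  [302, { 'Location' => location }]
end

# Reconstruction of the vulnerable request phase: any GET to /auth/:provider
# kicks off the flow. An attacker page can therefore embed
# <img src="https://app.example/auth/github"> and the victim's browser starts
# the OAuth dance with the victim's session cookie; the attacker then finishes
# the callback with an account they control, which is the CSRF the CVE
# describes.
def vulnerable_request_phase(req)
  m = AUTH_PATH.match(req.path)
  return nil unless m # not an auth path; pass through to the app
  start_flow(req, m[1])
end

# Hardened request phase: POST only, and the POST must carry a token that was
# issued to this session, so a cross-site form cannot supply it.
ALLOWED_REQUEST_METHODS = ['POST'].freeze
TOKEN_PARAM = 'authenticity_token'

# Issues (or returns) the session's CSRF token; the app renders it into its
# own "Connect GitHub" form as a hidden field.
def csrf_token_for(session)
  session['csrf_token'] ||= SecureRandom.base64(32)
end

# Constant-time string comparison so a timing oracle cannot reveal the token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def hardened_request_phase(req)
  m = AUTH_PATH.match(req.path)
  return nil unless m
  unless ALLOWED_REQUEST_METHODS.include?(req.verb)
    return [405, { 'Allow' => ALLOWED_REQUEST_METHODS.join(', ') }]
  end
  expected = req.session['csrf_token'].to_s
  supplied = req.params[TOKEN_PARAM].to_s
  return [403, {}] if expected.empty? || !secure_compare(supplied, expected)
  start_flow(req, m[1])
end

if __FILE__ == $PROGRAM_NAME
  victim = {}
  forged = Request.new(verb: 'GET', path: '/auth/github', params: {}, session: victim)
  puts "vulnerable, forged GET: #{vulnerable_request_phase(forged)[0]}"
  puts "hardened,   forged GET: #{hardened_request_phase(forged)[0]}"
  form = Request.new(verb: 'POST', path: '/auth/github',
                     params: { TOKEN_PARAM => csrf_token_for(victim) }, session: victim)
  puts "hardened,   real form:  #{hardened_request_phase(form)[0]}"
end
```

Restricting the verb alone is not enough: an attacker page can auto-submit a cross-site POST form, which is why the hardened handler also rejects a POST that lacks the session-bound token. In a Rails deployment that token check is normally delegated to the framework's own authenticity token rather than implemented by hand as here.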
Comment 1 Hans de Graaff gentoo-dev Security 2020-12-28 08:36:41 UTC
Given the long discussion and history on that bug I think it is best if we wait for a new upstream version for this.
Comment 2 Larry the Git Cow gentoo-dev 2021-07-07 07:48:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6e7418ac708d533403b7fbf70b87c9502bcc3be

commit b6e7418ac708d533403b7fbf70b87c9502bcc3be
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-07 07:40:12 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-07 07:40:12 +0000

    profiles/package.mask: mask vulnerable omniauth slot
    
    Bug: https://bugs.gentoo.org/761960
    
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89bcc98ce7ba0cfe3de2910a9aa12c3f0847db94

commit 89bcc98ce7ba0cfe3de2910a9aa12c3f0847db94
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-07 07:36:31 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-07 07:37:35 +0000

    dev-ruby/omniauth: add 2.0.4
    
    Bug: https://bugs.gentoo.org/761960
    
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-ruby/omniauth/Manifest              |  1 +
 dev-ruby/omniauth/omniauth-2.0.4.ebuild | 46 +++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-08 00:25:45 UTC
Thanks!
Comment 9 NATTkA bot gentoo-dev 2021-07-29 18:13:38 UTC
Package list is empty or all packages have requested keywords.
Comment 10 Larry the Git Cow gentoo-dev 2021-08-19 11:14:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5424f4f5575040dab0ffa3f1d01148555faa5117

commit 5424f4f5575040dab0ffa3f1d01148555faa5117
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-08-19 11:14:11 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-08-19 11:14:11 +0000

    dev-ruby/omniauth: Remove last-rited version
    
    Bug: https://bugs.gentoo.org/761960
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: David Seifert <soap@gentoo.org>

 dev-ruby/omniauth/Manifest              |  1 -
 dev-ruby/omniauth/omniauth-1.9.1.ebuild | 45 ---------------------------------
 profiles/package.mask                   |  5 ----
 3 files changed, 51 deletions(-)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-19 17:47:26 UTC
All done, thanks!