Bug 143369 - dev-ruby/rails < 1.1.6 security issue
Summary: dev-ruby/rails < 1.1.6 security issue
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High major
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2006/8/...
Whiteboard: B1? [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2006-08-09 10:54 UTC by Vlad Berditchevskiy
Modified: 2006-09-02 14:48 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Vlad Berditchevskiy 2006-08-09 10:54:12 UTC
A 'mandatory' security patch has been released. Ebuilds should be updated too. More info:

http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-08-09 11:09:43 UTC
Ruby, please provide fixed ebuilds, thanks.
Comment 2 Caleb Tennis (RETIRED) gentoo-dev 2006-08-09 11:37:29 UTC
It's in portage as rails-1.1.5

Also affects (and now in portage):

actionmailer-1.2.4
actionpack-1.12.4
actionwebservice-1.1.5
activerecord-1.14.4

does NOT affect:

activesupport-1.3.1


I suppose we need arches to mark stable sooner than later; I'd like them to test and make sure the install goes okay for everyone (worked fine here).  According to the site the differences between 1.1.4 and 1.1.5 are minimal save for the security stuff.  I hope that's right.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-08-09 11:41:14 UTC
arches, please test and stable rails-1.1.5, thank you
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-08-09 11:42:12 UTC
... and of course also the other packages as mentioned in comment #2

sorry
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2006-08-09 12:52:48 UTC
ppc stable
Comment 6 Michael Weyershäuser 2006-08-09 13:35:38 UTC
I get a digest failure on actionpack-1.12.4:

>>> checking actionpack-1.12.4.gem
!!! Digest verification failed:
!!! /usr/portage/distfiles/actionpack-1.12.4.gem
!!! Reason: Filesize does not match recorded size
!!! Got: 530432
!!! Expected: 529920

Other than that this is good to go on amd64.

emerge --info
Portage 2.1-r1 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-suspend2-r3-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.17-suspend2-r3-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.6.15
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa arts avi berkdb bitmap-fonts cli crypt cups dlloader dri eds emboss encode foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 imlib ipv6 isdnlog jpeg kde kdeenablefinal lzw lzw-tiff mp3 mpeg ncurses nls nptl opengl pam pcre pdflib perl png pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd tiff truetype-fonts type1-fonts unicode usb userlocales xorg xpm xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux linguas_de userland_GNU video_cards_dummy"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2006-08-09 13:38:32 UTC
of course, they changed the .gem after the announcement... argh
Comment 8 Caleb Tennis (RETIRED) gentoo-dev 2006-08-09 13:39:47 UTC
I recommitted the new digest.  I hope mirroring doesn't cause major breakage.
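Comments 6 to 8 show the supply-chain check doing its job: Portage compares the fetched distfile against the size and digest recorded when the ebuild was written, and upstream silently re-rolling actionpack-1.12.4.gem after the announcement trips that check. The script below is an added illustration of the same check, not Portage code: it records a size and a SHA-256 (an assumption; the digest files of that era used other hashes) for a constructed sample artifact, then verifies a re-rolled copy of different size and a same-size edited copy, reporting the size mismatch first exactly as the output in comment 6 does.

```python
"""Distfile integrity check in the style of Portage's digest verification.
Added example with constructed data; not Portage's own code."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class DigestRecord:
    """What the package tree recorded for one distfile (a Manifest-style entry)."""
    name: str
    size: int
    sha256: str  # hex digest; SHA-256 is this example's choice, not the 2006 format


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def record_for(name: str, data: bytes) -> DigestRecord:
    """Build the record from the artifact as it was when the ebuild was committed
    (comment 8 recommits a record like this after the upstream re-roll)."""
    return DigestRecord(name, len(data), hashlib.sha256(data).hexdigest())


def verify_distfile(path: str, rec: DigestRecord) -> VerifyResult:
    """Check size first (cheap, and the reason reported in comment 6), then the
    digest, so a substitution that keeps the size is still rejected."""
    actual_size = os.path.getsize(path)
    if actual_size != rec.size:
        return VerifyResult(
            False,
            f"Filesize does not match recorded size (got {actual_size}, expected {rec.size})",
        )
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    if h.hexdigest() != rec.sha256:
        return VerifyResult(False, "SHA256 does not match recorded digest")
    return VerifyResult(True, "ok")


def demo() -> dict:
    """Constructed scenario: the tree recorded the original .gem, upstream then
    re-rolled it (comment 7), and a same-size edit is tried as well."""
    original = b"actionpack-1.12.4 constructed sample payload\n" * 256
    rec = record_for("actionpack-1.12.4.gem", original)
    rerolled = original + b"re-rolled after the announcement\n"
    tampered = bytearray(original)
    tampered[0] ^= 0x01  # flip one bit; size unchanged
    cases = (("original", original), ("rerolled", rerolled), ("same-size", bytes(tampered)))
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, data in cases:
            path = os.path.join(d, rec.name)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_distfile(path, rec)
    return results


if __name__ == "__main__":
    for label, res in demo().items():
        print(f"{label:10s} ok={res.ok} {res.reason}")
```

The size-before-digest ordering mirrors the Portage output quoted in comment 6, which stops at "Filesize does not match recorded size" without reaching the hash; the same-size case is there because a size check alone would let a content-only substitution through, which is why the recorded digest is the part that matters.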
Comment 9 Thomas Cort (RETIRED) gentoo-dev 2006-08-09 13:52:35 UTC
amd64 stable.
Comment 10 Joshua Jackson (RETIRED) gentoo-dev 2006-08-09 20:58:43 UTC
x86 stable, I didn't find any rubies... who stole them all?
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-10 00:36:41 UTC
Rerating as I doubt this will be more than a B1.
Comment 12 Jakub Moc (RETIRED) gentoo-dev 2006-08-10 02:18:48 UTC
Some real info on the problem (upstream-- for their security by obscurity approach).

http://blog.koehntopp.de/archives/1367-Ruby-On-Rails-Mandatory-Mystery-Patch.html
Comment 13 Ferris McCormick (RETIRED) gentoo-dev 2006-08-10 05:03:27 UTC
All stable on sparc.  Notes:
1.  sparc tests used lighttpd;
2.  script/server (for testing connections from local & remote) generates a lot of annoying 'method redefined' warnings;
3.  Test system is running ruby-1.8.4-r3
Comment 14 Vlad Berditchevskiy 2006-08-10 11:56:39 UTC
BTW, 1.1.5 is now obsolete, 1.1.6 has been released today.
Comment 15 Caleb Tennis (RETIRED) gentoo-dev 2006-08-10 12:03:36 UTC
yeah, but as of now I'm not able to download the gems so I can't do updates in portage yet.
Comment 16 Caleb Tennis (RETIRED) gentoo-dev 2006-08-10 13:19:45 UTC
ok, gems now available.  all have been bumped accordingly, and I left the already stable arches alone since the diff between 1.1.5 and 1.1.6 was basically trivial.

so we're waiting on ia64 and the bsd folks.
Comment 17 Marco Matthies 2006-08-10 17:49:23 UTC
http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
says upgrade to 1.1.6 is security related.

According to
http://www.ruby-forum.com/topic/76671
calling urls such as
http://127.0.0.1:3000/builder/blankslate
http://127.0.0.1:3000/active_support/dependencies
on 1.1.5 will cause all subsequent requests to fail.

All of this was not tested by myself so YMMV.
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-10 23:27:29 UTC
1.1.6 is the new fixed version. It is already in Portage and stable as per comment #16.
Comment 19 Caleb Tennis (RETIRED) gentoo-dev 2006-08-11 03:28:27 UTC
I will delete the offending versions from portage sometime today (that's 1.1.0 through 1.1.5)
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-14 08:12:30 UTC
GLSA 200608-20 sent