Bug 195315 - dev-ruby/rails <1.2.5 Multiple vulnerabilities (CVE-2007-{3227,5379,5380})
Summary: dev-ruby/rails <1.2.5 Multiple vulnerabilities (CVE-2007-{3227,5379,5380})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2007/10...
Whiteboard: B3 [glsa]
Keywords:
Duplicates: 177209
Depends on:
Blocks: 182223
Reported: 2007-10-10 01:45 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2007-11-14 21:23 UTC
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-10-10 01:45:13 UTC
Security Enhancements

1.2.4 fixes several potential security issues:

    * Session fixation attacks are mitigated by removing support for URL-based sessions
    * Changed the JSON encoding algorithms to avoid potential XSS issues when using ActiveRecord::Base#to_json
    * Potential Security and performance problems with XmlSimple have been fixed by disabling certain dangerous options by default.

-------------------------------

From: michael@koziarski.com
Subject: Ruby on Rails 1.2.4
Date: October 9, 2007 9:33:45 PM EDT
To: rubyonrails-security@googlegroups.com
Reply-To: rubyonrails-security@googlegroups.com


The release of Ruby on Rails 1.2.4 addresses some potential security
issues; all users of earlier versions are advised to upgrade to 1.2.4:

The particular issues are:

# Potential Information Disclosure or DoS with Hash#from_xml

Maliciously crafted requests to a rails application could cause the
XML parser to read files from the server's disk or the network.  1.2.4
removes this functionality entirely.

# Session Fixation attacks.

The session functionality in rails allowed users to provide their
session_id in the URL as well as cookies.  The functionality could be
exploited by a malicious user to obtain an authenticated session.

Users who rely on URL based sessions can re-enable them as follows:

config.action_controller.session_options[:session_secure] = true

-- 
Cheers

Koz
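
The session-fixation mechanism the advisory describes (a session id accepted from the URL, so an id chosen before the victim's visit becomes the victim's authenticated session), shown as an added example that is not code from the page or from Rails. The store, the `_session_id` key name and the scenario are constructed assumptions; the cookie-only lookup and the id rotation at login are the two mitigations a reviewer would check for.

```ruby
require 'securerandom'
# Toy server-side session table (id => data hash), constructed for this example.
class SessionStore
  attr_reader :sessions

  def initialize
    @sessions = {}
  end

  # URL-or-cookie lookup, the behaviour 1.2.4 removes: an id in the query string
  # is honoured, and an id the server never issued is adopted as a new session.
  # '_session_id' is an assumed parameter/cookie name.
  def resolve_url_or_cookie(params, cookies)
    sid = params['_session_id'] || cookies['_session_id'] || SecureRandom.hex(16)
    @sessions[sid] ||= {}
    sid
  end

  # Cookie-only lookup: the URL is ignored and an unknown id is replaced, not adopted.
  def resolve_cookie_only(_params, cookies)
    sid = cookies['_session_id']
    sid = SecureRandom.hex(16) unless sid && @sessions.key?(sid)
    @sessions[sid] ||= {}
    sid
  end

  # Rotate the id at authentication so any id known before login is worthless after.
  def login(sid, user)
    data = @sessions.delete(sid) || {}
    fresh = SecureRandom.hex(16)
    @sessions[fresh] = data.merge('user' => user)
    fresh
  end
end

# Does an id chosen before the victim's visit end up holding the victim's
# authenticated session when the app does not rotate ids at login?
def fixation_succeeds?(store, resolver)
  fixed = 'id-chosen-in-advance'
  victim_sid = store.public_send(resolver, { '_session_id' => fixed }, {})
  store.sessions[victim_sid]['user'] = 'alice' # victim authenticates
  store.sessions.dig(fixed, 'user') == 'alice'
end

# With rotation at login the fixed id is dead even under URL-based lookup.
def rotation_defeats_fixation?(store)
  fixed = 'id-chosen-in-advance'
  fresh = store.login(store.resolve_url_or_cookie({ '_session_id' => fixed }, {}), 'alice')
  fresh != fixed && !store.sessions.key?(fixed) && store.sessions[fresh]['user'] == 'alice'
end
```
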
Comment 1 Hans de Graaff gentoo-dev 2007-10-10 05:37:02 UTC
The JSON problem, although not mentioned in the security announcement, is being addressed in bug #182223. Rails 1.2.4 is already in the tree and if no regressions are found we'll ask for it to become stable this weekend.
Comment 2 Hans de Graaff gentoo-dev 2007-10-11 05:47:25 UTC
So it seems that Rails 1.2.5 is forthcoming shortly to address the problem with JSON encoding once more. I propose we wait until Rails 1.2.5 is out and stabilize that once it is in the tree.
Comment 3 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-10-12 16:56:29 UTC
http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release


From: DHH <david.heinemeier@gmail.com>
To: "Ruby on Rails: Security" <rubyonrails-security@googlegroups.com>
Date: Fri, 12 Oct 2007 16:50:53 -0000
Subject: Rails 1.2.5: Closes JSON XSS vulnerability
Reply-To: rubyonrails-security@googlegroups.com


This release closes a JSON XSS vulnerability, fixes a couple of minor
regressions introduced in 1.2.4, and backports a handful of features
and fixes from the 2.0 preview release.

All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5,
though it isn't strictly necessary if you aren't working with JSON.
For more information on the JSON vulnerability, see CVE-2007-3227.
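
The JSON XSS class closed by 1.2.5 (CVE-2007-3227), shown as an added example that is not code from the page or from Rails: a plain encoder leaves `<`, `>` and `&` in string values, so a record field under user control can end a `<script>` block when the JSON is written into a page; escaping those characters as `\uXXXX` keeps the JSON value identical while removing the markup. The record and helper names are constructed for the example.

```ruby
require 'json'

# HTML-significant characters mapped to JSON \uXXXX escapes (same decoded value).
HTML_UNSAFE = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

# Plain encoding: markup in string values survives verbatim.
def to_json_plain(obj)
  JSON.generate(obj)
end

# Hardened encoding: escape the three characters inside the generated JSON text.
def to_json_html_safe(obj)
  JSON.generate(obj).gsub(/[<>&]/) { |c| HTML_UNSAFE[c] }
end

# Constructed sample record whose user-supplied field carries script markup.
RECORD = { 'id' => 7, 'name' => '</script><script>alert(1)</script>' }.freeze

# Would this JSON text, written inside <script>...</script>, end the block early?
def breaks_out_of_script?(json)
  json.include?('</script>')
end

# The escaped form still decodes to exactly the original data.
def round_trips?(obj)
  JSON.parse(to_json_html_safe(obj)) == obj
end
```
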

Comment 4 Hans de Graaff gentoo-dev 2007-10-13 06:38:43 UTC
Rails 1.2.5 and friends just got added to CVS. Since upstream in all its wisdom decided to also include a few features that are backported from the forthcoming 2.0 branch, I'd like to test this a bit more before we start to stable it. Let's aim for a call to stable this on Monday.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-10-15 23:52:30 UTC
(In reply to comment #4)
> ... I'd like to test this a bit more before we start to stable it.
> Let's aim for a call to stable this on Monday.

Did you experience any regressions, is it ok to go?
Comment 6 Hans de Graaff gentoo-dev 2007-10-16 05:32:40 UTC
We should be good to go. No reports of any issues and I've also not noticed any regressions or problems in my own tests. 

Arches, please stabilize dev-ruby/rails-1.2.5 and its dependencies. Both Rails 1.2.4 and 1.2.5 contain security fixes compared to Rails 1.2.3-r1. The following packages need to be stabilized in this order to avoid dependency issues:

eselect-rails-0.10 (already stable on arches that have marked rails 1.2.3-r1 as stable)
activesupport-1.4.4
activerecord-1.15.5
actionpack-1.13.5
actionmailer-1.3.5
actionwebservice-1.2.5
rails-1.2.5

Note that this bug supersedes bug #177209, calling for the stabilization of rails-1.2.3-r1.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-16 06:01:32 UTC

*** This bug has been marked as a duplicate of bug 177209 ***
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-16 06:13:16 UTC
Of course it should be the other way round
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-16 06:13:33 UTC
*** Bug 177209 has been marked as a duplicate of this bug. ***
Comment 10 Hans de Graaff gentoo-dev 2007-10-16 06:57:35 UTC
*** Bug 182223 has been marked as a duplicate of this bug. ***
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-16 07:16:56 UTC
x86 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-10-16 13:31:01 UTC
ia64/sparc stable
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-18 17:16:21 UTC
ppc stable
Comment 14 Steve Dibb (RETIRED) gentoo-dev 2007-10-21 15:24:36 UTC
amd64 stable
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-10-21 15:42:34 UTC
Proposing B3. Please vote!

Together with bug #182223, we have these issues:

CVE-2007-5380:
         Session fixation vulnerability in Rails before 1.2.4, as used for Ruby
         on Rails, allows remote attackers to hijack web sessions via
         unspecified vectors related to "URL-based sessions."
CVE-2007-5379:
         Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers
         and ActiveResource servers to determine the existence of arbitrary
         files and read arbitrary XML files via the Hash.from_xml
         (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely,
         as demonstrated by reading passwords from the Pidgin (Gaim)
         .purple/accounts.xml file.
CVE-2007-3227:
         Cross-site scripting (XSS) vulnerability in the to_json function in
         Ruby on Rails before edge 9606 allows remote attackers to inject
         arbitrary web script via the input values.
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2007-10-21 17:48:04 UTC
I tend to vote YES.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-25 20:11:48 UTC
(In reply to comment #15)
> CVE-2007-5380:
>          Session fixation vulnerability 

perhaps...


> CVE-2007-5379:
>          files and read arbitrary XML files via the Hash.from_xml
>          (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely,
>          as demonstrated by reading passwords from the Pidgin (Gaim)

mmm


> CVE-2007-3227:
>          Cross-site scripting (XSS) vulnerability in the to_json function in

Non-persistent XSS; I would vote no for this CVE.



Globally I vote nothing, sorry...
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2007-10-25 23:21:02 UTC
(In reply to comment #15)
>      ... read arbitrary XML files via the Hash.from_xml
>          (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely,
>          as demonstrated by reading passwords from the Pidgin (Gaim)
>          .purple/accounts.xml file.

I would vote yes for this issue. XML might not be the dominant way to save configurations and passwords, but I would not call it uncommon, so reading those files could be quite a breach for users.
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-07 08:25:03 UTC
voting yes too, glsa request filed.
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-14 21:23:23 UTC
GLSA 200711-17