Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 237385 (CVE-2008-4094) - dev-ruby/rails <2.1.1 :limit and :offset SQL injection (CVE-2008-4094)
Summary: dev-ruby/rails <2.1.1 :limit and :offset SQL injection (CVE-2008-4094)
Status: RESOLVED FIXED
Alias: CVE-2008-4094
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2008/9/...
Whiteboard: B3 [glsa]
Keywords:
: 239548 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-09-11 07:16 UTC by Azamat H. Hackimov
Modified: 2009-12-20 12:11 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Azamat H. Hackimov 2008-09-11 07:16:55 UTC
rails-2.1.1 and rails-2.0.4 released. Probably GLSA-team should open issue. 

1st issue:

http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/ 

> An SQL Injection vulnerability has been found in Rails. The issue affects Rails < 2.1.1, namely the :limit and :offset parameters that are not correctly sanitized

2nd issue:

http://weblog.rubyonrails.org/2008/8/23/dos-vulnerabilities-in-rexml

> There is a DoS vulnerability in the REXML library included in the Ruby Standard Library. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML using REXML.
Comment 1 Hans de Graaff gentoo-dev 2008-09-12 05:24:14 UTC
Note that the REXML security issue is already handled for all ruby software in ruby 1.8.6-P287-r1.

The first issue is a rails-specific security issue.
Comment 2 Hans de Graaff gentoo-dev 2008-09-12 05:59:25 UTC
I've just added Rails 2.0.4 to CVS. I expect to add 2.1.1 later this weekend.

I propose to test these versions for a week and mark them stable regarding the first security issue unless regressions crop up.
Comment 3 Hans de Graaff gentoo-dev 2008-09-13 09:10:21 UTC
Rails 2.1.1 is now also in CVS.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-09-13 18:13:22 UTC
issue (2) is not resolved by 2.0.4. There's no point in stabling that except for additional hardening of rails users on old ruby versions.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-09-13 18:13:51 UTC
Sorry, I meant issue (1) is not resolved by 2.0.4.
Comment 6 Hans de Graaff gentoo-dev 2008-09-15 05:23:44 UTC
(In reply to comment #5)
> Sorry, I meant issue (1) is not resolved by 2.0.4.

Confirmed.

So how should we deal with this security bug, given that 2.0.4 doesn't fix the problem and 2.1.0 is currently not stable yet?



Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-09-15 14:25:20 UTC
(In reply to comment #6)
> So how should we deal with this security bug, given that 2.0.4 doesn't fix the
> problem and 2.1.0 is currently not stable yet?

That depends on how upstream handles it. If they'll release a 2.0.5 soon, we can bump, otherwise there is a backported patch to 2.X in the bug report.
Comment 8 Azamat H. Hackimov 2008-09-23 12:04:11 UTC
(In reply to comment #7)
> That depends on how upstream handles it. If they'll release a 2.0.5 soon, we
> can bump, otherwise there is a backported patch to 2.X in the bug report.

Upstream issued two patches for 1.2.x and 2.0.x:
http://rails.lighthouseapp.com/projects/8994/tickets/964-fix-for-sql-injection-on-limit-and-offset-should-be-backported 

1.2.x:
http://rails.lighthouseapp.com/attachments/43792/offset_limit_fix_backport_1-2-stable.diff
2.0.x:
http://rails.lighthouseapp.com/attachments/43793/offset_limit_fix_backport_2-0-stable.diff
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2008-09-26 11:41:40 UTC
(In reply to comment #8)
> Upstream issued two patches for 1.2.x and 2.0.x:
> http://rails.lighthouseapp.com/projects/8994/tickets/964-fix-for-sql-injection-on-limit-and-offset-should-be-backported 

I've put two ebuilds with these patches into the Ruby overlay.
Unfortunately the patching depends on new gem patching stuff which needs testing before it can be put into the main tree.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-10-04 15:46:23 UTC
*** Bug 239548 has been marked as a duplicate of this bug. ***
Comment 11 Hans de Graaff gentoo-dev 2008-10-20 18:36:52 UTC
Rails 2.0.5 does have the fix for issue 1, limit and offset parameter SQL injection.
Comment 12 Hans de Graaff gentoo-dev 2008-10-20 19:42:11 UTC
Rails 2.0.5 is now in CVS. I propose to test this version for at least a week before stabling it.
Comment 13 Mark Catley 2008-10-24 01:54:45 UTC
Rails 2.1.2 is now out which fixes this bug. http://weblog.rubyonrails.com/2008/10/23/rails-2-1-2-security-other-fixes
Comment 14 Hans de Graaff gentoo-dev 2008-10-24 12:22:36 UTC
Rails 2.1.2 is now in CVS.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-10-31 00:23:08 UTC
Hans, is this ok for stable?
Comment 16 Hans de Graaff gentoo-dev 2008-11-03 19:23:32 UTC
Yes, we are good to go for stabling.

Arches, please stabilize dev-ruby/rails-2.0.5 and dev-ruby/rails-2.1.2 and their dependencies.

In order of dependencies (each dependency has a -2.0.5 and a -2.1.2 version):

dev-ruby/activesupport
dev-ruby/activeresource
dev-ruby/actionpack
dev-ruby/actionmailer
dev-ruby/activerecord
dev-ruby/rails

Note that we do not have a 2.1.x version stable, however, Rails 2.1.1 was already due for being marked stable, and 2.1.2 contains only this security fix and minor bug fixes.
Comment 17 Ferris McCormick (RETIRED) gentoo-dev 2008-11-03 19:44:55 UTC
All stable for sparc, but do not forget that we need:

>=app-admin/eselect-rails-0.12

for rails-2.1.2 as well.
Comment 18 Markus Meier gentoo-dev 2008-11-03 22:29:47 UTC
amd64/x86 stable
Comment 19 Brent Baude (RETIRED) gentoo-dev 2008-11-04 17:50:21 UTC
ppc64 done
Comment 20 Hans de Graaff gentoo-dev 2008-11-04 18:56:06 UTC
Adding back amd64 and x86. Markus, it looks like you only did the Rails 2.1.2 version. We'd also like Rails 2.0.5 and its dependencies stable, so that we can keep the 2.0.x SLOT around for a bit longer. Let me know if you want me to do the stabling (I'm using this on amd64 and x86 myself).
Comment 21 Markus Meier gentoo-dev 2008-11-05 19:53:55 UTC
amd64/x86 stable
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2008-11-06 09:13:02 UTC
ia64 stable
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-15 18:18:31 UTC
ppc stable
Comment 24 Azamat H. Hackimov 2008-11-24 06:44:13 UTC
Arch stable exept ia64 for 2.0.5. What we waiting for? :)
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 23:28:32 UTC
(In reply to comment #24)
> Arch stable exept ia64 for 2.0.5. What we waiting for? :)

Nothing, glsa decision now. I vote YES.
Comment 26 Tobias Heinlein (RETIRED) gentoo-dev 2008-11-30 18:12:03 UTC
YES too, request filed.
Comment 27 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-20 12:11:55 UTC
GLSA 200912-02