Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 354249 (CVE-2011-0446) - Several security issues in rails 2.2.x, rails <2.3.11 and =3.0.3 (CVE-2011-{0446,0447,0448,0449})
Summary: Several security issues in rails 2.2.x, rails <2.3.11 and =3.0.3 (CVE-2011-{0...
Status: RESOLVED FIXED
Alias: CVE-2011-0446
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa]
Keywords:
Depends on: 372391 379511
Blocks:
  Show dependency tree
 
Reported: 2011-02-09 15:18 UTC by Hans de Graaff
Modified: 2014-12-14 20:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2011-02-09 15:18:43 UTC
Several security issues have been reported in Rails:

http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4

Affecting 2.x.x and 3.0.x

    * XSS Risk in mail_to :encode=>:javascript CVE-2011-0446
    * CSRF Bypass Risk CVE-2011-0447

Affecting 3.0.x only

    * Filter Problems on Case Insensitive Filesystems CVE-2011-0449
    * Potential SQL Injection with limit() CVE-2011-0448

There is a vulnerability in Ruby on Rails which could allow an attacker to circumvent the CSRF protection provided. This vulnerability has been assigned the CVE Identifier CVE-2011-0447.

    * Versions Affected: 2.1.0 and above
    * Not affected: Applications which don’t use the built in CSRF protection.
    * Fixed Versions: 3.0.4, 2.3.11
Comment 1 Hans de Graaff gentoo-dev 2011-02-09 15:20:52 UTC
Planned steps by the ruby project:

- Mask Rails 2.2.x (vulnerable and no longer supported upstream)
- Fix Rails 2.3.x by patching our current stable 2.3.5 if possible
  (in order to avoid a nasty forced stabilization)
- Add Rails 2.3.11
- Add Rails 3.0.4
Comment 2 Hans de Graaff gentoo-dev 2011-02-09 19:18:22 UTC
Rails 2.2.x is now masked.
Comment 3 Hans de Graaff gentoo-dev 2011-02-21 20:14:22 UTC
Rails 2.3.11 is now in CVS.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-02-21 21:43:48 UTC
(In reply to comment #3)
> Rails 2.3.11 is now in CVS.
> 

Thank you.

Arches, please test and mark stable:
=dev-ruby/rails-2.3.11
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
Comment 5 Hans de Graaff gentoo-dev 2011-02-21 22:29:38 UTC
(In reply to comment #4)

> Arches, please test and mark stable:
> =dev-ruby/rails-2.3.11

Dropping arches: this stabilization path is not ready. We intend to backport the fix to stable 2.3.5 as mentioned in comment #1
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-02-21 22:32:18 UTC
(In reply to comment #5)
> Dropping arches: this stabilization path is not ready. We intend to backport
> the fix to stable 2.3.5 as mentioned in comment #1
> 

Sorry, I missed that. Let me know if we can help somehow.
Comment 7 Hans de Graaff gentoo-dev 2011-02-22 07:12:54 UTC
(In reply to comment #6)

> Sorry, I missed that. Let me know if we can help somehow.

I had a look this morning at the patches, but they require active backporting to 2.3.5. They don't apply as-is.

I'll try to move ahead with the stabilization path as well but it may be 1-2 weeks before we have bugs filed and paths cleared for all dependencies.

Comment 8 Hans de Graaff gentoo-dev 2011-04-26 18:13:46 UTC
Rails 3.0.7 is now in the tree. That leaves the stabilization of Rails 2.3.11. We are almost there but a few minor issues need to be ironed out first.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 20:51:18 UTC
Stabilization of more current version happening in bug 379511.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-14 20:35:33 UTC
This issue was resolved and addressed in
 GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml
by GLSA coordinator Sean Amoss (ackle).