Bug 456840 (CVE-2013-0276) - <dev-ruby/rails-{2.3.17,3.1.11,3.2.12}: Circumvention of attr_protected (CVE-2013-{0276,0277})
Summary: <dev-ruby/rails-{2.3.17,3.1.11,3.2.12}: Circumvention of attr_protected (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2013-0276
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Reported: 2013-02-11 19:39 UTC by Hans de Graaff
Modified: 2014-12-14 20:36 UTC (History)
Description Hans de Graaff gentoo-dev Security 2013-02-11 19:39:36 UTC
Circumvention of attr_protected

There is a vulnerability in the attr_protected method in ActiveRecord. This vulnerability has been assigned the CVE identifier CVE-2013-0276.

Versions Affected:  All.
Not affected:       Applications using attr_accessible
Fixed Versions:     3.2.12, 3.1.11, 2.3.17

Impact 
------
The attr_protected method allows developers to specify a blacklist of model attributes which users should not be allowed to assign to.  By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected.

All users running an affected release should either upgrade or use one of the workarounds immediately.  Users should also consider switching from attr_protected to the whitelist method attr_accessible which is not vulnerable to this attack.

Releases 
-------- 
The 3.2.12, 3.1.11, and 2.3.17 releases are available at the normal locations. 

Workarounds 
----------- 
The only feasible workaround for this issue is to convert the application to use attr_accessible instead of attr_protected.
Comment 1 Hans de Graaff gentoo-dev Security 2013-02-11 21:25:31 UTC
rails 2.3.17, 3.1.11, and 3.2.12 have been added to the tree (3.0 is no longer supported and now masked for removal).

To be used as stable list:

=dev-ruby/rails-2.3.17
=dev-ruby/activerecord-2.3.17
=dev-ruby/actionmailer-2.3.17
=dev-ruby/actionpack-2.3.17
=dev-ruby/activeresource-2.3.17
=dev-ruby/activesupport-2.3.17
Comment 2 Hans de Graaff gentoo-dev Security 2013-02-11 21:26:21 UTC
Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0

There is a vulnerability in the serialized attribute handling code in Ruby on Rails 2.3 and 3.0; applications which allow users to directly assign to the serialized fields in their models are at risk of Denial of Service or Remote Code Execution vulnerabilities. This vulnerability has been assigned the CVE identifier CVE-2013-0277.

Versions Affected:  2.3.x, 3.0.x and all earlier versions
Not affected:       3.1.0 and Above
Fixed Versions:     2.3.17

Impact 
------ 
The +serialize+ helper in Active Record allows developers to store various objects serialized to a BLOB column in the database.  The objects are serialized and deserialized using YAML.  If developers allow their users to directly provide values for this attribute, an attacker could use a specially crafted request to cause the application to deserialize arbitrary YAML. 

Vulnerable applications will have models similar to this:

  class Post < ActiveRecord::Base
    serialize :tags
  end

and will allow foreign input to be directly assigned to the serialized column like this:

  post = Post.new
  post.tags = params[:tags]

All users running an affected release should either apply one of the patches or use one of the workarounds immediately. 

Releases 
-------- 
The 2.3.17 release is available in the normal locations.

In accordance with our maintenance policy, there will be no new release of Ruby on Rails 3.0 to address this vulnerability.  The patches included below have been pushed to the relevant branches in git.

Workarounds 
----------- 
To work around this issue, you must ensure that users cannot assign directly to the serialized column.  For example if you have a model Post which serializes an array of tags you should use attr_accessible to prevent attackers from changing these values directly:

  class Post < ActiveRecord::Base
    serialize :tags
    # because :tags isn't included in the accessible list, it will be protected from assignment by attackers.
    attr_accessible :title, :content
  end

Note: There are additional security concerns caused by allowing your users to directly provide values for a serialized attribute like this. You should consider making this change even if you apply the patches.
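Added example (not part of the advisories above or of Rails itself): a plain-Ruby stand-in for the Post model from comment 2 that applies both mitigations at once, an attr_accessible-style whitelist so a request cannot reach the serialized column (the same whitelist-over-blacklist point the CVE-2013-0276 advisory makes), and a restricted YAML loader for the stored column. The Post class, assign_attributes, load_untrusted and the PARAMS request hash are all constructed for the example; Psych's YAML.safe_load is the real API.

```ruby
require "yaml"
# Constructed stand-in for a Rails model declared with `serialize :tags`: a plain
# Ruby class whose tags column is stored as YAML text (no Rails required).
class Post
  ACCESSIBLE = %i[title content].freeze # whitelist, as attr_accessible would declare
  attr_reader :title, :content, :tags_yaml
  def initialize
    @tags_yaml = YAML.dump([])
  end

  # Whitelist mass assignment: only ACCESSIBLE keys are set, everything else is
  # dropped. Returns the dropped keys so the caller can log the attempt.
  def assign_attributes(params)
    dropped = []
    params.each do |key, value|
      if ACCESSIBLE.include?(key.to_sym)
        instance_variable_set("@#{key}", value)
      else
        dropped << key.to_s
      end
    end
    dropped
  end

  # Restricted deserialisation: with no permitted classes only plain scalars,
  # arrays and hashes load; a `!ruby/object` tag raises instead of instantiating.
  def tags
    YAML.safe_load(@tags_yaml, permitted_classes: [], aliases: false)
  end
end

# Loads a YAML document from an untrusted source and reports a rejection
# instead of letting the exception propagate.
def load_untrusted(yaml)
  YAML.safe_load(yaml, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass
  :rejected
end

# Constructed request parameters: legitimate fields plus a tags value that is a
# YAML document carrying a Ruby object tag.
PARAMS = { "title" => "Hello", "content" => "Body",
           "tags" => "--- !ruby/object:Object {}\n" }.freeze

def demo
  post = Post.new
  dropped = post.assign_attributes(PARAMS)
  { title: post.title, dropped: dropped, tags: post.tags }
end
```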
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-24 12:53:41 UTC
(In reply to comment #1)
> rails 2.3.17, 3.1.11, and 3.2.12 have been added to the tree (3.0 is no
> longer supported and now masked for removal).
> 
> To be used as stable list:
> 
> =dev-ruby/rails-2.3.17
> =dev-ruby/activerecord-2.3.17
> =dev-ruby/actionmailer-2.3.17
> =dev-ruby/actionpack-2.3.17
> =dev-ruby/activeresource-2.3.17
> =dev-ruby/activesupport-2.3.17

Thanks, Hans.

Arches, please test and mark stable.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-02-24 12:54:08 UTC
CVE-2013-0277 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0277):
  Active Record in Ruby on Rails 3.x before 3.1.0 and 2.3.x before 2.3.17
  allows remote attackers to cause a denial of service or execute arbitrary
  code via crafted serialized attributes that cause the +serialize+ helper to
  deserialize arbitrary YAML.

CVE-2013-0276 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0276):
  ActiveRecord in Ruby on Rails 3.2.x before 3.2.12, 3.1.x before 3.1.11, and
  2.3.x before 2.3.17 allows remote attackers to bypass the attr_protected
  protection mechanism and modify protected model attributes via a crafted
  request.
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-24 14:46:02 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-02-24 14:50:43 UTC
ppc64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-02-24 17:35:14 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-02-24 17:37:09 UTC
x86 stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:55:34 UTC
Added to existing draft.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-14 20:36:14 UTC
This issue was resolved and addressed in
 GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml
by GLSA coordinator Sean Amoss (ackle).