Bug 520212 (CVE-2014-3514) - <dev-ruby/rails-{4.0.8, 4.1.5}: Security Permission Bypass Vulnerability (CVE-2014-3514)
Summary: <dev-ruby/rails-{4.0.8, 4.1.5}: Security Permission Bypass Vulnerability (CVE...
Status: RESOLVED FIXED
Alias: CVE-2014-3514
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2014/8/...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-08-18 21:25 UTC by Hans de Graaff
Modified: 2014-08-25 05:09 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Hans de Graaff gentoo-dev Security 2014-08-18 21:25:22 UTC
There is a vulnerability in the create_with method in Active Record. This vulnerability has been assigned the CVE identifier CVE-2014-3514.

Versions Affected:  4.0.0 and All Later Versions.
Not affected:       Versions earlier than 4.0.0
Fixed Versions:     4.0.9 4.1.5

Impact
------
The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameters protection.  Applications which pass user-controlled values to create_with could allow attackers to set arbitrary attributes on models.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The 4.0.9 and 4.1.5 releases are available at the normal locations.

Workarounds
-----------
To avoid this vulnerability you will have to either remove all calls to create_with, or carefully audit your codebase to ensure it sanitizes the input first.  For example you should replace code like this:

  user.blog_posts.create_with(params[:blog_post]).create

with either:

  user.blog_posts.create(params[:blog_post])

or:

  user.blog_posts.create_with(params[:blog_post].permit(:title, :body, :etc)).create
Comment 1 Hans de Graaff gentoo-dev Security 2014-08-18 22:20:25 UTC
Rails 4.0.9 and 4.1.5 are now available in the tree.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-08-19 01:22:30 UTC
Are you ready to stabilize now, or do you need some time for testing?
Comment 3 Agostino Sarubbo gentoo-dev 2014-08-19 06:04:22 UTC
(In reply to Yury German from comment #2)
> Are you ready to stabilize now, or do you need some time for testing?

No stable version(s). We don't need to stabilize.
Comment 4 Hans de Graaff gentoo-dev Security 2014-08-23 07:09:19 UTC
Cleanup done.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-08-25 05:08:39 UTC
CVE-2014-3514 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3514):
  activerecord/lib/active_record/relation/query_methods.rb in Active Record in
  Ruby on Rails 4.0.x before 4.0.9 and 4.1.x before 4.1.5 allows remote
  attackers to bypass the strong parameters protection mechanism via crafted
  input to an application that makes create_with calls.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 05:09:56 UTC
Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.