Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 428254 (CVE-2012-3424) - <dev-ruby/rails-{3.0.16,} DoS Vulnerability (CVE-2012-3424)
Summary: <dev-ruby/rails-{3.0.16,} DoS Vulnerability (CVE-2012-3424)
Alias: CVE-2012-3424
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Depends on:
Reported: 2012-07-27 05:13 UTC by Hans de Graaff
Modified: 2012-08-08 20:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2012-07-27 05:13:09 UTC
DoS Vulnerability in authenticate_or_request_with_http_digest

There is a DoS vulnerability in Action Pack digest authentication handling in Rails.
This vulnerability has been assigned the CVE identifier CVE-2012-3424.

Versions Affected:  3.x.
Not affected:       2.3.5 - 2.3.14
Fixed Versions:     3.0.16, 3.1.7, 3.2.7


All users using Digest Authentication support in Rails should upgrade
immediately.  Impacted code uses any of the `with_http_digest` controller
helper methods.  For example:

    class MyController < ApplicationController
      def index
        authenticate_or_request_with_http_digest(REALM) do |uname|
          # ...

The 3.0.16, 3.1.7 & 3.2.7 releases are available at the normal locations.

There are no feasible workarounds for this issue.
Comment 1 Hans de Graaff gentoo-dev Security 2012-07-27 06:21:52 UTC
Rails 3.2.7 is in the tree. I hope to get to the older slots during the weekend.
Comment 2 Hans de Graaff gentoo-dev Security 2012-07-28 07:41:20 UTC
Rails 3.1.7 is now also in the tree.
Comment 3 Hans de Graaff gentoo-dev Security 2012-07-28 08:21:25 UTC
Rails 3.0.16 now also in the tree.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-28 11:50:52 UTC
Thanks, Hans! Please also punt the vulnerable versions.

Closing noglsa for ~arch only issue.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-08-08 20:18:48 UTC
CVE-2012-3424 (
  The decode_credentials method in
  actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on
  Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts
  Digest Authentication strings to symbols, which allows remote attackers to
  cause a denial of service by leveraging access to an application that uses a
  with_http_digest helper method, as demonstrated by the
  authenticate_or_request_with_http_digest method.