From $URL:

SQL Injection Vulnerability in Ruby on Rails

There is a SQL injection vulnerability in Active Record in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-5664.

Versions Affected: All.
Not affected: NONE.
Fixed Versions: 3.2.10, 3.1.9, 3.0.18

Impact
------

Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Impacted code passes user provided data to a dynamic finder like this:

    Post.find_by_id(params[:id])

Releases
--------

The 3.2.10, 3.1.9 & 3.0.18 releases are available at the normal locations.

Workarounds
-----------

The issue can be mitigated by explicitly converting the parameter to an expected value. For example, change this:

    Post.find_by_id(params[:id])

to this:

    Post.find_by_id(params[:id].to_s)

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series and two unsupported versions. They are in git-am format and consist of a single changeset.

* 3-2-dynamic_finder_injection.patch - Patch for 3.2 series
* 3-1-dynamic_finder_injection.patch - Patch for 3.1 series
* 3-0-dynamic_finder_injection.patch - Patch for 3.0 series
* 2-3-dynamic_finder_injection.patch - Patch for 2.3 series

Please note that only the 3.1.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
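The advisory's workaround is to coerce `params[:id]` to the scalar type the finder expects. The following Ruby is an added example, not code from the advisory or from the Gentoo bug: it models how a Rack-style nested query key arrives as a Hash rather than a String (the key format and the tiny parser are assumptions standing in for Rack), then shows the advisory's `.to_s` coercion beside a stricter integer-only check.

```ruby
# Added example (not from the Rails advisory or the Gentoo bug): normalise a
# request parameter to the scalar a dynamic finder expects before calling it.
require 'cgi'

module FinderParam
  # Rack-style nested keys such as "id[key]=value" reach the application as a
  # Hash, not a String. This minimal parser models only that behaviour so the
  # demo runs without Rack; the key format is an assumption for the example.
  def self.parse_query(query)
    params = {}
    CGI.parse(query).each do |key, values|
      value = values.last
      if (m = key.match(/\A(\w+)\[(\w*)\]\z/))
        nested = params[m[1]].is_a?(Hash) ? params[m[1]] : {}
        params[m[1]] = nested.merge(m[2] => value)
      else
        params[key] = value
      end
    end
    params
  end

  # The advisory's workaround: stringify before the finder call. A Hash or
  # Array becomes a harmless literal string instead of being read as options.
  def self.as_string(value)
    value.to_s
  end

  # Stricter variant: accept only a non-negative decimal integer id and return
  # nil for anything else (Hash, Array, nil, non-numeric strings).
  def self.as_integer_id(value)
    return nil unless value.is_a?(String) || value.is_a?(Integer)
    str = value.to_s
    return nil unless str.match?(/\A\d+\z/)
    Integer(str, 10)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample query strings: a normal id and a nested (non-scalar) one.
  ["id=42", "id[extra]=x"].each do |q|
    id = FinderParam.parse_query(q)["id"]
    puts "#{q.ljust(14)} -> #{id.inspect.ljust(16)} " \
         "to_s=#{FinderParam.as_string(id).inspect} " \
         "integer=#{FinderParam.as_integer_id(id).inspect}"
  end
end
```

The stricter variant returns nil for the nested case, which lets the controller respond with a 404 or 400 instead of handing the finder anything but a plain id.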
Graaff said that this bug is invalid on gentoo
(In reply to comment #1)
> Graaff said that this bug is invalid on gentoo

No, I said that the bug you mentioned earlier was invalid on Gentoo, and we couldn't have done anything with that particular bug. This bug, however, contains actual fixes for a problem that was only a part of the original bug report, and we can fix those in Gentoo.
http://weblog.rubyonrails.org/2013/1/2/Rails-3-2-10--3-1-9--and-3-0-18-have-been-released/
dev-ruby/activerecord-2.3.14-r1 is now in the tree with this fix and it can be marked stable.
Rails 3.0.18, 3.1.9, and 3.2.10 are now also in the tree. These are all still marked 'testing', so no further security action needed for those versions.
CVE-2012-5664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5664): SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows remote attackers to execute arbitrary SQL commands via a crafted parameter in conjunction with a secret_token value, related to certain behavior of find_by_id and other find_by_ methods.
(In reply to comment #6)
> CVE-2012-5664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5664):
> SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows

This is wrong. This bug has nothing to do with the Authlogic gem, but it is a generic rails framework issue, and all Rails applications that use dynamic finders are affected.
(In reply to comment #7)
> (In reply to comment #6)
> > CVE-2012-5664 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5664):
> > SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows
>
> This is wrong. This bug has nothing to do with the Authlogic gem, but it is
> a generic rails framework issue, and all Rails applications that use dynamic
> finders are affected.

Yes, the CVE description is poorly worded as one person mentioned today on oss-security ML: http://www.openwall.com/lists/oss-security/2013/01/03/5

(In reply to comment #4)
> dev-ruby/activerecord-2.3.14-r1 is now in the tree with this fix and it can
> be marked stable.

Arches, please test it and mark stable.
ppc stable
ppc64 stable
amd64 stable
x86 stable
CVE-2012-5664 will likely be rejected [1]. CVE-2012-6496 has been assigned for this issue:

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

[1] http://www.openwall.com/lists/oss-security/2013/01/03/12

GLSA vote: yes.
GLSA request filed (I filed it earlier, guess I forgot to hit enter on my vote)
This issue was resolved and addressed in GLSA 201401-22 at http://security.gentoo.org/glsa/glsa-201401-22.xml by GLSA coordinator Chris Reffett (creffett).