Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 450974 (CVE-2013-0155) - <dev-ruby/rails-{2.3.15,3.0.19,3.1.10,3.2.11} params parsing vulnerabilities (CVE-2013-{0155,0156})
Summary: <dev-ruby/rails-{2.3.15,3.0.19,3.1.10,3.2.11} params parsing vulnerabilities ...
Alias: CVE-2013-0155
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on: 451034
  Show dependency tree
Reported: 2013-01-09 06:48 UTC by Hans de Graaff
Modified: 2014-12-14 20:35 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev 2013-01-09 06:48:49 UTC
Unsafe Query Generation Risk in Ruby on Rails

There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing. This vulnerability has been assigned the CVE identifier CVE-2013-0155.

Versions Affected:  3.x series
Not affected:       2.x series
Fixed Versions:     3.2.11, 3.1.10, 3.0.19 

Multiple vulnerabilities in parameter parsing in Action Pack

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.

Versions Affected:  ALL versions
Not affected:       NONE
Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15
Comment 1 Hans de Graaff gentoo-dev 2013-01-09 07:52:05 UTC
=dev-ruby/rails-2.3.15 and its dependencies are now in the tree and can be marked stable.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-01-09 08:10:10 UTC
Arches, please test and mark stable:


Target KEYWORDS: "amd64 ppc ppc64 x86"
Comment 3 Hans de Graaff gentoo-dev 2013-01-09 09:19:04 UTC
Rails 3.0.19, 3.1.10, and 3.2.11 are now also in the gentoo tree.
Comment 4 Wim van Ravesteijn 2013-01-09 13:57:38 UTC
Please undelete files/activesupport-2.3.5-mocha-0.9.5.patch from dev-ruby/activesupport, it is still referenced from the 2.3.15 ebuild.

Without this file, dev-ruby/activesupport-2.3.15 does not build (on amd64)
Comment 5 Agostino Sarubbo gentoo-dev 2013-01-09 15:01:20 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-01-09 15:03:11 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-01-09 15:06:16 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-01-09 15:14:17 UTC
ppc64 stable
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2013-01-09 20:08:42 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 10 Hans de Graaff gentoo-dev 2013-01-15 07:33:56 UTC
Contrary to earlier report "Unsafe Query Generation Risk in Ruby on Rails" also affects the 2.3.x series. The upstream advisory has been updated accordingly and issued a patch which has been applied in:

Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-01-16 00:20:46 UTC
CVE-2013-0156 (
  active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15,
  3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not
  properly restrict casts of string values, which allows remote attackers to
  conduct object-injection attacks and execute arbitrary code, or cause a
  denial of service (memory and CPU consumption) involving nested XML entity
  references, by leveraging Action Pack support for (1) YAML type conversion
  or (2) Symbol type conversion.

CVE-2013-0155 (
  Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before
  3.2.11 does not properly consider differences in parameter handling between
  the Active Record component and the JSON implementation, which allows remote
  attackers to bypass intended database-query restrictions and perform NULL
  checks or trigger missing WHERE clauses via a crafted request, as
  demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-14 20:35:58 UTC
This issue was resolved and addressed in
 GLSA 201412-28 at
by GLSA coordinator Sean Amoss (ackle).