Unsafe Query Generation Risk in Ruby on Rails

There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing. This vulnerability has been assigned the CVE identifier CVE-2013-0155.

Versions Affected: 3.x series
Not affected: 2.x series
Fixed Versions: 3.2.11, 3.1.10, 3.0.19

Multiple vulnerabilities in parameter parsing in Action Pack

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.

Versions Affected: ALL versions
Not affected: NONE
Fixed Versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15
=dev-ruby/rails-2.3.15 and its dependencies are now in the tree and can be marked stable.
Arches, please test and mark stable:
=dev-ruby/activesupport-2.3.15
=dev-ruby/activeresource-2.3.15
=dev-ruby/actionpack-2.3.15
=dev-ruby/actionmailer-2.3.15
=dev-ruby/activerecord-2.3.15
=dev-ruby/rails-2.3.15

Target KEYWORDS: "amd64 ppc ppc64 x86"
Rails 3.0.19, 3.1.10, and 3.2.11 are now also in the gentoo tree.
Please undelete files/activesupport-2.3.5-mocha-0.9.5.patch from dev-ruby/activesupport; it is still referenced from the 2.3.15 ebuild. Without this file, dev-ruby/activesupport-2.3.15 does not build (on amd64).
amd64 stable
x86 stable
ppc stable
ppc64 stable
Thanks, everyone. Added to existing GLSA request.
Contrary to the earlier report, "Unsafe Query Generation Risk in Ruby on Rails" also affects the 2.3.x series. The upstream advisory has been updated accordingly and a patch has been issued, which has been applied in: =dev-ruby/activerecord-2.3.15-r1
CVE-2013-0156 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0156):
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

CVE-2013-0155 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0155):
Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
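The CVE-2013-0155 description above turns on one detail: a JSON body can hand Active Record a "[nil]" value that a string-expecting lookup never anticipated, so the condition becomes an IS NULL check. The following is an added example, not code from Rails or from this bug: a toy condition builder that reproduces that translation, a sanitiser modelled on the deep_munge approach the fixed versions took (reconstructed, not the Rails source), and a hypothetical application-side lookup that rejects the munged nil before any SQL is generated.

```ruby
require 'json'

# Toy stand-in for Active Record hash conditions (simplified model, not the
# real implementation): nil becomes IS NULL, arrays become IN (...) plus an
# IS NULL branch when the array itself contains nil.
def build_where(conditions)
  clauses = conditions.map do |col, val|
    case val
    when nil
      "#{col} IS NULL"
    when Array
      present = val.compact
      parts = []
      parts << "#{col} IN (#{present.map(&:inspect).join(', ')})" unless present.empty?
      parts << "#{col} IS NULL" if present.size < val.size
      "(#{parts.join(' OR ')})"
    else
      "#{col} = #{val.inspect}"
    end
  end
  "WHERE #{clauses.join(' AND ')}"
end

# Sanitiser modelled on the deep_munge approach (reconstructed here, not copied
# from Rails): strip nils out of arrays and collapse an array left empty into
# nil, so a JSON [null] reaches application code as a plain nil it can reject.
def deep_munge(hash)
  hash.each do |k, v|
    case v
    when Array
      v.grep(Hash) { |h| deep_munge(h) }
      v.compact!
      hash[k] = nil if v.empty?
    when Hash
      deep_munge(v)
    end
  end
  hash
end

# Hypothetical application lookup: sanitise, then refuse a missing token
# before the condition is built, instead of letting nil become IS NULL.
def token_lookup_sql(raw_params)
  params = deep_munge(raw_params)
  token = params['token']
  raise ArgumentError, 'token required' if token.nil? || token.to_s.empty?
  build_where('token' => token)
end

# Constructed request body showing the unsanitised translation.
puts build_where('token' => JSON.parse('{"token": [null]}')['token']) if __FILE__ == $PROGRAM_NAME
```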
This issue was resolved and addressed in GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml by GLSA coordinator Sean Amoss (ackle).