Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 453844 (CVE-2013-0333) - <dev-ruby/rails-{2.3.16,3.0.20}: JSON parsing ACE (CVE-2013-0333)
Summary: <dev-ruby/rails-{2.3.16,3.0.20}: JSON parsing ACE (CVE-2013-0333)
Status: RESOLVED FIXED
Alias: CVE-2013-0333
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-24 15:12 UTC by Alex Legler (RETIRED)
Modified: 2014-12-14 20:36 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2013-01-24 15:12:36 UTC
Michael Koziarski informed us about this issue via linux-distros:

There is a vulnerability in the JSON  code for Ruby on Rails which
allows attackers to bypass authentication systems, inject arbitrary SQL,
inject and execute arbitrary code, or perform a DoS attack on a Rails
application. This vulnerability has been assigned the CVE identifier
CVE-2013-0333.

Versions Affected:  2.3.x, 3.0.x
Not Affected:       3.1.x, 3.2.x
Fixed Versions:     3.0.20, 2.3.16

Impact
------
The JSON Parsing code in Rails 2.3 and 3.0 support multiple parsing
backends.  One of the backends involves transforming the JSON into YAML,
and passing that through the YAML parser.  Using a specially crafted
payload attackers can trick the backend into decoding a subset of YAML.

Note: This is a seperate vulnerability to CVE-2013-0156, if you are
running a 2.3 or 3.0 application you must still take action to protect
your application.

Releases
--------
The 3.0.20 and 2.3.16 releases are available at the normal locations.

Workarounds
-----------
To work around this vulnerability you need to switch backends to the
JsonGem backend.  Place this code in an application initializer:

  ActiveSupport::JSON.backend = "JSONGem"

If you are running Ruby 1.8 you will need to ensure that the json or
json_pure gems are installed and in your application's Gemfile.  Ruby
1.9 includes this code already.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-01-24 15:15:41 UTC
Hans, do we wait for official packages to appear or do we patch and try to squeeze arches in in the remaining 4 days? The patch seems to be restricted to activesupport.
Comment 2 Hans de Graaff gentoo-dev Security 2013-01-28 21:41:22 UTC
dev-ruby/rails:2.3 and dependencies are now in the tree, so these can be marked stable.
Comment 3 Hans de Graaff gentoo-dev Security 2013-01-28 22:25:33 UTC
Rails 3.0 is now also in the tree.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-31 13:39:08 UTC
Opening this up as it is now public. 

Arches, please test and mark stable:

=dev-ruby/activesupport-2.3.16
=dev-ruby/activeresource-2.3.16
=dev-ruby/actionpack-2.3.16
=dev-ruby/actionmailer-2.3.16
=dev-ruby/activerecord-2.3.16
=dev-ruby/rails-2.3.16

Target KEYWORDS: "amd64 ppc ppc64 x86"
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-01-31 13:39:23 UTC
CVE-2013-0333 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0333):
  lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before
  2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML
  data for processing by a YAML parser, which allows remote attackers to
  execute arbitrary code, conduct SQL injection attacks, or bypass
  authentication via crafted data that triggers unsafe decoding, a different
  vulnerability than CVE-2013-0156.
Comment 6 Agostino Sarubbo gentoo-dev 2013-01-31 17:44:08 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-01-31 17:45:21 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-01-31 17:46:32 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-01-31 17:47:43 UTC
ppc64 stable
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-31 18:50:09 UTC
Added on existing GLSA draft.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-12-14 20:36:06 UTC
This issue was resolved and addressed in
 GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml
by GLSA coordinator Sean Amoss (ackle).