Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 529635 (CVE-2014-7829) - <dev-ruby/rails-{3.2.21,4.0.12,4.1.8}: Arbitrary file existence disclosure in Action Pack (CVE-2014-{7818,7829})
Summary: <dev-ruby/rails-{3.2.21,4.0.12,4.1.8}: Arbitrary file existence disclosure in...
Status: RESOLVED FIXED
Alias: CVE-2014-7829
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2014/11...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-17 19:14 UTC by Hans de Graaff
Modified: 2015-01-11 01:31 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2014-11-17 19:14:06 UTC 
Arbitrary file existence disclosure in Action Pack

There is an information leak vulnerability in Action Pack. This vulnerability
has been assigned the CVE identifier CVE-2014-7829.

Versions Affected:  >= 3.0.0
Not affected:       < 3.0.0, 4.2.0.beta4
Fixed Versions:     3.2.21, 4.0.12, 4.1.8

Impact
------
Specially crafted requests can be used to determine whether a file exists on
the filesystem that is outside the Rails application's root directory.  The
files will not be served, but attackers can determine whether or not the file
exists.  This vulnerability is very similar to CVE-2014-7818, but the
specially crafted string is slightly different.

This only impacts Rails applications that enable static file serving at
runtime.  For example, the application's production configuration will say:

  config.serve_static_assets = true

All users running an affected configuration should either upgrade or use one of the work arounds immediately.
Comment 1 Hans de Graaff gentoo-dev Security 2014-11-17 20:20:44 UTC 
Rails version 3.2.21, 4.0.12, and 4.1.8 are now in the tree.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-14 20:21:59 UTC 
(In reply to Hans de Graaff from comment #1)
> Rails version 3.2.21, 4.0.12, and 4.1.8 are now in the tree.

Thanks, Hans. Can you please drop the vulnerable versions and then we can call this bug resolved?
Comment 3 Hans de Graaff gentoo-dev Security 2014-12-20 07:32:43 UTC 
Vulnerable versions have now been removed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 01:31:01 UTC 
CVE-2014-7829 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7829):
  Directory traversal vulnerability in
  actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby
  on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and
  4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote
  attackers to determine the existence of files outside the application root
  via vectors involving a \ (backslash) character, a similar issue to
  CVE-2014-7818.

CVE-2014-7818 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7818):
  Directory traversal vulnerability in
  actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby
  on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and
  4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote
  attackers to determine the existence of files outside the application root
  via a /..%2F sequence.