Bug 12896 - ruby-activerecord and ruby-actionpack new security issues CVE-2014-0080 and CVE-2014-0081
Summary: ruby-activerecord and ruby-actionpack new security issues CVE-2014-0080 and C...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/590263/
Whiteboard: has_procedure advisory mga4-32-ok mga...
Keywords: validated_update
Depends on:
Blocks: 12044
Reported: 2014-02-27 14:26 CET by David Walser
Modified: 2014-04-24 21:15 CEST (History)

See Also:
Source RPM: ruby-actionpack
CVE:
Status comment:


Description David Walser 2014-02-27 14:26:16 CET
OpenSuSE has issued an advisory on February 26:
http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html

CVE-2014-0080 and CVE-2014-0081 affect Mageia 4 and Cauldron.

CVE-2014-0081 and CVE-2014-0082 affect Mageia 3.

The issues are fixed upstream in 3.2.17 and 4.0.3.

Here is the upstream announcement:
http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/

David Walser 2014-02-27 14:26:57 CET

CC: (none) => fundawang, pterjan
Blocks: (none) => 12044
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Pascal Terjan 2014-02-27 14:30:54 CET
Fixing Mageia 4 is more important than Mageia 3, as the packages (and a lot of the ruby stack) were badly broken in Mageia 3, so no one can be using them.

I started fixing things for Mageia 3 but that's quite intrusive.

On Mageia 4 rails is usable so it is important to quickly update it there.
Comment 2 David Walser 2014-02-27 14:39:38 CET
Thanks Pascal.  I've punted these issues to Bug 12044 for Mageia 3, so we can use this bug for the Mageia 4 update.

Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO

Comment 3 David Walser 2014-03-01 03:34:37 CET
Updating in Cauldron by Funda.

Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)

Comment 4 David Walser 2014-03-11 14:24:06 CET
According to Fedora, CVE-2014-0080 is in activerecord and CVE-2014-0081 is in actionpack:
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129715.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129716.html

Summary: ruby-actionpack new security issues CVE-2014-0080, CVE-2014-0081, CVE-2014-0082 => ruby-activerecord and ruby-actionpack new security issues CVE-2014-0080 and CVE-2014-0081

David Walser 2014-03-11 17:32:35 CET

URL: (none) => http://lwn.net/Vulnerabilities/590263/

Comment 5 Pascal Terjan 2014-04-01 01:28:38 CEST
I have updated all packages, as they require exact versions, but most of them have no other change than the version number.
Installing ruby-rails-4.0.3-1.mga4 will pull all the others.

Changes:

ruby-activerecord:
 Correctly escape PostgreSQL arrays.
ruby-actionpack:
 Escape format, negative_format and units options of number helpers

No change:

ruby-actionmailer
ruby-activemodel
ruby-activesupport
ruby-rails
ruby-railties
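The "Correctly escape PostgreSQL arrays" change above addresses CVE-2014-0080. The bug class is easiest to see with a small model: PostgreSQL array literals look like {"a","b"}, and inside a double-quoted element a backslash escapes the next character, so an encoder that does not escape both '\' and '"' lets a single crafted value close its own element and open another. The following is an added example written for this page, not Active Record's own code; the naive encoder is a hypothetical illustration of the class, and the parser is a minimal reading of the server's one-dimensional literal syntax.

```ruby
# Added example (not Rails code): models the bug class behind CVE-2014-0080.

# Hypothetical naive encoder: wraps each value in quotes without escaping.
def naive_pg_array(values)
  "{" + values.map { |v| "\"#{v}\"" }.join(",") + "}"
end

# Hardened encoder: every '\' and '"' inside an element gets a backslash in
# front of it, so no value can terminate its own quoted element early.
def safe_pg_array(values)
  quoted = values.map do |v|
    escaped = v.to_s.gsub(/[\\"]/) { |c| "\\#{c}" }
    "\"#{escaped}\""
  end
  "{" + quoted.join(",") + "}"
end

# Minimal parser for one-dimensional PostgreSQL array literals: quoted
# elements may contain anything (backslash escapes the next character);
# unquoted elements run to the next comma, and an unquoted NULL is nil.
def parse_pg_array(literal)
  unless literal.start_with?("{") && literal.end_with?("}")
    raise ArgumentError, "not an array literal"
  end
  body = literal[1...-1]
  elements = []
  i = 0
  while i < body.length
    if body[i] == "\""
      i += 1
      buf = String.new
      loop do
        raise ArgumentError, "unterminated quoted element" if i >= body.length
        c = body[i]
        if c == "\\"
          buf << body[i + 1].to_s
          i += 2
        elsif c == "\""
          i += 1
          break
        else
          buf << c
          i += 1
        end
      end
      elements << buf
    else
      j = body.index(",", i) || body.length
      token = body[i...j]
      elements << (token == "NULL" ? nil : token)
      i = j
    end
    raise ArgumentError, "expected separator" unless i >= body.length || body[i] == ","
    i += 1
  end
  elements
end

# Constructed input: one value that carries its own closing quote and separator.
CRAFTED = ["x\",\"y"].freeze

def demo
  {
    naive: parse_pg_array(naive_pg_array(CRAFTED)), # two elements reach the column
    safe: parse_pg_array(safe_pg_array(CRAFTED)),   # the single value round-trips
  }
end

if $PROGRAM_NAME == __FILE__
  puts naive_pg_array(CRAFTED)
  p demo
end
```

Run as a script it prints the two literals side by side; the naive form stores two array elements where the application meant to store one, which is exactly the "data in PostgreSQL array columns that may not be intended" of the advisory. A backslash at the end of a value breaks the naive form in the other direction (the literal becomes unterminated and the write fails), which the parser reports as an ArgumentError.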
Comment 6 David Walser 2014-04-01 02:18:43 CEST
Thanks Pascal!

Advisory:
========================

Updated ruby-activerecord and ruby-actionpack packages fix security
vulnerabilities:

There is a data injection vulnerability in Active Record. Specially crafted
strings can be used to save data in PostgreSQL array columns that may not be
intended (CVE-2014-0080).

There is an XSS vulnerability in the number_to_currency, number_to_percentage
and number_to_human helpers in Ruby on Rails (CVE-2014-0081).

The associated packages have been updated to version 4.0.3 to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129715.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-March/129716.html
http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/
========================

Updated packages in core/updates_testing:
========================
ruby-actionmailer-4.0.3-1.mga4
ruby-actionmailer-doc-4.0.3-1.mga4
ruby-actionpack-4.0.3-1.mga4
ruby-actionpack-doc-4.0.3-1.mga4
ruby-activemodel-4.0.3-1.mga4
ruby-activemodel-doc-4.0.3-1.mga4
ruby-activerecord-4.0.3-1.mga4
ruby-activerecord-doc-4.0.3-1.mga4
ruby-activesupport-4.0.3-1.mga4
ruby-activesupport-doc-4.0.3-1.mga4
ruby-rails-4.0.3-1.mga4
ruby-rails-doc-4.0.3-1.mga4
ruby-railties-4.0.3-1.mga4
ruby-railties-doc-4.0.3-1.mga4

from SRPMS:
ruby-actionmailer-4.0.3-1.mga4.src.rpm
ruby-actionpack-4.0.3-1.mga4.src.rpm
ruby-activemodel-4.0.3-1.mga4.src.rpm
ruby-activerecord-4.0.3-1.mga4.src.rpm
ruby-activesupport-4.0.3-1.mga4.src.rpm
ruby-rails-4.0.3-1.mga4.src.rpm
ruby-railties-4.0.3-1.mga4.src.rpm

Assignee: bugsquad => qa-bugs
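The XSS described for CVE-2014-0081 comes from how the number helpers assemble their output: a template string such as the currency defaults format "%u%n" and negative_format "-%u%n" is interpolated with the unit and the digits, and the result is treated as HTML-safe. When an application lets request data influence :format, :negative_format, :unit or :units, markup in those options lands in the page unescaped; the 4.0.3 change listed above escapes those options. The following is an added model written for this page, not ActionView's code: it reproduces only the currency template logic, uses ERB::Util.html_escape from the Ruby standard library as the escaper, and the function and constant names are this example's own.

```ruby
require "erb"

# Added example (not ActionView code): models CVE-2014-0081 with a cut-down
# currency helper. Delimiters, precision and locales are left out; only the
# template interpolation that the vulnerability hinges on is kept.

DEFAULTS = { format: "%u%n", negative_format: "-%u%n", unit: "$" }.freeze

# Options that flow into the output verbatim and therefore must be escaped
# when the caller treats the result as HTML. :units is the per-size name
# hash used by number_to_human; it is handled here for completeness.
UNSAFE_OPTIONS = %i[format negative_format unit units].freeze

def render_currency(number, format:, negative_format:, unit:)
  template = number < 0 ? negative_format : format
  digits = sprintf("%.2f", number.abs)
  template.gsub("%n", digits).gsub("%u", unit)
end

# Before the fix: options are interpolated as given.
def vulnerable_number_to_currency(number, options = {})
  opts = DEFAULTS.merge(options)
  render_currency(number, format: opts[:format],
                          negative_format: opts[:negative_format],
                          unit: opts[:unit])
end

def escape_option(value)
  case value
  when Hash then value.each_with_object({}) { |(k, v), h| h[k] = escape_option(v) }
  when String then ERB::Util.html_escape(value)
  else value
  end
end

# The fix, as modelled here: escape the unsafe options before they are
# interpolated. The placeholders %u and %n survive escaping unchanged.
def escape_unsafe_options(options)
  options.each_with_object({}) do |(key, value), h|
    h[key] = UNSAFE_OPTIONS.include?(key) ? escape_option(value) : value
  end
end

def fixed_number_to_currency(number, options = {})
  opts = escape_unsafe_options(DEFAULTS.merge(options))
  render_currency(number, format: opts[:format],
                          negative_format: opts[:negative_format],
                          unit: opts[:unit])
end

# Constructed attacker-controlled option, e.g. taken from a query parameter.
PAYLOAD = "<img src=x onerror=alert(1)>%u%n".freeze

if $PROGRAM_NAME == __FILE__
  puts vulnerable_number_to_currency(1234.5, format: PAYLOAD)
  puts fixed_number_to_currency(1234.5, format: PAYLOAD)
end
```

The vulnerable path returns the image tag intact in front of "$1234.50"; the fixed path returns it with < and > turned into entities, so a view that marks the helper's result html_safe no longer carries the payload. A reviewer checking an application for exposure looks for these four options being built from params, not for the number argument, which was never the injection point.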

Comment 7 claire robinson 2014-04-02 17:31:47 CEST
Any ideas for testing these Pascal please?
Comment 8 David Walser 2014-04-02 17:36:21 CEST
That is a good question.  We do have chiliproject, redmine, and mageia-maintainers-database that depend on them, but hopefully there's another way to test rails stuff easily.
Comment 9 Pascal Terjan 2014-04-02 17:46:42 CEST
I had thought about it but not given any indication as I'm not sure :(

The first one will only impact some usages of PostgreSQL.
The second one will only impact stuff using number_to_currency, number_to_percentage or number_to_human.

I can't think of a way to make sure that nothing broke...

I think testing that the update installs cleanly and basic rails usage still works (creating a sample app) is the best we can do.
Comment 10 claire robinson 2014-04-10 17:42:25 CEST
bug 2638 has some details for testing, mainly in the later comments. Using chiliproject/redmine seems to test everything necessary, and there were at the time some testsuites which ran at build time.

Whiteboard: (none) => has_procedure

Comment 11 Shlomi Fish 2014-04-16 17:05:17 CEST
Hi all,

running the instructions from the README.urpmi gives me this error in the "rake generate_session_store":

rake aborted!
Bundler couldn't find some gems. Did you run `bundle install`?
/var/www/chiliproject/config/preinitializer.rb:32:in `rescue in <top (required)>'
/var/www/chiliproject/config/preinitializer.rb:27:in `<top (required)>'
/var/www/chiliproject/config/boot.rb:42:in `load'
/var/www/chiliproject/config/boot.rb:42:in `preinitialize'
/var/www/chiliproject/config/boot.rb:24:in `boot!'
/var/www/chiliproject/config/boot.rb:137:in `<top (required)>'
/var/www/chiliproject/Rakefile:4:in `<top (required)>'
(See full trace by running task with --trace)

Regards,

-- Shlomi Fish

CC: (none) => shlomif

Comment 12 Pascal Terjan 2014-04-16 17:08:59 CEST
(In reply to Shlomi Fish from comment #11)
> Hi all,
> 
> running the instructions from the README.urpmi gives me this error in the
> "rake generate_session_store":
> 
> rake aborted!
> Bundler couldn't find some gems. Did you run `bundle install`?

Then it seems to be missing some dependencies :(
Comment 13 Shlomi Fish 2014-04-16 17:26:22 CEST
(In reply to Shlomi Fish from comment #11)
> Hi all,
> 
> running the instructions from the README.urpmi gives me this error in the
> "rake generate_session_store":
> 
> rake aborted!
> Bundler couldn't find some gems. Did you run `bundle install`?
> /var/www/chiliproject/config/preinitializer.rb:32:in `rescue in <top
> (required)>'
> /var/www/chiliproject/config/preinitializer.rb:27:in `<top (required)>'
> /var/www/chiliproject/config/boot.rb:42:in `load'
> /var/www/chiliproject/config/boot.rb:42:in `preinitialize'
> /var/www/chiliproject/config/boot.rb:24:in `boot!'
> /var/www/chiliproject/config/boot.rb:137:in `<top (required)>'
> /var/www/chiliproject/Rakefile:4:in `<top (required)>'
> (See full trace by running task with --trace)
> 
> Regards,
> 
> -- Shlomi Fish

OK, for redmine, I was able to get the local webserver (on port localhost:3000) to run using the procedure, and browsed the site. However, I was unable to login ("Sign in") as "admin" with password "admin".

Regards,

-- Shlomi Fish
Comment 14 claire robinson 2014-04-23 18:08:21 CEST
Pascal what do you make of Shlomi's findings with redmine please, is it likely to be caused by activerecord?
Comment 15 Pascal Terjan 2014-04-23 18:17:00 CEST
The error is missing the list of missing gems, but I would expect it to be some missing dependencies in the redmine package, unrelated to activerecord.
Comment 16 claire robinson 2014-04-23 18:27:43 CEST
That was chiliproject, he tried redmine too after that (comment 13) but was unable to log in to it.
Comment 17 Pascal Terjan 2014-04-23 18:31:37 CEST
Ah yes sorry, shouldn't reply while working :(
I have never used or installed any of them but will have a look tonight.
Comment 18 Pascal Terjan 2014-04-23 22:43:30 CEST
Tried redmine (without the update):

urpmi redmine
cd /var/www/redmine/
cat >config/database.yml <<EOF
production:
  adapter: sqlite3
  database: db/redmine.sqlite3
EOF
rake generate_secret_token
rake db:migrate RAILS_ENV="production"
ruby script/rails server -e production

And it indeed rejects the admin/admin login.

Looking into the db, there is no such account.

On the redmine website they list an additional step:

RAILS_ENV=production rake redmine:load_default_data

But it is broken:

Select language: ar, az, bg, bs, ca, cs, da, de, el, en, en-GB, es, et, eu, fa, fi, fr, gl, he, hr, hu, id, it, ja, ko, lt, lv, mk, mn, nl, no, pl, pt, pt-BR, ro, ru, sk, sl, sq, sr, sr-YU, sv, th, tr, uk, vi, zh, zh-TW [en] en
====================================
Error: Validation failed: Name can't be blank
Default configuration data was not loaded.
Comment 19 Pascal Terjan 2014-04-23 22:54:19 CEST
It seems it should be created during db:migrate:
db/migrate/001_setup.rb:    user = User.create :login => "admin",
Comment 20 Pascal Terjan 2014-04-24 00:43:56 CEST
Regarding chiliproject it wants liquid but the dependency is missing in the package.
It also wants acts-as-taggable-on and gravatarify that we don't have in the distribution...
Comment 21 claire robinson 2014-04-24 11:07:51 CEST
(In reply to Pascal Terjan from comment #19)
> It seems it should be created during db:migrate:
> db/migrate/001_setup.rb:    user = User.create :login => "admin",

Does this indicate a possible issue with activerecord Pascal or an issue with redmine itself, just trying to judge whether it's OK to validate this one.
Comment 22 Pascal Terjan 2014-04-24 11:46:18 CEST
I am not sure where the problem is; what is sure is that it was already broken before the update and can't be related to it. The update only touches some postgresql code and the problem happens without postgresql being used.
Comment 23 claire robinson 2014-04-24 12:12:36 CEST
Thanks Pascal, I think we can go with this one then.

Shlomi, would you mind creating new bugs for chiliproject and redmine. Also, which arch did you test with previously? We can add an OK for that one.

Thanks
Comment 24 Shlomi Fish 2014-04-24 12:17:29 CEST
(In reply to claire robinson from comment #23)
> Thanks Pascal, I think we can go with this one then.
> 
> Shlomi, would you mind creating new bugs for chiliproject and redmine.

OK, I will.

> Also, which arch did you test with previously? We can add an OK for that one.
> 

I think I tested with Mageia 4 x86-64 (which is the first VM I test with).

Regards,

-- Shlomi Fish
Comment 25 claire robinson 2014-04-24 12:20:16 CEST
Thank you Shlomi. Pascal, we can take your testing into account too if you like; which arch was your testing performed on please?

Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 26 Pascal Terjan 2014-04-24 12:21:31 CEST
Mageia 4 x86-64 too
Comment 27 Shlomi Fish 2014-04-24 12:24:02 CEST
(In reply to Shlomi Fish from comment #24)
> (In reply to claire robinson from comment #23)
> > Thanks Pascal, I think we can go with this one then.
> > 
> > Shlomi, would you mind creating new bugs for chiliproject and redmine.
> 
> OK, I will.

Here:

* https://bugs.mageia.org/show_bug.cgi?id=13260

* https://bugs.mageia.org/show_bug.cgi?id=13259
Comment 28 claire robinson 2014-04-24 12:47:23 CEST
Thanks guys, so we still need a test on mga4 32. I'll do that this afternoon if nobody beats me to it.
Comment 29 claire robinson 2014-04-24 17:38:42 CEST
Tested mga4 32 with redmine as far as http://localhost:3000 and confirmed the login failure.

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-32-ok mga4-64-ok

Comment 30 claire robinson 2014-04-24 18:02:51 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 31 Thomas Backlund 2014-04-24 21:15:03 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0191.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
