Bug 6487 - ruby-rails and associated gem packages contain security issues
Summary: ruby-rails and associated gem packages contain security issues
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal / Severity: critical
Target Milestone: ---
Assignee: Funda Wang
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on: 9048 9050 9065 9227
Blocks:

Reported: 2012-06-17 02:13 CEST by David Walser
Modified: 2013-11-22 15:52 CET
CC: 6 users

See Also:
Source RPM: ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport
CVE:
Status comment:

Attachments:
Description David Walser 2012-06-17 02:13:30 CEST
I don't know much about the ruby packages or gems, but I recently realized our package naming is different from Fedora's, so I had been ignoring advisories for packages that we actually do have. I went back and found the ones I had overlooked. Our SRPM names for these packages are in the RPM field for this bug.

Here are the missed advisories:
http://lwn.net/Vulnerabilities/495491/
http://lwn.net/Vulnerabilities/475787/
http://lwn.net/Vulnerabilities/487174/
http://lwn.net/Vulnerabilities/502246/
http://lwn.net/Vulnerabilities/502245/
Comment 1 David Walser 2012-06-17 02:14:29 CEST
Also, we do have one package using Fedora's naming scheme, which doesn't match ours: rubygem-passenger.  That one should probably be renamed to ruby-passenger to fit with the rest of ours.

CC: (none) => shikamaru

David Walser 2012-06-17 02:14:42 CEST

CC: (none) => shlomif

David Walser 2012-06-17 02:14:52 CEST

CC: (none) => johnny

David Walser 2012-06-17 20:24:27 CEST

Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 2 David Walser 2012-06-18 17:40:56 CEST
ruby-rails is also affected by new security issues.  There are updated versions of rails 3.x with fixes [1], but I don't see any updates to 2.3.x available.  According to secunia, 2.3.x is vulnerable [2].

[1] - http://weblog.rubyonrails.org/
[2] - http://secunia.com/advisories/49457/

Source RPM: ruby-RubyGems, ruby-rack, ruby-actionpack, ruby-activerecord => ruby-RubyGems, ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails

Comment 4 David Walser 2012-07-30 23:56:47 CEST
Some more from earlier this year:
http://lwn.net/Vulnerabilities/477430/
http://lwn.net/Vulnerabilities/475787/
Comment 5 Shlomi Fish 2012-08-06 20:02:00 CEST
Hi David,

sorry for the very late response: I am reluctant to update the Ruby Gem packages in Mageia 2, because it was very time-consuming to do that for Mageia Linux Cauldron and involved chasing a lot of dependencies. I don't want to go through this dependency hell again.

So I don't know what to do about these packages.

Regards,

-- Shlomi Fish
Comment 6 David Walser 2012-08-06 20:12:52 CEST
Hopefully there are patches for some of these things which will avoid chasing dependencies.  There's a lot of packages involved so it will take some time.

I'm going to put out another general call for help with security issues soon, but if nobody else wants to help, there's only so much we can do.
Comment 7 David Walser 2012-08-10 19:46:23 CEST
New one today for ruby-actionpack:
http://lwn.net/Vulnerabilities/510679/
Comment 8 David Walser 2012-08-14 21:54:03 CEST
Older ones for actionpack and activesupport:
http://lwn.net/Vulnerabilities/457934/
http://lwn.net/Vulnerabilities/457933/
Comment 9 David Walser 2012-08-14 21:57:21 CEST
More older ones for actionpack and activesupport:
http://lwn.net/Vulnerabilities/431840/
http://lwn.net/Vulnerabilities/449902/
http://lwn.net/Vulnerabilities/366096/
Comment 10 David Walser 2012-08-14 21:57:54 CEST
Older one for ruby-rails:
http://lwn.net/Vulnerabilities/457759/
Comment 11 David Walser 2012-08-23 22:41:47 CEST
New one today for rubygem-actionpack:
http://lwn.net/Vulnerabilities/513190/
David Walser 2012-09-08 06:56:42 CEST

CC: (none) => fundawang

David Walser 2012-10-10 00:46:29 CEST

CC: (none) => oe

Comment 12 Rémy CLOUARD (shikamaru) 2012-12-07 22:33:26 CET
ok, I will have a look, thanks a ton for the report

Assignee: bugsquad => shikamaru

Rémy CLOUARD (shikamaru) 2012-12-07 22:33:37 CET

Status: NEW => ASSIGNED

Comment 13 David Walser 2013-01-07 21:14:59 CET
New one today for ruby-rails:
http://lwn.net/Vulnerabilities/531753/
David Walser 2013-01-10 03:51:20 CET

Source RPM: ruby-RubyGems, ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails => ruby-RubyGems, ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport

Comment 14 David Walser 2013-01-10 06:05:53 CET
CVE-2012-5664 for ruby-activerecord is fixed in Cauldron by Funda.
Comment 15 David Walser 2013-01-10 17:23:42 CET
Another new one for ruby-rails from upstream:
https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

Sounds pretty serious, according to this article:
http://arstechnica.com/security/2013/01/extremely-crtical-ruby-on-rails-bug-threatens-more-than-200000-sites/

We need to update to 2.3.15 in Mageia 2 and 3.2.11 in Cauldron.
Comment 16 David Walser 2013-01-10 18:30:50 CET
LWN reference for new rails vulnerability (since Debian issued an advisory):
http://lwn.net/Vulnerabilities/532292/
Comment 17 David Walser 2013-01-15 22:24:10 CET
New one today for ruby-activerecord:
http://lwn.net/Vulnerabilities/532670/
Comment 18 David Walser 2013-01-17 23:16:27 CET
New one today for ruby-rails or ruby-activerecord (not sure):
http://lwn.net/Vulnerabilities/533067/
Comment 19 David Walser 2013-01-29 01:04:57 CET
New one today for ruby-rack:
http://lwn.net/Vulnerabilities/534632/
Comment 20 David Walser 2013-01-29 20:58:35 CET
New one today for ruby-activesupport:
http://lwn.net/Vulnerabilities/534956/
David Walser 2013-02-12 19:28:03 CET

Depends on: (none) => 9050

Comment 21 David Walser 2013-02-12 19:47:53 CET
ruby-rack now has Bug 9050.

ruby-actionpack-2.3.15-1.mga2 and ruby-activesupport-2.3.15-1.mga2 are in updates_testing (from Funda), but no bug has been filed to send them to QA.

Nothing has been done for ruby-RubyGems, ruby-rails, or ruby-activerecord that I'm aware of.
Comment 22 David Walser 2013-02-13 15:53:58 CET
I think Funda has fixed all of these now except for ruby-RubyGems, which had CVEs in the original report here:
http://lwn.net/Vulnerabilities/495491/

That has these CVEs:
CVE-2012-2125 CVE-2012-2126

which are fixed upstream in 1.8.23, so Cauldron is OK.

Fedora has a patch for 1.7.2 (which we have in Mageia 2) here:
http://pkgs.fedoraproject.org/cgit/rubygems.git/plain/rubygems-1.x.x-ssl-connection-don_t-revert.patch?h=f15&id=47407a7661abf4a8d632fbc5150a7e65d9ef69a6
Comment 23 David Walser 2013-02-13 15:57:57 CET
Funda has also built updates for these in Mageia 2, but I don't know why:
ruby-json
ruby-activeresource
ruby-actionmailer

as they are not listed in this bug.  Hopefully Funda can tell us why those were updated so that we can have an advisory for them and send them to QA.
Comment 24 David Walser 2013-02-13 16:59:03 CET
Setting version to 2 as these should be fixed in Cauldron now.

Removing Mageia 1 from the whiteboard due to EOL.

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => (none)

David Walser 2013-02-13 17:13:15 CET

Depends on: (none) => 9065

Comment 25 David Walser 2013-02-13 17:15:10 CET
Bug 9065 filed for ruby-RubyGems.  Removing that from the RPM Package list for this bug.

ruby-json has nothing to do with the issues in this bug, so Funda will need to file a new bug for that one to push it to QA.

All of the other packages have been upgraded to version 2.3.17, so we can use this bug for those.

Source RPM: ruby-RubyGems, ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport => ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport

Comment 26 David Walser 2013-02-13 17:17:56 CET
Removing ruby-rack from the RPM Package list too as that's in Bug 9050.

Source RPM: ruby-rack, ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport => ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport

Comment 27 David Walser 2013-02-13 18:58:03 CET
For http://lwn.net/Vulnerabilities/487174/, it looks like:
- CVE-2012-1098: 2.3.x not vulnerable, only 3.x is
- CVE-2012-1099: Fixed upstream in 2.3.14, which we already have in Mageia 2.

For http://lwn.net/Vulnerabilities/502246/, we have:
- CVE-2012-2660: vulnerable, fixed after 2.3.14

For http://lwn.net/Vulnerabilities/502245/, we have:
- CVE-2012-2661: Not clear if it was fixed before or after 2.3.14

For http://lwn.net/Vulnerabilities/477430/, we have:
- CVE-2011-4319: appears to only affect 3.x

For http://lwn.net/Vulnerabilities/513190/, we have:
- CVE-2012-3463: 2.3.x not vulnerable, only 3.x is
- CVE-2012-3464: vulnerable, fixed after 2.3.14
- CVE-2012-3465: vulnerable, fixed after 2.3.14

For http://lwn.net/Vulnerabilities/431840/, we have:
- CVE-2011-0446,CVE-2011-0447: not vulnerable, fixed in 2.3.11

For http://lwn.net/Vulnerabilities/449902/, we have:
- CVE-2011-2197: not vulnerable, fixed in 2.3.12

For http://lwn.net/Vulnerabilities/366096/, we have:
- CVE-2009-4214: not vulnerable, fixed in 2.3.5

For http://lwn.net/Vulnerabilities/510679/, we have:
- CVE-2012-3424: 2.3.x not vulnerable, only 3.x is

For http://lwn.net/Vulnerabilities/457934/, we have:
- CVE-2011-2932: not vulnerable, fixed in 2.3.13

For http://lwn.net/Vulnerabilities/457933/, we have:
- CVE-2011-2929: 2.3.x not vulnerable, only 3.x is

For http://lwn.net/Vulnerabilities/457759/, we have:
- CVE-2011-2930,CVE-2011-2931,CVE-2011-3186: not vulnerable, fixed in 2.3.13

For http://lwn.net/Vulnerabilities/531753/, we have:
- CVE-2012-5664: vulnerable, fixed after 2.3.14 (now CVE-2012-649[67])

For http://lwn.net/Vulnerabilities/532670/, we have:
- CVE-2012-6496: part of CVE-2012-5664 above

For http://lwn.net/Vulnerabilities/533067/, we have:
- CVE-2013-0155: 2.3.x not vulnerable, only 3.x is
(Debian did fix this in 2.3.5, but needed no action for 2.3.14)

For http://lwn.net/Vulnerabilities/532292/, we have:
- CVE-2013-0156: vulnerable, fixed in 2.3.15

For http://lwn.net/Vulnerabilities/534956/, we have:
- CVE-2013-0333: vulnerable, fixed in 2.3.16
Comment 28 David Walser 2013-02-13 18:58:59 CET
New one today for ruby-rails:
http://lwn.net/Vulnerabilities/537752/

This brings us:
- CVE-2013-0276 CVE-2013-0277: vulnerable, fixed in 2.3.17
Comment 29 David Walser 2013-02-13 19:12:09 CET
Advisory references.

CVE-2012-2660,CVE-2012-2694,CVE-2012-2695 (can't find an LWN reference for 269x)
http://lists.opensuse.org/opensuse-updates/2012-08/msg00020.html

CVE-2012-2661 (?)
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html

CVE-2012-2695,CVE-2012-5664,CVE-2013-0155,CVE-2013-0156,CVE-2013-0333
http://lists.opensuse.org/opensuse-updates/2013-02/msg00032.html
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/

CVE-2012-3464 CVE-2012-3465
http://lists.opensuse.org/opensuse-updates/2012-09/msg00083.html

CVE-2012-5664 = CVE-2012-6496,CVE-2012-6497
http://www.debian.org/security/2013/dsa-2597
http://weblog.rubyonrails.org/2013/1/2/Rails-3-2-10--3-1-9--and-3-0-18-have-been-released/

CVE-2013-0276,CVE-2013-0277
http://www.debian.org/security/2013/dsa-2620
http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/

That last upstream advisory also mentions CVE-2013-0269 for ruby-json, so we can include that with the rest of these.

Source RPM: ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport => ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport, ruby-json

Comment 30 David Walser 2013-02-13 19:13:05 CET
Never mind, Funda has filed Bug 9048 for ruby-json.

Depends on: (none) => 9048
Source RPM: ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport, ruby-json => ruby-actionpack, ruby-activerecord, ruby-rails, ruby-activesupport

Comment 31 David Walser 2013-02-13 20:08:37 CET
Assigning to QA.

Advisory:
========================

Updated ruby-rails packages fix security vulnerabilities:

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails does not
properly consider differences in parameter handling between the Active Record
component and the Rack interface, which allows remote attackers to bypass
intended database-query restrictions and perform NULL checks via a crafted
request, as demonstrated by certain "[nil]" values (CVE-2012-2660).

The Active Record component in Ruby on Rails does not properly implement the
passing of request data to a where method in an ActiveRecord class, which
allows remote attackers to conduct certain SQL injection attacks via nested
query parameters that leverage unintended recursion (CVE-2012-2661).

Cross-site scripting (XSS) vulnerability in
activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on
Rails might allow remote attackers to inject arbitrary web script or HTML via
vectors involving a ' (quote) character (CVE-2012-3464).

Cross-site scripting (XSS) vulnerability in
actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags
helper in Ruby on Rails allows remote attackers to inject arbitrary web
script or HTML via malformed HTML markup (CVE-2012-3465).

SQL injection vulnerability in the Active Record component in Ruby on Rails
allows remote attackers to execute arbitrary SQL commands via a crafted
request that leverages incorrect behavior of dynamic finders in applications
that can use unexpected data types in certain find_by_ method calls
(CVE-2012-6496).

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15
does not properly restrict casts of string values, which allows remote
attackers to conduct object-injection attacks and execute arbitrary code, or
cause a denial of service (memory and CPU consumption) involving nested XML
entity references, by leveraging Action Pack support for (1) YAML type
conversion or (2) Symbol type conversion (CVE-2013-0156).

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16
does not properly convert JSON data to YAML data for processing by a YAML
parser, which allows remote attackers to execute arbitrary code, conduct SQL
injection attacks, or bypass authentication via crafted data that triggers
unsafe decoding (CVE-2013-0333).

ActiveRecord in Ruby on Rails 2.3.x before 2.3.17 allows remote attackers to
bypass the attr_protected protection mechanism and modify protected model
attributes via a crafted request (CVE-2013-0276).

Active Record in Ruby on Rails 2.3.x before 2.3.17 allows remote attackers to
cause a denial of service or execute arbitrary code via crafted serialized
attributes that cause the +serialize+ helper to deserialize arbitrary YAML
(CVE-2013-0277).

The ruby-rails, ruby-actionmailer, ruby-actionpack, ruby-activerecord,
ruby-activeresource, and ruby-activesupport packages have been upgraded to
version 2.3.17 to fix these issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6496
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277
http://weblog.rubyonrails.org/2013/1/2/Rails-3-2-10--3-1-9--and-3-0-18-have-been-released/
http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/
http://lists.opensuse.org/opensuse-updates/2012-08/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00032.html
http://lists.opensuse.org/opensuse-updates/2012-09/msg00083.html
http://www.debian.org/security/2013/dsa-2597
http://www.debian.org/security/2013/dsa-2620
========================

Updated packages in core/updates_testing:
========================
ruby-actionmailer-2.3.17-1.mga2
ruby-actionmailer-doc-2.3.17-1.mga2
ruby-actionpack-2.3.17-1.mga2
ruby-actionpack-doc-2.3.17-1.mga2
ruby-activerecord-2.3.17-1.mga2
ruby-activerecord-doc-2.3.17-1.mga2
ruby-activeresource-2.3.17-1.mga2
ruby-activeresource-doc-2.3.17-1.mga2
ruby-activesupport-2.3.17-1.mga2
ruby-activesupport-doc-2.3.17-1.mga2
ruby-rails-2.3.17-1.mga2
ruby-rails-devel-2.3.17-1.mga2
ruby-rails-doc-2.3.17-1.mga2

from SRPMS:
ruby-actionmailer-2.3.17-1.mga2.src.rpm
ruby-actionpack-2.3.17-1.mga2.src.rpm
ruby-activerecord-2.3.17-1.mga2.src.rpm
ruby-activeresource-2.3.17-1.mga2.src.rpm
ruby-activesupport-2.3.17-1.mga2.src.rpm
ruby-rails-2.3.17-1.mga2.src.rpm

Assignee: shikamaru => qa-bugs
Severity: normal => critical
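
The CVE-2013-0156 paragraph in the advisory above describes YAML and Symbol type conversion of XML request parameters. As an added illustration that is not Mageia's or Rails' code, this constructed Ruby model of the 2.3 XML type-cast table shows the vulnerable mapping beside the hardened one; the 2.3.15 fix and upstream's 2.3 workaround remove the same two entries. `AuditMarker`, `VULNERABLE_PARSING`, `SAFE_PARSING` and the `[raw, type]` parameter shape are assumptions of this example.

```ruby
require 'yaml'
require 'date'

# Constructed model (not Rails' or Mageia's code) of the type-cast table Rails 2.3
# applied to typed XML request parameters such as <id type="integer">7</id>.
# Before 2.3.15 the real table (XML_PARSING in ActiveSupport's Hash conversions)
# also mapped type="yaml" to YAML.load and type="symbol" to String#to_sym, so a
# request body could instantiate arbitrary Ruby objects or exhaust the symbol
# table (CVE-2013-0156). The fix and upstream's 2.3 workaround,
#   XML_PARSING.delete('symbol'); XML_PARSING.delete('yaml')
# remove exactly those two entries, which SAFE_PARSING reproduces below.

# Harmless stand-in for "a class request data must never be able to build".
class AuditMarker
  attr_reader :note
end

# Pre-2.3.15 behaviour: every entry is reachable from attacker-controlled XML.
VULNERABLE_PARSING = {
  'integer'  => ->(v) { Integer(v, 10) },
  'float'    => ->(v) { Float(v) },
  'boolean'  => ->(v) { %w[1 true].include?(v.strip) },
  'datetime' => ->(v) { DateTime.parse(v) },
  'symbol'   => ->(v) { v.to_sym },                      # unbounded symbol creation
  'yaml'     => lambda { |v|                             # full object deserialization
    YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(v) : YAML.load(v)
  },
}.freeze

# Hardened table: only primitive casts survive; 'yaml' and 'symbol' are gone.
SAFE_PARSING = VULNERABLE_PARSING.reject { |type, _| %w[yaml symbol].include?(type) }.freeze

# Cast one leaf. An unknown type falls through as the raw string, which is
# also how Rails treats a type attribute it has no caster for.
def typecast(raw, type, table)
  caster = table[type]
  caster ? caster.call(raw) : raw
end

# params: { name => [raw_string, type] } with nested hashes for nested elements.
def cast_params(params, table)
  params.each_with_object({}) do |(name, node), out|
    out[name] = node.is_a?(Hash) ? cast_params(node, table) : typecast(*node, table)
  end
end

if __FILE__ == $PROGRAM_NAME
  body = { 'user' => { 'id' => ['7', 'integer'], 'admin' => ['true', 'boolean'],
                       'meta' => ["--- !ruby/object:AuditMarker\nnote: hi\n", 'yaml'] } }
  p cast_params(body, VULNERABLE_PARSING)['user']['meta'].class  # AuditMarker
  p cast_params(body, SAFE_PARSING)['user']['meta'].class        # String
end
```

With the hardened table the same request body is cast to plain strings for the two removed types, so the only remaining casts are to primitives.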

David Walser 2013-02-13 20:09:47 CET

Summary: ruby gem packages possibly contain security issues => ruby-rails and associated gem packages contain security issues

Comment 32 claire robinson 2013-02-15 11:00:17 CET
Does chiliproject need updating too?

See https://bugs.mageia.org/show_bug.cgi?id=2638#c24
Comment 33 claire robinson 2013-02-15 11:33:54 CET
$ urpmq --whatrequires ruby-rails | sort -u
chiliproject
mageia-maintainers-database
redmine
rubygem-passenger
ruby-rails
ruby-rails-devel
ruby-rails-doc
teambox


Confirmed chiliproject, redmine and mageia-maintainers-database have strict versioned requires on at least rails==2.3.14 so will also probably need a rebuild.
claire robinson 2013-02-15 11:34:09 CET

Whiteboard: (none) => feedback

Comment 34 Funda Wang 2013-02-15 19:15:21 CET
Ping shikamaru as he/she is the maintainer of chiliproject.
Comment 35 claire robinson 2013-02-16 15:24:07 CET
Remy, could you please see the previous comments.

Thanks
Comment 36 Funda Wang 2013-02-17 08:47:40 CET
The problem is, chiliproject and redmine do not build in cauldron :( So if we push updates to 2, then it will be impossible to upgrade 2 -> 3.
Comment 37 claire robinson 2013-02-17 09:45:14 CET
Can the ruby packages be patched for the CVEs so they keep the same version? That would prevent the version bump which is causing the problem at the moment.
David Walser 2013-03-01 16:56:57 CET

Depends on: (none) => 9227

Comment 38 Rémy CLOUARD (shikamaru) 2013-03-18 23:07:19 CET
Hello,

Chiliproject can be dropped, as well as teambox and rubygem-passenger.

For Redmine I remember seeing a rails 3 branch but it might be experimental.

In general, I have difficulties in packaging rails 3 apps due to the use of bundler, I don't know how to handle Gemfile and Gemfile.lock files. I tried to fix it when chiliproject got updated but it's still in a broken state from the day it was updated to 2.0.
Rubygem-passenger does not respect our policy, and upstream uses its own patched libboost. It shouldn't have been imported in the first place.
Teambox should be dropped because it's not open-source anymore. v4 isn't available, v3 should work with rails3 but I'm not sure it is still maintained;
see http://help.teambox.com/forums/86927-ideas-and-suggestions/suggestions/2566661-update-your-github-repo-with-teambox-4-code- (http://teambox.com/open-source returns err404)

I don't know much about mageia-maintdb.

Regards,
Comment 39 claire robinson 2013-03-20 12:17:55 CET
Assigning Funda until this is ready.

Please reassign to QA when you've had a chance to take a look.

Thanks :)

Assignee: qa-bugs => fundawang
Whiteboard: feedback => (none)

claire robinson 2013-03-20 12:18:23 CET

CC: (none) => qa-bugs

Comment 40 David Walser 2013-03-24 22:07:32 CET
Funda reported on the mageia-dev list that there's now also CVE-2013-185[4-7] fixed in 2.3.18.
Comment 41 David Walser 2013-03-29 17:03:24 CET
(In reply to David Walser from comment #40)
> Funda reported on the mageia-dev list that there's now also
> CVE-2013-185[4-7] fixed in 2.3.18.

Debian has issued an advisory for these on March 28:
http://www.debian.org/security/2013/dsa-2655

from http://lwn.net/Vulnerabilities/545190/
Comment 42 David Walser 2013-11-22 15:52:50 CET
Closing this now due to Mageia 2 EOL.

http://blog.mageia.org/en/2013/11/21/farewell-mageia-2/

Status: ASSIGNED => RESOLVED
Resolution: (none) => OLD
QA Contact: (none) => security