Unsafe Query Generation Risk in Ruby on Rails

Bug #1100188 reported by Christian Kuersteiner
Affects                          Status        Importance  Assigned to            Milestone
rails (Ubuntu)                   Invalid       Undecided   Unassigned
  Lucid                          Won't Fix     Undecided   Unassigned
  Oneiric                        Invalid       Undecided   Unassigned
  Precise                        Invalid       Undecided   Unassigned
  Quantal                        Invalid       Undecided   Unassigned
  Raring                         Invalid       Undecided   Unassigned
ruby-actionpack-2.3 (Ubuntu)     Invalid       Undecided   Unassigned
  Lucid                          Invalid       Undecided   Unassigned
  Oneiric                        Invalid       Undecided   Unassigned
  Precise                        Invalid       Undecided   Unassigned
  Quantal                        Invalid       Undecided   Unassigned
  Raring                         Invalid       Undecided   Unassigned
ruby-actionpack-3.2 (Ubuntu)     Fix Released  Undecided   Unassigned
  Lucid                          Invalid       Undecided   Unassigned
  Oneiric                        Invalid       Undecided   Unassigned
  Precise                        Invalid       Undecided   Unassigned
  Quantal                        Fix Released  Undecided   Christian Kuersteiner
  Raring                         Fix Released  Undecided   Unassigned
ruby-activerecord-2.3 (Ubuntu)   Fix Released  Undecided   Unassigned
  Lucid                          Invalid       Undecided   Unassigned
  Oneiric                        Fix Released  Undecided   Unassigned
  Precise                        Fix Released  Undecided   Unassigned
  Quantal                        Fix Released  Undecided   Unassigned
  Raring                         Fix Released  Undecided   Unassigned
ruby-activerecord-3.2 (Ubuntu)   Fix Released  Undecided   Unassigned
  Lucid                          Invalid       Undecided   Unassigned
  Oneiric                        Invalid       Undecided   Unassigned
  Precise                        Invalid       Undecided   Unassigned
  Quantal                        Fix Released  Undecided   Unassigned
  Raring                         Fix Released  Undecided   Unassigned

Bug Description

There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing.

See also: http://www.openwall.com/lists/oss-security/2013/01/08/13

information type: Private Security → Public Security
Jamie Strandboge (jdstrand) wrote :

Debian published http://www.debian.org/security/2013/dsa-2609 for this. Interestingly, they patched squeeze (2.3.5-1.2+squeeze5) so this might not actually be just for 3.x.

Christian Kuersteiner (ckuerste) wrote :
Christian Kuersteiner (ckuerste) wrote :

Patch for quantal 3.2.x series

Changed in ruby-activerecord-3.2 (Ubuntu):
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Per Debian, ruby-actionpack-2.3 not-affected.

Changed in rails (Ubuntu Lucid):
status: New → Triaged
Changed in ruby-actionpack-2.3 (Ubuntu Lucid):
status: New → Invalid
Changed in ruby-actionpack-3.2 (Ubuntu Lucid):
status: New → Invalid
Changed in ruby-activerecord-2.3 (Ubuntu Lucid):
status: New → Invalid
Changed in ruby-activerecord-3.2 (Ubuntu Lucid):
status: New → Invalid
Changed in rails (Ubuntu Oneiric):
status: New → Invalid
Changed in rails (Ubuntu Precise):
status: New → Invalid
Changed in rails (Ubuntu Quantal):
status: New → Invalid
Changed in rails (Ubuntu Raring):
status: New → Invalid
Changed in ruby-actionpack-2.3 (Ubuntu Oneiric):
status: New → Invalid
Changed in ruby-actionpack-2.3 (Ubuntu Precise):
status: New → Invalid
Changed in ruby-actionpack-2.3 (Ubuntu Quantal):
status: New → Invalid
Changed in ruby-actionpack-2.3 (Ubuntu Raring):
status: New → Invalid
Changed in ruby-actionpack-3.2 (Ubuntu Oneiric):
status: New → Triaged
Changed in ruby-actionpack-3.2 (Ubuntu Precise):
status: New → Triaged
Changed in ruby-actionpack-3.2 (Ubuntu Quantal):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Raring ruby-actionpack-3.2 fixed in 3.2.6-5

Changed in ruby-actionpack-3.2 (Ubuntu Raring):
status: New → Fix Released
description: updated
Changed in ruby-activerecord-2.3 (Ubuntu Oneiric):
status: New → Triaged
Changed in ruby-activerecord-2.3 (Ubuntu Precise):
status: New → Triaged
Changed in ruby-activerecord-2.3 (Ubuntu Quantal):
status: New → Triaged
Changed in ruby-activerecord-2.3 (Ubuntu Raring):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

ruby-activerecord-2.3 is fixed in Debian's 2.3.14-4. Raring just needs a sync.

Changed in ruby-actionpack-3.2 (Ubuntu Oneiric):
status: Triaged → Invalid
Changed in ruby-actionpack-3.2 (Ubuntu Precise):
status: Triaged → Invalid
Changed in ruby-activerecord-3.2 (Ubuntu Oneiric):
status: New → Invalid
Changed in ruby-activerecord-3.2 (Ubuntu Precise):
status: New → Invalid
Jamie Strandboge (jdstrand) wrote :

Raring ruby-activerecord-3.2 was fixed in 3.2.6-4.

Changed in ruby-activerecord-3.2 (Ubuntu Raring):
status: Confirmed → Fix Released
Changed in ruby-activerecord-3.2 (Ubuntu Quantal):
status: New → Triaged
Changed in ruby-activerecord-2.3 (Ubuntu Quantal):
assignee: nobody → Christian Kuersteiner (ckuerste)
Jamie Strandboge (jdstrand) wrote :

This should now be triaged for our packages based on Debian's https://security-tracker.debian.org/tracker/CVE-2013-0155. As Marc said, since the packages referred to in this bug are in universe or multiverse, they are community maintained. When debdiffs are available, members of the security team will review them and publish the packages. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

Since I added so many tasks, I went ahead and assigned Christian to ruby-activerecord-3.2 on Quantal since that is what the supplied debdiff was for.

Jamie Strandboge (jdstrand) wrote :

Raring has ruby-activerecord-2.3 2.3.14-4 now

Changed in ruby-activerecord-2.3 (Ubuntu Raring):
status: Triaged → Fix Released
Jamie Strandboge (jdstrand) wrote :

Note, people helping out with this bug may want to also look at bug #1098357.

Jamie Strandboge (jdstrand) wrote :

Attaching the patch from duplicate bug #1100162 on Christian's behalf. I have not reviewed it.

Jamie Strandboge (jdstrand) wrote :

Assigning Christian to ruby-actionpack-3.2 on quantal since he submitted a debdiff.

Changed in ruby-actionpack-3.2 (Ubuntu Quantal):
assignee: nobody → Christian Kuersteiner (ckuerste)
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs in comments 3 and 11. Packages are building now and will be released shortly. Thanks!

Changed in ruby-activerecord-3.2 (Ubuntu Quantal):
status: Triaged → Fix Committed
Changed in ruby-actionpack-3.2 (Ubuntu Quantal):
status: Triaged → Fix Committed
Marc Deslauriers (mdeslaur) wrote :

I've also uploaded fixed packages for ruby-activerecord-2.3. They will be released shortly.

Changed in ruby-activerecord-2.3 (Ubuntu Oneiric):
status: Triaged → Fix Committed
Changed in ruby-activerecord-2.3 (Ubuntu Precise):
status: Triaged → Fix Committed
Changed in ruby-activerecord-2.3 (Ubuntu Quantal):
assignee: Christian Kuersteiner (ckuerste) → nobody
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby-activerecord-2.3 - 2.3.14-1ubuntu0.12.04.1

---------------
ruby-activerecord-2.3 (2.3.14-1ubuntu0.12.04.1) precise-security; urgency=low

  * SECURITY UPDATE: unsafe query generation risk (LP: #1100188)
    - debian/patches/CVE-2013-0155.patch: added patch from Debian 2.3.14-4.
    - CVE-2013-0155
 -- Marc Deslauriers <email address hidden> Fri, 18 Jan 2013 08:33:13 -0500

Changed in ruby-activerecord-2.3 (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby-activerecord-2.3 - 2.3.14-2ubuntu0.1

---------------
ruby-activerecord-2.3 (2.3.14-2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: unsafe query generation risk (LP: #1100188)
    - debian/patches/CVE-2013-0155.patch: added patch from Debian 2.3.14-4.
    - CVE-2013-0155
 -- Marc Deslauriers <email address hidden> Fri, 18 Jan 2013 08:28:45 -0500

Changed in ruby-activerecord-2.3 (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby-activerecord-3.2 - 3.2.6-2ubuntu0.1

---------------
ruby-activerecord-3.2 (3.2.6-2ubuntu0.1) quantal-security; urgency=low

  * SECURITY UPDATE: Unsafe Query Generation Risk in Ruby on Rails
    (LP: #1100188)
    - debian/patches/CVE-2013-0155: Strip nils from collections on JSON and
      XML posts. Based on upstream patch.
    - CVE-2013-0155
 -- Christian Kuersteiner <email address hidden> Wed, 16 Jan 2013 16:14:08 +0700

Changed in ruby-activerecord-3.2 (Ubuntu Quantal):
status: Fix Committed → Fix Released
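The changelog entry above describes the fix only as stripping nils from collections on JSON and XML posts. As an added illustration (not the patch shipped in the package), the following Ruby sanitiser applies that rule to a parsed JSON body: nils are removed from arrays at any depth and an array left empty collapses to nil, so a value such as `[null]` no longer reaches query code as a non-empty collection. The `blank_param?` guard and the request bodies are constructed for the example.

```ruby
require 'json'

# Recursively strip nils from collections in a parsed parameter structure,
# following the approach the CVE-2013-0155 fix took: nils are dropped from
# arrays, an array left empty collapses to nil, and nested hashes are
# walked so the rule holds at every depth. Added illustration, not the
# patch shipped in the package.
def strip_nils(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = strip_nils(v) }
  when Array
    cleaned = value.map { |v| strip_nils(v) }.compact
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# A value is "blank" if it is nil or an empty collection; this mirrors the
# kind of guard application code uses before handing a parameter to a query.
# Note that a raw [nil] is NOT blank, which is why the sanitiser matters.
def blank_param?(value)
  value.nil? || (value.respond_to?(:empty?) && value.empty?)
end

# Parse a JSON request body and return both the raw and the sanitised params.
def sanitise_json_params(body)
  raw = JSON.parse(body)
  [raw, strip_nils(raw)]
end

# Constructed request bodies: the second and third send collections that
# contain only nulls, which a plain JSON parse keeps as non-empty arrays.
BODIES = [
  '{"token": "abc123"}',
  '{"token": [null]}',
  '{"post": {"tags": [null, null], "title": "x"}}'
].freeze

if __FILE__ == $PROGRAM_NAME
  BODIES.each do |body|
    raw, clean = sanitise_json_params(body)
    puts "raw:   #{raw.inspect} (blank token? #{blank_param?(raw['token'])})"
    puts "clean: #{clean.inspect} (blank token? #{blank_param?(clean['token'])})"
  end
end
```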
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ruby-activerecord-2.3 - 2.3.14-1ubuntu0.11.10.1

---------------
ruby-activerecord-2.3 (2.3.14-1ubuntu0.11.10.1) oneiric-security; urgency=low

  * SECURITY UPDATE: unsafe query generation risk (LP: #1100188)
    - debian/patches/CVE-2013-0155.patch: added patch from Debian 2.3.14-4.
    - CVE-2013-0155
 -- Marc Deslauriers <email address hidden> Fri, 18 Jan 2013 08:34:35 -0500

Changed in ruby-activerecord-2.3 (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Since there is nothing left to sponsor, I am unsubscribing ubuntu-security-sponsors.

Please re-subscribe the team again if someone attaches a debdiff for rails on lucid.

Changed in ruby-actionpack-3.2 (Ubuntu Quantal):
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in rails (Ubuntu Lucid):
status: Triaged → Won't Fix