several vulnerabilities in rails

Bug #870846 reported by Felix Geyer
Affects          Status         Importance   Assigned to   Milestone
rails (Ubuntu)   Invalid        Undecided    Unassigned
Lucid            Fix Released   Undecided    Unassigned
Maverick         Fix Released   Undecided    Unassigned
Natty            Fix Released   Undecided    Unassigned
Oneiric          Invalid        Undecided    Unassigned

Bug Description

There are a bunch of Rails vulnerabilities that haven't been fixed in Ubuntu.

First some CVE tracker triaging:

CVE-2009-4214: already fixed in lucid (2.2.3-2), can be marked as not-affected.
CVE-2011-0446, CVE-2011-0447, CVE-2011-2932: don't affect oneiric (fixed upstream)
CVE-2011-2932: doesn't seem to affect lucid-natty as activesupport/lib/active_support/core_ext/string/output_safety.rb doesn't provide a html_escape method in these versions
CVE-2011-2197: doesn't affect Ubuntu, see http://bugs.debian.org/634990
CVE-2011-2929, CVE-2011-3187: seems to only affect 3.x which isn't in Ubuntu

Felix Geyer (debfx)
visibility: private → public
Changed in rails (Ubuntu Oneiric):
status: New → Invalid
Revision history for this message
Felix Geyer (debfx) wrote :

Attaching a debdiff for lucid.
(package without a patch system and multiple fixes, yay!)

Revision history for this message
Felix Geyer (debfx) wrote :

For maverick and natty we could just fakesync/merge 2.3.5-1.2+squeeze1 from Debian.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff, but I have a few comments:

- CVE-2011-2932 does seem to affect lucid, as the insecure code seems to be present in actionpack/lib/action_view/erb/util.rb
- Please add the upstream commit that fixed each issue to debian/changelog, so we can trace where the fix came from

Also, did you successfully run the test suite after updating the package? I'm curious if this actually worked:

+ 'Mysql2Adapter' => '`',

For Maverick and Natty, we're going to need minimal debdiffs also, as natty has a ubuntu-specific change in it, and the debian update contains some other changes which are not currently in maverick.

I am unsubscribing ubuntu-security-sponsors for now, please fix the debdiff. Once that is done, please resubscribe ubuntu-security-sponsors and set the status to 'NEW'.

Thanks.

tags: added: patch-needswork
Changed in rails (Ubuntu Lucid):
status: New → Incomplete
assignee: nobody → Felix Geyer (debfx)
Revision history for this message
Felix Geyer (debfx) wrote :

> - CVE-2011-2932 does seem to affect lucid, as the insecure code seems to be present in actionpack/lib/action_view/erb/util.rb

Ah yes, but the affected code is in actionpack/lib/action_view/template_handlers/erb.rb

> - Please add the upstream commit that fixed each issue to debian/changelog, so we can trace where the fix came from

I've added links to the rubyonrails-security threads.

> Also, did you successfully run the test suite after updating the package?

Yes, for mysql and sqlite.
One test failed but I think that's an error in the test code that seems to be fixed by https://rails.lighthouseapp.com/projects/8994/tickets/3826-patch-failure-on-test_validates_acceptance_of_as_database_column

I've also discovered a mistake in the patch for CVE-2011-0446 which I've fixed now.

Changed in rails (Ubuntu Lucid):
status: Incomplete → New
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Debdiff looks good. ACK.
Uploading package to build now, it will be published today or tomorrow.

Thanks!

Changed in rails (Ubuntu Lucid):
status: New → Fix Committed
assignee: Felix Geyer (debfx) → nobody
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rails - 2.2.3-2ubuntu0.1

---------------
rails (2.2.3-2ubuntu0.1) lucid-security; urgency=low

   * SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
     the mail_to helper
     - backported fix from upstream:
       actionpack/test/template/url_helper_test.rb
       actionpack/lib/action_view/helpers/url_helper.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
     - CVE-2011-0446
     - LP: #870846
   * SECURITY UPDATE: rails does not properly validate HTTP requests that
     contain an X-Requested-With header
     - patch from upstream:
       actionpack/test/controller/request_forgery_protection_test.rb
       actionpack/lib/action_view/helpers.rb
       actionpack/lib/action_view/helpers/csrf_helper.rb
       actionpack/lib/action_controller/request_forgery_protection.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
     - CVE-2011-0447
   * SECURITY UPDATE: multiple SQL injection vulnerabilities in the
     quote_table_name method in the ActiveRecord adapters
     - patch from upstream:
       activerecord/test/cases/base_test.rb
       activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
       activerecord/lib/active_record/connection_adapters/sqlite_adapter.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
     - CVE-2011-2930
   * SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
     strip_tags helper
     - patch from upstream:
       actionpack/test/controller/html-scanner/sanitizer_test.rb
       actionpack/lib/action_controller/vendor/html-scanner/html/node.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
     - CVE-2011-2931
   * SECURITY UPDATE: cross-site scripting vulnerability which allows remote
     attackers to inject arbitrary web script or HTML via a malformed Unicode string
     - backported fix from upstream:
       actionpack/lib/action_view/template_handlers/erb.rb
       actionpack/test/template/erb_util_test.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
     - CVE-2011-2932
   * SECURITY UPDATE: response splitting vulnerability
     - patch from upstream:
       actionpack/test/controller/content_type_test.rb
       actionpack/lib/action_controller/response.rb
     - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
     - CVE-2011-3186
 -- Felix Geyer <email address hidden> Sat, 08 Oct 2011 17:26:54 +0200

Changed in rails (Ubuntu Lucid):
status: Fix Committed → Fix Released
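The quote_table_name entry above (CVE-2011-2930) and the `'Mysql2Adapter' => '`'` line Marc quoted from the test suite both turn on one point: an identifier-quoting routine has to escape its own delimiter. The following is an added example, not code from Rails or from the Ubuntu package, showing a naive and a hardened quote_table_name side by side. The adapter-to-delimiter table, the function names and the safely_quoted? check are constructed for illustration; the page does not show the upstream patch itself.

```ruby
# Added example (not Rails or Ubuntu package code): why quote_table_name
# must escape the quote delimiter it wraps identifiers in.

# Identifier delimiter per adapter. Constructed table; the Mysql2Adapter
# entry mirrors the test hint quoted in the thread.
IDENTIFIER_QUOTE = {
  'MysqlAdapter'  => '`',
  'Mysql2Adapter' => '`',
  'SQLiteAdapter' => '"',
}.freeze

# Naive version: wraps each dotted part in the delimiter without escaping,
# so a delimiter embedded in the name terminates the identifier early and
# whatever follows is parsed as SQL.
def quote_table_name_naive(adapter, name)
  q = IDENTIFIER_QUOTE.fetch(adapter)
  name.to_s.split('.').map { |part| "#{q}#{part}#{q}" }.join('.')
end

# Hardened version: doubles every embedded delimiter (SQL's escape for a
# quote character inside a quoted identifier) before wrapping, and quotes
# schema.table as two separate identifiers.
def quote_table_name(adapter, name)
  q = IDENTIFIER_QUOTE.fetch(adapter)
  name.to_s.split('.').map { |part| "#{q}#{part.gsub(q, q * 2)}#{q}" }.join('.')
end

# Review check for either output: each identifier is wrapped in the
# delimiter and every delimiter between the outer pair occurs in runs of
# even length, i.e. is escaped.
def safely_quoted?(adapter, quoted)
  q = IDENTIFIER_QUOTE.fetch(adapter)
  quoted.split('.').all? do |ident|
    ident.length >= 2 && ident.start_with?(q) && ident.end_with?(q) &&
      ident[1...-1].scan(/#{Regexp.escape(q)}+/).all? { |run| run.length.even? }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed table names, one plain and one with an embedded delimiter.
  %w[users app.users odd`name].each do |name|
    puts "#{name.ljust(10)} naive=#{quote_table_name_naive('Mysql2Adapter', name)}" \
         "  hardened=#{quote_table_name('Mysql2Adapter', name)}"
  end
end
```

The check is what a backport reviewer would run against the patched adapter: the naive output for a name carrying a backtick fails safely_quoted?, the hardened output passes, and plain names quote identically under both.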
Revision history for this message
Felix Geyer (debfx) wrote :

maverick debdiff

Revision history for this message
Felix Geyer (debfx) wrote :

natty debdiff

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the two debdiffs, thanks!

I've uploaded the packages for building, and they should get released today or tomorrow.

Thanks!

Changed in rails (Ubuntu Maverick):
status: New → Fix Committed
Changed in rails (Ubuntu Natty):
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rails - 2.3.5-1.2ubuntu1.1

---------------
rails (2.3.5-1.2ubuntu1.1) natty-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
    the mail_to helper
    - Add 0001-Be-sure-to-javascript_escape-the-email-address-to-pr.patch
      from Debian and fix Debian bug #629067 by replacing .html_safe with
      html_escape()
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
    - CVE-2011-0446
    - LP: #870846
  * SECURITY UPDATE: rails does not properly validate HTTP requests that
    contain an X-Requested-With header
    - Add 0002-Change-the-CSRF-whitelisting-to-only-apply-to-get-re.patch
      from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
    - CVE-2011-0447
  * SECURITY UPDATE: multiple SQL injection vulnerabilities in the
    quote_table_name method in the ActiveRecord adapters
    - Add CVE-2011-2930.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
    - CVE-2011-2930
  * SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
    strip_tags helper
    - Add CVE-2011-2931.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
    - CVE-2011-2931
  * SECURITY UPDATE: cross-site scripting vulnerability which allows remote
    attackers to inject arbitrary web script or HTML via a malformed Unicode string
    - Add CVE-2011-2932.patch, backported from upstream
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
    - CVE-2011-2932
  * SECURITY UPDATE: response splitting vulnerability
    - Add CVE-2011-3186.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
    - CVE-2011-3186
 -- Felix Geyer <email address hidden> Wed, 12 Oct 2011 20:05:02 +0200
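The CVE-2011-0447 entry above cites a Debian patch named 0002-Change-the-CSRF-whitelisting-to-only-apply-to-get-re.patch, which states the fix in one line: the request-forgery check must only exempt GET, not any request that happens to carry X-Requested-With. The following is an added example, not Rails code and not the patch itself, contrasting a check that trusts the X-Requested-With header with one that exempts GET alone and otherwise requires the session token. The Request struct, the session token value, and the X-CSRF-Token header name are assumptions made for the demo.

```ruby
# Added example (not Rails or Ubuntu package code): the before/after shape
# of a CSRF verified-request check, constructed for illustration.
Request = Struct.new(:http_method, :headers, :params)

# Token the server associated with the session. Constructed constant.
SESSION_TOKEN = 'a3f1c0de'.freeze

# Before: a request carrying X-Requested-With was whitelisted outright, so
# the token was never compared for such requests, whatever the method.
def verified_request_before?(req)
  req.http_method == :get ||
    req.headers.key?('X-Requested-With') ||
    req.params['authenticity_token'] == SESSION_TOKEN
end

# After: the whitelist applies to GET only. Every other method must present
# the session token, as a form parameter or (assumed header name) as
# X-CSRF-Token; the presence of X-Requested-With proves nothing.
def verified_request_after?(req)
  return true if req.http_method == :get
  token = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
  !token.nil? && token == SESSION_TOKEN
end

# Review helper: list the constructed requests on which the two checks
# disagree, which is exactly the set the patch closes.
def divergent_requests(requests)
  requests.select { |r| verified_request_before?(r) != verified_request_after?(r) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample requests.
  samples = [
    Request.new(:get,  {}, {}),
    Request.new(:post, { 'X-Requested-With' => 'XMLHttpRequest' }, {}),
    Request.new(:post, {}, { 'authenticity_token' => SESSION_TOKEN }),
    Request.new(:post, { 'X-CSRF-Token' => SESSION_TOKEN }, {}),
    Request.new(:delete, {}, {}),
  ]
  divergent_requests(samples).each { |r| puts "only the old check accepts: #{r.to_h}" }
end
```

Run against the samples, the only request the two checks disagree on is the token-less POST carrying X-Requested-With; plain GETs and token-bearing POSTs pass both, and a bare DELETE fails both.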

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package rails - 2.3.5-1.1ubuntu0.1

---------------
rails (2.3.5-1.1ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: multiple cross-site scripting (XSS) vulnerabilities in
    the mail_to helper
    - Add 0001-Be-sure-to-javascript_escape-the-email-address-to-pr.patch
      from Debian and fix Debian bug #629067 by replacing .html_safe with
      html_escape()
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
    - CVE-2011-0446
    - LP: #870846
  * SECURITY UPDATE: rails does not properly validate HTTP requests that
    contain an X-Requested-With header
    - Add 0002-Change-the-CSRF-whitelisting-to-only-apply-to-get-re.patch
      from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
    - CVE-2011-0447
  * SECURITY UPDATE: multiple SQL injection vulnerabilities in the
    quote_table_name method in the ActiveRecord adapters
    - Add CVE-2011-2930.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
    - CVE-2011-2930
  * SECURITY UPDATE: cross-site scripting (XSS) vulnerability in the
    strip_tags helper
    - Add CVE-2011-2931.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b9130749b74ea12
    - CVE-2011-2931
  * SECURITY UPDATE: cross-site scripting vulnerability which allows remote
    attackers to inject arbitrary web script or HTML via a malformed Unicode string
    - Add CVE-2011-2932.patch, backported from upstream
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
    - CVE-2011-2932
  * SECURITY UPDATE: response splitting vulnerability
    - Add CVE-2011-3186.patch from Debian
    - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
    - CVE-2011-3186
 -- Felix Geyer <email address hidden> Wed, 12 Oct 2011 18:48:13 +0200

Changed in rails (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in rails (Ubuntu Natty):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
