Your message dated Sun, 17 Jun 2012 00:20:42 +0000
with message-id <[email protected]>
and subject line Bug#675429: fixed in ruby-activerecord-3.2 3.2.6-1
has caused the Debian Bug report #675429,
regarding ruby-activerecord-3.2: CVE-2012-2660 unsafe query generation risk in 
Ruby on Rails when Active Record is used
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
675429: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675429
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ruby-activerecord-3.2
Severity: important
Tags: security, patch

http://seclists.org/oss-sec/2012/q2/449
"""
Unsafe Query Generation Risk in Ruby on Rails

There is a vulnerability when Active Record is used in conjunction with 
parameter parsing from Rack via Action Pack. This vulnerability has been 
assigned the CVE identifier CVE-2012-2660.

Versions Affected:  ALL versions
Not affected:       NONE
Fixed Versions:     3.2.4, 3.1.5, 3.0.13

Impact
------
Due to the way Active Record interprets parameters in combination with the way 
that Rack parses query parameters, it is possible for an attacker to issue 
unexpected database queries with "IS NULL" where clauses.  This issue does 
*not* let an attacker insert arbitrary values into an SQL query, however they 
can cause the query to check for NULL where most users wouldn't expect it.

For example, a system has password reset with token functionality:
                                                                  
    unless params[:token].nil?                                    
      user = User.find_by_token(params[:token])
      user.reset_password!                     
    end                   

An attacker can craft a request such that `params[:token]` will return `[nil]`. 
The `[nil]` value will bypass the test for nil, but will still add an "IS 
NULL" clause to the SQL query.

All users running an affected release should either upgrade or use one of the 
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
This problem can be mitigated by testing for `[nil]`.  For example:
                                                                   
    unless params[:token].nil? || params[:token] == [nil]          
      user = User.find_by_token(params[:token])          
      user.reset_password!                     
    end                   

Another possible workaround is to cast to a known type and test against that 
type.  For example:

    unless params[:token].to_s.empty?
      user = User.find_by_token(params[:token])
      user.reset_password!
    end

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches 
for the two supported release series.  They are in git-am format and consist of 
a single changeset.

* 3-0-null_param.patch - Patch for 3.0 series
* 3-1-null_param.patch - Patch for 3.1 series
* 3-2-null_param.patch - Patch for 3.2 series

Please note that only the 3.1.x and 3.2.x series are supported at present.  
Users of earlier unsupported releases are advised to upgrade as soon as 
possible as we cannot guarantee the continued availability of security fixes 
for unsupported releases.

Credits
-------

Thanks to Ben Murphy for reporting the vulnerability to us, and to Chad Pyne of 
thoughtbot for helping us verify the fix.
"""

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
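The mechanism the quoted advisory describes, as an added, self-contained Ruby example that is not part of the bug report, the Rails advisory, or the Rails/Rack code bases. The query parser below is a deliberately simplified re-implementation of the nested-parameter rules that matter here (a bare `token[]` with no `=` parses to `[nil]`), not Rack's own parser; the `where_clause` function is a toy model of the WHERE fragment a finder would emit, covering only the nil/`[nil]`/array cases the advisory talks about, and the column name `token` is taken from the advisory's example. The three guards mirror the advisory's vulnerable check and its two workarounds, with one caveat on the cast-based one: on Ruby 1.9 and later `[nil].to_s` is the string `"[nil]"` (Array#to_s is inspect), so the cast only helps if the cast value, not the raw parameter, is what reaches the finder.

```ruby
require 'cgi'

# Simplified nested query-string parsing (a re-implementation of the Rack rules
# relevant here, NOT Rack's code): "k=v" gives a string, "k[]=v" appends v to an
# array, and a bare "k[]" with no "=" appends nil, so "token[]" parses to [nil].
def parse_query(query_string)
  params = {}
  query_string.split(/[&;]/).each do |pair|
    next if pair.empty?
    key, value = pair.split('=', 2)
    key = CGI.unescape(key)
    value = CGI.unescape(value) unless value.nil?
    if key.end_with?('[]')
      (params[key[0...-2]] ||= []) << value
    else
      params[key] = value
    end
  end
  params
end

# Toy predicate builder for the WHERE fragment a finder would emit for one
# column. It models only the behaviour the advisory describes: nil and [nil]
# both become "IS NULL"; a non-empty array becomes IN (...), with
# "OR <column> IS NULL" appended when the array also contains nil.
# This is an assumption-laden model, not Active Record's implementation.
def where_clause(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    present = value.compact
    if present.empty?
      "#{column} IS NULL"
    else
      clause = "#{column} IN (#{present.map { '?' }.join(', ')})"
      value.size > present.size ? "#{clause} OR #{column} IS NULL" : clause
    end
  else
    "#{column} = ?"
  end
end

# The advisory's vulnerable guard: any non-nil value, including [nil], passes
# and is handed straight to the finder.
def vulnerable_query(params)
  return nil if params['token'].nil?
  where_clause('token', params['token'])
end

# Advisory workaround 1: reject the exact [nil] shape as well as nil.
# Note that it is shape-specific: in this model "token[]=abc&token[]" still
# reaches the finder as ["abc", nil].
def workaround_exact_nil_array(params)
  token = params['token']
  return nil if token.nil? || token == [nil]
  where_clause('token', token)
end

# Advisory workaround 2, done so that the CAST value is what gets queried.
# [nil].to_s is "[nil]" on Ruby 1.9+, so the cast alone does not reject the
# request, but the finder now only ever sees a String and cannot emit IS NULL.
def workaround_cast(params)
  token = params['token'].to_s
  return nil if token.empty?
  where_clause('token', token)
end

if __FILE__ == $0
  ['token=abc', 'token[]', 'token[]=abc&token[]', 'token[]=', 'token='].each do |qs|
    p = parse_query(qs)
    puts "#{qs.ljust(22)} params=#{p.inspect}"
    puts "  vulnerable : #{vulnerable_query(p).inspect}"
    puts "  workaround1: #{workaround_exact_nil_array(p).inspect}"
    puts "  workaround2: #{workaround_cast(p).inspect}"
  end
end
```

Running it shows `token[]` turning into `token IS NULL` under the vulnerable guard, being rejected by the `[nil]` comparison, and degrading to a harmless `token = ?` (bound to the literal string `"[nil]"`) under the cast-based guard; the mixed `token[]=abc&token[]` case shows why checking for one exact array shape is weaker than casting to the type the finder is meant to receive.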
--- Begin Message ---
Source: ruby-activerecord-3.2
Source-Version: 3.2.6-1

We believe that the bug you reported is fixed in the latest version of
ruby-activerecord-3.2, which is due to be installed in the Debian FTP archive:

ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
  to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
ruby-activerecord-3.2_3.2.6-1.dsc
  to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6-1.dsc
ruby-activerecord-3.2_3.2.6-1_all.deb
  to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6-1_all.deb
ruby-activerecord-3.2_3.2.6.orig.tar.gz
  to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <[email protected]> (supplier of updated 
ruby-activerecord-3.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 Jun 2012 20:58:15 -0300
Source: ruby-activerecord-3.2
Binary: ruby-activerecord-3.2
Architecture: source all
Version: 3.2.6-1
Distribution: unstable
Urgency: low
Maintainer: Debian Ruby Extras Maintainers 
<[email protected]>
Changed-By: Antonio Terceiro <[email protected]>
Description: 
 ruby-activerecord-3.2 - object-relational mapper framework (part of Rails)
Closes: 675396 675429
Changes: 
 ruby-activerecord-3.2 (3.2.6-1) unstable; urgency=low
 .
   * New upstream release. Fixes the following security problems:
     + CVE-2012-2695
     + CVE-2012-2660 (Closes: #675429)
     + CVE-2012-2661 (Closes: #675396)
   * debian/control:
     + Add myself to Uploaders:
     + Conflicty with ruby-activerecord-2.3
     + Review short description
   * debian/patches/Remove_rubygems_dependency.patch: do not require database
     adapters to be installed via Rubygems.
Checksums-Sha1: 
 bdae91bb2c992d8427a08ef0f6852c351d9d04a4 1681 ruby-activerecord-3.2_3.2.6-1.dsc
 d094533d81c5c05ff57a3ad60370a51120c48161 388542 
ruby-activerecord-3.2_3.2.6.orig.tar.gz
 ac06d9cea429e035de515d1e3265f66d76f5e175 3201 
ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
 d8cbfb16718a269c06890b7c0208f666a682a526 391234 
ruby-activerecord-3.2_3.2.6-1_all.deb
Checksums-Sha256: 
 c35bf868740e055e23b7a19224924a930f93a3cc10f1dfb20fc8451511d6ee5c 1681 
ruby-activerecord-3.2_3.2.6-1.dsc
 42b454aa45d940369f5baf2ad245e741c075bb81e688f603c82d65b893bdff8b 388542 
ruby-activerecord-3.2_3.2.6.orig.tar.gz
 d1b639d14584f7a4460c71af3b4f662b74d42481b16b719359e4ee3f5a86b25c 3201 
ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
 3e5c0fe7dd489811591ca7222957a1c9e4810e61380568e7d943e836ecc0bba4 391234 
ruby-activerecord-3.2_3.2.6-1_all.deb
Files: 
 02dd79518ae747268edc52e2276afd7b 1681 ruby optional 
ruby-activerecord-3.2_3.2.6-1.dsc
 cfcceb44e4f7a66bcbb7982e733738b4 388542 ruby optional 
ruby-activerecord-3.2_3.2.6.orig.tar.gz
 a13c0e3a7b126773cf969c9e0ca0fcef 3201 ruby optional 
ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
 62cd46e3f2c6f2f4c88bb123a9c44abf 391234 ruby optional 
ruby-activerecord-3.2_3.2.6-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/dHdgACgkQDOM8kQ+cso9gBQCfb+bJx9gh9IaBb33JP3EJ2ur4
BwIAnR4KxLNP70m6ei5FQGqD2qjNlLV6
=11PY
-----END PGP SIGNATURE-----



--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
