rails: CVE-2012-2661 SQL-injection vulnerability

Related Vulnerabilities: CVE-2012-2661   CVE-2012-2695   CVE-2012-2660  

Debian Bug report logs - #675396
rails: CVE-2012-2661 SQL-injection vulnerability


Reported by: Henri Salo <henri@nerv.fi>

Date: Thu, 31 May 2012 20:15:01 UTC

Severity: important

Tags: patch, security

Fixed in version ruby-activerecord-3.2/3.2.6-1

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#675396; Package rails. (Thu, 31 May 2012 20:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 31 May 2012 20:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: rails: CVE-2012-2661 SQL-injection vulnerability
Date: Thu, 31 May 2012 23:12:12 +0300
Package: rails
Severity: important
Tags: security, patch

http://seclists.org/oss-sec/2012/q2/448

"""
SQL Injection Vulnerability in Ruby on Rails

There is a SQL injection vulnerability in Active Record, version 3.0 and later. This vulnerability has been assigned the CVE identifier CVE-2012-2661.

Versions Affected:  3.0.0 and ALL later versions
Not affected:       2.3.14
Fixed Versions:     3.2.4, 3.1.5, 3.0.13

Impact
------
Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

All users running an affected release should upgrade immediately.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

    Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
This issue can be mitigated by casting the parameter to an expected value.  For example, change this:

    Post.where(:id => params[:id]).all

to this:

    Post.where(:id => params[:id].to_s).all

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.  We have also provided a patch for the 3.0 series despite the fact it is unmaintained.

* 3-0-params_sql_injection.patch - Patch for 3.0 series
* 3-1-params_sql_injection.patch - Patch for 3.1 series
* 3-2-params_sql_injection.patch - Patch for 3.2 series

Please note that only the 3.1.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks to Ben Murphy for reporting the vulnerability to us, and to Chad Pyne of thoughtbot for helping us verify the fix.
"""

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
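The advisory above says only that `params[:id]` can arrive as a "specially crafted hash" and that casting fixes it. The following Ruby is an added example (not from the advisory, Rails, or the Debian package): a simplified stand-in for Rack-style nested parameter parsing shows how `id[foo]=bar` turns the parameter into a Hash, and the `.to_s` workaround is generalized into a type check that rejects any non-scalar value before it could reach `where`. `parse_nested_query`, `expect_integer_id` and `safe_where_conditions` are names chosen here; no ActiveRecord is required.

```ruby
# Added example, not advisory or Rails code. Plain Ruby standard library only.
require 'cgi'

# Simplified reimplementation (not Rack's own code) of nested query parsing:
# "id=42" -> {"id" => "42"}; "id[foo]=bar" -> {"id" => {"foo" => "bar"}}.
def parse_nested_query(query)
  params = {}
  query.split('&').each do |pair|
    raw_key, raw_value = pair.split('=', 2)
    key = CGI.unescape(raw_key.to_s)
    value = CGI.unescape(raw_value.to_s)
    if (m = key.match(/\A([^\[]+)\[([^\]]*)\]\z/))   # "id[foo]" -> "id", "foo"
      params[m[1]] = {} unless params[m[1]].is_a?(Hash)
      params[m[1]][m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# The advisory's workaround, generalized: coerce the parameter to the scalar
# type the query expects. A Hash or Array (i.e. a nested parameter) can never
# be a valid id, so it is rejected instead of being handed to `where`.
def expect_integer_id(value)
  if value.is_a?(Hash) || value.is_a?(Array)
    raise ArgumentError, "id must be a scalar, got #{value.class}"
  end
  Integer(value.to_s, 10)   # raises ArgumentError on non-numeric input
end

# Equivalent of `Post.where(:id => expect_integer_id(params[:id]))`:
# returns the condition hash that would be passed to `where`.
def safe_where_conditions(params)
  { id: expect_integer_id(params['id']) }
end

if __FILE__ == $0
  p parse_nested_query('id=42')            # {"id"=>"42"}
  p parse_nested_query('id[foo]=bar')      # {"id"=>{"foo"=>"bar"}}
  p safe_where_conditions('id' => '42')    # {:id=>42}
  begin
    safe_where_conditions(parse_nested_query('id[foo]=bar'))
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```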




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#675396; Package rails. (Thu, 31 May 2012 20:27:06 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 31 May 2012 20:27:06 GMT) (full text, mbox, link).


Message #10 received at 675396@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: Henri Salo <henri@nerv.fi>, 675396@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#675396: rails: CVE-2012-2661 SQL-injection vulnerability
Date: Thu, 31 May 2012 22:24:40 +0200
reassign 675396 ruby-activerecord-3.2
thank you

On Thu, May 31, 2012 at 10:12 PM, Henri Salo <henri@nerv.fi> wrote:
> [...]



-- 
Ondřej Surý <ondrej@sury.org>




Bug reassigned from package 'rails' to 'ruby-activerecord-3.2'. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Thu, 31 May 2012 20:27:10 GMT) (full text, mbox, link).


Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Sun, 17 Jun 2012 00:21:17 GMT) (full text, mbox, link).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 17 Jun 2012 00:21:17 GMT) (full text, mbox, link).


Message #17 received at 675396-close@bugs.debian.org (full text, mbox, reply):

From: Antonio Terceiro <terceiro@debian.org>
To: 675396-close@bugs.debian.org
Subject: Bug#675396: fixed in ruby-activerecord-3.2 3.2.6-1
Date: Sun, 17 Jun 2012 00:20:42 +0000
Source: ruby-activerecord-3.2
Source-Version: 3.2.6-1

We believe that the bug you reported is fixed in the latest version of
ruby-activerecord-3.2, which is due to be installed in the Debian FTP archive:

ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
  to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6-1.debian.tar.gz
ruby-activerecord-3.2_3.2.6-1.dsc
  to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6-1.dsc
ruby-activerecord-3.2_3.2.6-1_all.deb
  to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6-1_all.deb
ruby-activerecord-3.2_3.2.6.orig.tar.gz
  to main/r/ruby-activerecord-3.2/ruby-activerecord-3.2_3.2.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 675396@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated ruby-activerecord-3.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 16 Jun 2012 20:58:15 -0300
Source: ruby-activerecord-3.2
Binary: ruby-activerecord-3.2
Architecture: source all
Version: 3.2.6-1
Distribution: unstable
Urgency: low
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description: 
 ruby-activerecord-3.2 - object-relational mapper framework (part of Rails)
Closes: 675396 675429
Changes: 
 ruby-activerecord-3.2 (3.2.6-1) unstable; urgency=low
 .
   * New upstream release. Fixes the following security problems:
     + CVE-2012-2695
     + CVE-2012-2660 (Closes: #675429)
     + CVE-2012-2661 (Closes: #675396)
   * debian/control:
     + Add myself to Uploaders:
     + Conflict with ruby-activerecord-2.3
     + Review short description
   * debian/patches/Remove_rubygems_dependency.patch: do not require database
     adapters to be installed via Rubygems.






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jul 2012 07:33:55 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:08:05 2019; Machine Name: buxtehude
