Debian Bug report logs - #697722
rails: CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack


Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails.

Reported by: Henri Salo <henri@nerv.fi>

Date: Tue, 8 Jan 2013 21:45:02 UTC

Severity: grave

Tags: security

Found in version rails/2.3.5-1.2+squeeze4

Fixed in version rails/2.3.5-1.2+squeeze4.1

Done: Antoine Beaupré <anarcat@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#697722; Package rails. (Tue, 08 Jan 2013 21:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 08 Jan 2013 21:45:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: rails: CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack
Date: Tue, 8 Jan 2013 23:42:46 +0200
Package: rails
Version: 2:2.3.14.2
Severity: grave
Tags: security

http://www.openwall.com/lists/oss-security/2013/01/08/14
https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

"""
Multiple vulnerabilities in parameter parsing in Action Pack 

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156. 

Versions Affected:  ALL versions 
Not affected:       NONE 
Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15 
<snip>
"""

This probably affects squeeze and wheezy too. Please contact me in case you need any help!

- Henri Salo



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#697722; Package rails. (Wed, 09 Jan 2013 17:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to anarcat <anarcat@anarcat.ath.cx>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 09 Jan 2013 17:27:05 GMT) Full text and rfc822 format available.

Message #10 received at 697722@bugs.debian.org (full text, mbox):

From: anarcat <anarcat@anarcat.ath.cx>
To: 697722@bugs.debian.org
Cc: Antonio Terceiro <terceiro@debian.org>
Subject: working on a NMU?
Date: Wed, 9 Jan 2013 12:25:11 -0500
[Message part 1 (text/plain, inline)]
Anyone working on an upload? I'd be ready to help with this or do a
straight out NMU..

By the way, it seems the git repo for the package is totally out of
date... Anyone still working on that?

A.
-- 
Man really attains the state of complete humanity when he produces,
without being forced by physical need to sell himself as a commodity.
                        - Ernesto "Che" Guevara
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#697722; Package rails. (Wed, 09 Jan 2013 18:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antonio Terceiro <terceiro@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 09 Jan 2013 18:03:03 GMT) Full text and rfc822 format available.

Message #15 received at 697722@bugs.debian.org (full text, mbox):

From: Antonio Terceiro <terceiro@debian.org>
To: Henri Salo <henri@nerv.fi>, 697722@bugs.debian.org
Subject: Re: Bug#697722: rails: CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack
Date: Wed, 9 Jan 2013 15:02:04 -0300
[Message part 1 (text/plain, inline)]
notfound 697722 2:2.3.14.2
found 697722 2.3.5-1.2+squeeze4
clone 697722 -1 -2
reassign -1 ruby-actionpack-2.3
reassign -2 ruby-actionpack-3.2
thanks

On Tue, Jan 08, 2013 at 11:42:46PM +0200, Henri Salo wrote:
> Package: rails
> Version: 2:2.3.14.2
> Severity: grave
> Tags: security
> 
> http://www.openwall.com/lists/oss-security/2013/01/08/14
> https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
> 
> """
> Multiple vulnerabilities in parameter parsing in Action Pack 
> 
> There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156. 
> 
> Versions Affected:  ALL versions 
> Not affected:       NONE 
> Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15 
> <snip>
> """
> 
> This probably affects squeeze and wheezy too. Please contact me in case you need any help!

Yes, this affects both squeeze and wheezy, but on different packages. A
fix for wheezy is under way, and wheezy will follow.

-- 
Antonio Terceiro <terceiro@debian.org>
[signature.asc (application/pgp-signature, inline)]

No longer marked as found in versions rails/2:2.3.14.2. Request was from Antonio Terceiro <terceiro@debian.org> to control@bugs.debian.org. (Wed, 09 Jan 2013 18:03:04 GMT) Full text and rfc822 format available.

Marked as found in versions rails/2.3.5-1.2+squeeze4. Request was from Antonio Terceiro <terceiro@debian.org> to control@bugs.debian.org. (Wed, 09 Jan 2013 18:03:05 GMT) Full text and rfc822 format available.

Bug 697722 cloned as bugs 697789, 697790 Request was from Antonio Terceiro <terceiro@debian.org> to control@bugs.debian.org. (Wed, 09 Jan 2013 18:03:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#697722; Package rails. (Wed, 09 Jan 2013 18:21:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 09 Jan 2013 18:21:09 GMT) Full text and rfc822 format available.

Message #26 received at 697722@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: 697722@bugs.debian.org
Subject: NMU uploaded to security
Date: Wed, 09 Jan 2013 13:19:55 -0500
[Message part 1 (text/plain, inline)]
tags 697722 +pending
thanks

I uploaded a NMU to security-master.debian.org just now. This should be
sufficient to fix rails security on squeeze since #697744 /
CVE-2013-0155 doesn't affect 2.x.

I don't have more time to work on this issue so others will pick up the
upload for sid.

Thanks to the #debian-security for the help!

A.

-- 
The destruction of the totalitarian market society is not a matter of
opinion. It is an absolute necessity in a world we know to be doomed.
Since power is everywhere, it is everywhere and at all times that it
must be fought. - Jean-François Brient, de la servitude moderne
[Message part 2 (application/pgp-signature, inline)]

Added tag(s) pending. Request was from Antoine Beaupré <anarcat@orangeseeds.org> to control@bugs.debian.org. (Wed, 09 Jan 2013 18:21:11 GMT) Full text and rfc822 format available.

Reply sent to Antoine Beaupré <anarcat@debian.org>:
You have taken responsibility. (Sat, 12 Jan 2013 15:48:13 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 12 Jan 2013 15:48:13 GMT) Full text and rfc822 format available.

Message #33 received at 697722-close@bugs.debian.org (full text, mbox):

From: Antoine Beaupré <anarcat@debian.org>
To: 697722-close@bugs.debian.org
Subject: Bug#697722: fixed in rails 2.3.5-1.2+squeeze4.1
Date: Sat, 12 Jan 2013 15:47:05 +0000
Source: rails
Source-Version: 2.3.5-1.2+squeeze4.1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 697722@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anarcat@debian.org> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 09 Jan 2013 12:31:47 -0500
Source: rails
Binary: rails rails-ruby1.8 rails-doc libactiverecord-ruby libactiverecord-ruby1.8 libactiverecord-ruby1.9.1 libactivesupport-ruby libactivesupport-ruby1.8 libactivesupport-ruby1.9.1 libactionpack-ruby libactionpack-ruby1.8 libactionmailer-ruby libactionmailer-ruby1.8 libactiveresource-ruby libactiveresource-ruby1.8
Architecture: source all
Version: 2.3.5-1.2+squeeze4.1
Distribution: stable-security
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Description: 
 libactionmailer-ruby - Framework for generation of customized email messages
 libactionmailer-ruby1.8 - Framework for generation of customized email messages
 libactionpack-ruby - Controller and View framework used by Rails
 libactionpack-ruby1.8 - Controller and View framework used by Rails
 libactiverecord-ruby - ORM database interface for ruby
 libactiverecord-ruby1.8 - ORM database interface for ruby
 libactiverecord-ruby1.9.1 - ORM database interface for ruby
 libactiveresource-ruby - Connects objects and REST web services
 libactiveresource-ruby1.8 - Connects objects and REST web services
 libactivesupport-ruby - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.8 - utility classes and extensions (Ruby 1.8)
 libactivesupport-ruby1.9.1 - utility classes and extensions (Ruby 1.8)
 rails      - MVC ruby based framework geared for web application development
 rails-doc  - Documentation for rails, a MVC ruby based framework
 rails-ruby1.8 - MVC ruby based framework geared for web application development
Closes: 697722
Changes: 
 rails (2.3.5-1.2+squeeze4.1) stable-security; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches/CVE-2013-0156.patch: fix remote execution (Closes: #697722)
Checksums-Sha1: 
 9e81e7c7095bf82907a9567f302793648fb70aba 2438 rails_2.3.5-1.2+squeeze4.1.dsc
 6a2e7be45e12a81a5af84c4912c51f0b9a9ecacd 28105 rails_2.3.5-1.2+squeeze4.1.debian.tar.gz
 4b2aa65aca7b1fb08173edb906173867733e04f5 12282 rails_2.3.5-1.2+squeeze4.1_all.deb
 5fae39f096d9c618ab2ab13a9e2866b1bd039e24 221760 rails-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 c1968f5aab7f996f5c477fdef5367159fbca2031 891848 rails-doc_2.3.5-1.2+squeeze4.1_all.deb
 13a0d35eb36d9e61489245f3c351c0373639957b 9734 libactiverecord-ruby_2.3.5-1.2+squeeze4.1_all.deb
 b29e26881e3094fc84f4f2c4a6d04564a291d0bf 266430 libactiverecord-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 6ed98652310d6c10aabbb84059f8d418fafa7049 265238 libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 110141c940b20db8de94f84bb00a9faa4deda371 9656 libactivesupport-ruby_2.3.5-1.2+squeeze4.1_all.deb
 e4b2f0c972a8d72dfe552a4ec86d0206279d9bc9 260700 libactivesupport-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 1a71d6012a85ad802ec4b5d226db3e39a60fd2a9 260512 libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 229eea266e7026d4870aa53aa3a32809bff07e57 9794 libactionpack-ruby_2.3.5-1.2+squeeze4.1_all.deb
 7ee43077b192d9ed16ee7b02dadc73cab66fc2bf 320106 libactionpack-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 49cc438f4240bbaebfc41410a928f9e0654dd387 9760 libactionmailer-ruby_2.3.5-1.2+squeeze4.1_all.deb
 c0dd8259b5fdc1abe60d9f1f752448ec253cdd34 32032 libactionmailer-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 0b9a5f19b984b901e80f27a6608bfa6dd333939e 9776 libactiveresource-ruby_2.3.5-1.2+squeeze4.1_all.deb
 91e9c29e240dfaa83072fda7674da2bd36352095 37144 libactiveresource-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
Checksums-Sha256: 
 51aa6f0ffb4140143a72111ee83898137bb402ddabb48c77bee63f4a201687b7 2438 rails_2.3.5-1.2+squeeze4.1.dsc
 8ae9b7341963cc3a349a9cd5216da17934fc23355a1f8d411387ac513e6f896b 28105 rails_2.3.5-1.2+squeeze4.1.debian.tar.gz
 38b5c73b041416df63f7799faf0b9e1ed940a9297545a62f1cbba07fac6b4a45 12282 rails_2.3.5-1.2+squeeze4.1_all.deb
 6fa665e3b8db2f33a6e55b306c5b9f6f833b4e4de26d4efcac8814d279f5d20a 221760 rails-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 1805567830fd55132a5d10d29624269f13583aaedb97ade75a62adfc2a77f643 891848 rails-doc_2.3.5-1.2+squeeze4.1_all.deb
 323feacdef1b0d0b5eee342ba0a5bef192560482123f27a970b5289ab3d2b96d 9734 libactiverecord-ruby_2.3.5-1.2+squeeze4.1_all.deb
 dcc16ce4b37abbd3c4bbb41b864bbcbff4e20b3759117fbbc989a0108e12a02d 266430 libactiverecord-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 f2a6fc1c93591720460e00913797e5ad2584772cdfa1d6fe2d4c0fc3d5c23b58 265238 libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 cc9e6c6ab3bad6668fb4a5b9abbad0ee785ec468d07ac78d90b035a96c21bd22 9656 libactivesupport-ruby_2.3.5-1.2+squeeze4.1_all.deb
 85f8ad488c9639e33b47cdec98c3348607fafa94153933b2667a60d5f1a9a6b3 260700 libactivesupport-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 020091d236e6a5960fa581078a8d17977701c8c70454ea5d1283f901d40b8ae8 260512 libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 cc4b7ea14025e56fcaf41780af821a698164ff213b649b5bd66ab77ceac4645c 9794 libactionpack-ruby_2.3.5-1.2+squeeze4.1_all.deb
 f337de0b12129ba1cea113413aebbcec25600731b165d7c208ac2c1549cdee53 320106 libactionpack-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 a0036cd6c504f962a41e36ec1ef7ff4742accf4c7eb4328c7b4db43b74e80355 9760 libactionmailer-ruby_2.3.5-1.2+squeeze4.1_all.deb
 968f586f119a5722722f253b6a1b21c7848cbbbadb1eeb38b6bd2d95bd51d9ae 32032 libactionmailer-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 36ea0bb2d94382abedbbf48bd522d8cbd9933e68f16b8b9f4b655f0ee6b72b9e 9776 libactiveresource-ruby_2.3.5-1.2+squeeze4.1_all.deb
 f9011184c1baa98ed7c41370f06caf81f17a84551204ed6b180429348fa6ce5f 37144 libactiveresource-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
Files: 
 09f7cbd2b86cfafab5b75e15ee146e59 2438 ruby optional rails_2.3.5-1.2+squeeze4.1.dsc
 5920d8423b094dd587eb6380a1e100b1 28105 ruby optional rails_2.3.5-1.2+squeeze4.1.debian.tar.gz
 c38a3797f7b343bede1fb88a0bdf6010 12282 ruby optional rails_2.3.5-1.2+squeeze4.1_all.deb
 2983384cf065ab13ba6487bf153bdba5 221760 ruby optional rails-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 efcb7c98db6fab7f72d00956f834039f 891848 doc optional rails-doc_2.3.5-1.2+squeeze4.1_all.deb
 4e91bae9b089c805a577b31dafacd369 9734 ruby optional libactiverecord-ruby_2.3.5-1.2+squeeze4.1_all.deb
 7ded3445ea7024f69e81695b80ecfe0b 266430 ruby optional libactiverecord-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 c7b41daba154cc104ea56e132b4f16da 265238 ruby optional libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 b635cdabe00560107dcb22f75fc67519 9656 ruby optional libactivesupport-ruby_2.3.5-1.2+squeeze4.1_all.deb
 1894f46ac5251005fbb863730c8cf1c4 260700 ruby optional libactivesupport-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 180aea7baa5276aec07411c8094b9770 260512 ruby optional libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze4.1_all.deb
 7cf2e53185fea2799a6a31316e9b71f5 9794 ruby optional libactionpack-ruby_2.3.5-1.2+squeeze4.1_all.deb
 001de800e01b3108f9c37383ae7c7aa0 320106 ruby optional libactionpack-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 3adb325d1deb8b4dc2da2ead9b336a04 9760 ruby optional libactionmailer-ruby_2.3.5-1.2+squeeze4.1_all.deb
 691a33a56107136da23524a0f954fa00 32032 ruby optional libactionmailer-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb
 608df23322c5069eaf94a9e1f29090bb 9776 ruby optional libactiveresource-ruby_2.3.5-1.2+squeeze4.1_all.deb
 5367c45eda081f3764fda66cb62d049a 37144 ruby optional libactiveresource-ruby1.8_2.3.5-1.2+squeeze4.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
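The .changes file above lists SHA-1, SHA-256 and MD5 digests (in the Checksums-Sha1, Checksums-Sha256 and Files stanzas) for every artifact of the security upload. As an added example, not part of the bug log and not Debian's own tooling, the following Python parses a checksum stanza of that format and checks files in a local directory against it, reporting missing, truncated and tampered artifacts separately. The stanza and files it builds for the demo are constructed, not the ones from this upload, and it assumes the checksums themselves are trusted: on a real .changes file that trust comes from the PGP signature wrapping it, which this code does not verify.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Digest algorithm used by each checksum stanza of a Debian .changes file.
ALGORITHMS = {"Checksums-Sha1": "sha1", "Checksums-Sha256": "sha256", "Files": "md5"}


@dataclass(frozen=True)
class ChangesEntry:
    digest: str
    size: int
    filename: str


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Parse one checksum stanza of a .changes file.

    The stanza starts with a line such as "Checksums-Sha256:" and continues on
    lines indented by one space, "<hexdigest> <size> <filename>". It ends at
    the first non-indented line. The "Files:" stanza carries extra section
    and priority columns, so digest, size and filename are taken as the
    first, second and last tokens of each line.
    """
    entries = []
    in_stanza = False
    for line in changes_text.splitlines():
        if not in_stanza:
            # rstrip() tolerates the trailing space seen after "Checksums-Sha256: "
            in_stanza = line.rstrip() == f"{field}:"
            continue
        if not line.startswith(" "):
            break  # next field reached; stanza complete
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append(ChangesEntry(parts[0].lower(), int(parts[1]), parts[-1]))
    return entries


def file_digest(path, algorithm):
    """Stream a file through the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_changes(changes_text, directory, field="Checksums-Sha256"):
    """Return {filename: status} for every entry of the stanza.

    Status is one of 'ok', 'bad-filename', 'missing', 'size-mismatch' or
    'digest-mismatch'. Size is checked before hashing so a truncated
    download is reported as such rather than as a generic hash failure.
    """
    algorithm = ALGORITHMS[field]
    results = {}
    for entry in parse_checksums(changes_text, field):
        # A .changes entry names a bare file; refuse anything that could
        # escape the download directory.
        if os.sep in entry.filename or entry.filename in (".", ".."):
            results[entry.filename] = "bad-filename"
            continue
        path = os.path.join(directory, entry.filename)
        if not os.path.isfile(path):
            results[entry.filename] = "missing"
        elif os.path.getsize(path) != entry.size:
            results[entry.filename] = "size-mismatch"
        elif file_digest(path, algorithm) != entry.digest:
            results[entry.filename] = "digest-mismatch"
        else:
            results[entry.filename] = "ok"
    return results


def build_demo_fixture():
    """Create a temp directory with constructed files and a constructed stanza.

    Returns (changes_text, directory). The entries are invented for this
    demo (they are not the checksums from the bug log): one correct file,
    one whose content was altered, one with a wrong declared size, one
    missing, and one with a path-traversal filename.
    """
    directory = tempfile.mkdtemp(prefix="changes-demo-")
    hello = b"hello"  # SHA-256 of "hello" is well known
    hello_sha256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
    tampered = b"tampered\n"
    for name, content in (("good_1.0_all.deb", hello), ("size_1.0_all.deb", hello),
                          ("bad_1.0_all.deb", tampered)):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(content)
    changes_text = "\n".join([
        "Format: 1.8",
        "Source: demo",
        "Checksums-Sha256: ",
        f" {hello_sha256} {len(hello)} good_1.0_all.deb",
        f" {hello_sha256} 6 size_1.0_all.deb",
        f" {'0' * 64} {len(tampered)} bad_1.0_all.deb",
        f" {'1' * 64} 42 missing_1.0_all.deb",
        f" {'2' * 64} 1 ../evil_1.0_all.deb",
        "Files: ",
        " d41d8cd98f00b204e9800998ecf8427e 0 ruby optional ignored.deb",
        "",
    ])
    return changes_text, directory


if __name__ == "__main__":
    text, where = build_demo_fixture()
    for filename, status in verify_changes(text, where).items():
        print(f"{status:16} {filename}")
```

Run stand-alone it prints one status per constructed entry; against a real download you would call `verify_changes(open("rails_2.3.5-1.2+squeeze4.1_amd64.changes").read(), ".")` after checking the file's PGP signature, since an attacker who can alter the .changes file can alter the digests in it just as easily as the packages.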




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Feb 2013 07:25:45 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 04:37:07 2014; Machine Name: beach.debian.org
