Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 892870 (CVE-2013-0156) - CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack
Summary: CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter pa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-0156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 847202 893281 893665
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-01-08 05:57 UTC by Kurt Seifried
Modified: 2021-02-04 00:52 UTC (History)
22 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-01-16 08:37:09 UTC
Embargoed:


Attachments (Terms of Use)
actionpack-CVE-2012-0156-2-3-xml_parsing.patch (deleted)
2013-01-08 06:03 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0156-3-0-xml_parsing.patch (deleted)
2013-01-08 06:03 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0156-3-1-xml_parsing.patch (deleted)
2013-01-08 06:03 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0156-3-2-xml_parsing.patch (deleted)
2013-01-08 06:04 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0155-3-0-null_array_param.patch (deleted)
2013-01-08 21:14 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0155-3-1-null_array_param.patch (deleted)
2013-01-08 21:14 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0155-3-2-null_array_param.patch (deleted)
2013-01-08 21:15 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0156-2-3-xml_parsing.patch (deleted)
2013-01-08 21:16 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0156-2-3-xml_parsing.patch (deleted)
2013-01-08 21:19 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0156-3-0-null_array_param.patch (deleted)
2013-01-08 21:19 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0156-3-1-null_array_param.patch (deleted)
2013-01-08 21:20 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2012-0156-3-2-null_array_param.patch (deleted)
2013-01-08 21:20 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2013-0156-2-3-xml_parsing.patch (deleted)
2013-01-08 21:28 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2013-0156-3-0-null_array_param.patch (deleted)
2013-01-08 21:28 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2013-0156-3-1-null_array_param.patch (deleted)
2013-01-08 21:29 UTC, Kurt Seifried
no flags Details | Diff
actionpack-CVE-2013-0156-3-2-null_array_param.patch (deleted)
2013-01-08 21:29 UTC, Kurt Seifried
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0153 0 normal SHIPPED_LIVE Critical: Ruby on Rails security update 2013-01-11 01:39:17 UTC
Red Hat Product Errata RHSA-2013:0154 0 normal SHIPPED_LIVE Critical: Ruby on Rails security update 2013-01-11 01:38:55 UTC
Red Hat Product Errata RHSA-2013:0155 0 normal SHIPPED_LIVE Critical: Ruby on Rails security update 2013-01-11 03:40:25 UTC

Description Kurt Seifried 2013-01-08 05:57:29 UTC
The Ruby on Rails project reports:

Multiple vulnerabilities in parameter parsing in ActionPack

There are multiple weaknesses in the parameter parsing code for Ruby on Rails 
which could allow attackers to bypass authentication systems, inject arbitrary
SQL, inject an execute arbitrary code, or perform a DoS attack on a rails 
application. This vulnerability has been assigned the CVE identifier 
CVE-2013-0156.

Versions Affected:  ALL versions
Not affected:       NONE
Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15

Impact
------
The XML parameter parsing code of Ruby on Rails allows applications to 
automatically to cast values from strings to certain data types.  
Unfortunately the type casting code supported certain conversions which were 
not suitable for performing on user-provided data including.  This unsuitable 
conversion can be used by an attacker to compromise a rails application.

Due to the serious nature of this vulnerability, and the fact it has been 
disclosed publicly, all users running an affected release should either 
upgrade or use one of the work arounds *immediately*.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
The work arounds differ depending on the rails version you are using.  It 
involves disabling the YAML and Symbol type conversion from the Rails XML 
parser.  You should place one of the following code snippets in an 
application initializer to ensure your application isn't vulnerable.

Rails 3.2, 3.1, 3.0
---------

ActiveSupport::XmlMini::PARSING.delete("symbol")
ActiveSupport::XmlMini::PARSING.delete("yaml")

Rails 2.3
---------

ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')

Comment 1 Kurt Seifried 2013-01-08 06:03:08 UTC
Created attachment 674509 [details]
actionpack-CVE-2012-0156-2-3-xml_parsing.patch

Comment 2 Kurt Seifried 2013-01-08 06:03:26 UTC
Created attachment 674510 [details]
actionpack-CVE-2012-0156-3-0-xml_parsing.patch

Comment 3 Kurt Seifried 2013-01-08 06:03:47 UTC
Created attachment 674511 [details]
actionpack-CVE-2012-0156-3-1-xml_parsing.patch

Comment 4 Kurt Seifried 2013-01-08 06:04:05 UTC
Created attachment 674512 [details]
actionpack-CVE-2012-0156-3-2-xml_parsing.patch

Comment 9 Kurt Seifried 2013-01-08 20:59:50 UTC
*** Bug 893188 has been marked as a duplicate of this bug. ***

Comment 10 Kurt Seifried 2013-01-08 21:14:15 UTC
Created attachment 675064 [details]
actionpack-CVE-2012-0155-3-0-null_array_param.patch

Comment 11 Kurt Seifried 2013-01-08 21:14:46 UTC
Created attachment 675066 [details]
actionpack-CVE-2012-0155-3-1-null_array_param.patch

Comment 12 Kurt Seifried 2013-01-08 21:15:33 UTC
Created attachment 675067 [details]
actionpack-CVE-2012-0155-3-2-null_array_param.patch

Comment 13 Kurt Seifried 2013-01-08 21:16:41 UTC
Created attachment 675068 [details]
actionpack-CVE-2012-0156-2-3-xml_parsing.patch

Comment 14 Kurt Seifried 2013-01-08 21:19:37 UTC
Created attachment 675069 [details]
actionpack-CVE-2012-0156-2-3-xml_parsing.patch

Comment 15 Kurt Seifried 2013-01-08 21:19:57 UTC
Created attachment 675070 [details]
actionpack-CVE-2012-0156-3-0-null_array_param.patch

Comment 16 Kurt Seifried 2013-01-08 21:20:19 UTC
Created attachment 675071 [details]
actionpack-CVE-2012-0156-3-1-null_array_param.patch

Comment 17 Kurt Seifried 2013-01-08 21:20:41 UTC
Created attachment 675072 [details]
actionpack-CVE-2012-0156-3-2-null_array_param.patch

Comment 18 Kurt Seifried 2013-01-08 21:28:22 UTC
Created attachment 675077 [details]
actionpack-CVE-2013-0156-2-3-xml_parsing.patch

Comment 19 Kurt Seifried 2013-01-08 21:28:53 UTC
Created attachment 675078 [details]
actionpack-CVE-2013-0156-3-0-null_array_param.patch

Comment 20 Kurt Seifried 2013-01-08 21:29:14 UTC
Created attachment 675079 [details]
actionpack-CVE-2013-0156-3-1-null_array_param.patch

Comment 21 Kurt Seifried 2013-01-08 21:29:35 UTC
Created attachment 675080 [details]
actionpack-CVE-2013-0156-3-2-null_array_param.patch

Comment 22 Anders Kaseorg 2013-01-08 21:38:01 UTC
Presumably the patches should be named CVE-2013-0156, not CVE-2012-0156.

Comment 23 Vincent Danen 2013-01-09 01:27:56 UTC
*** Bug 893189 has been marked as a duplicate of this bug. ***

Comment 24 Vincent Danen 2013-01-09 01:30:10 UTC
The upstream report:

https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

Comment 25 Vincent Danen 2013-01-09 02:27:17 UTC
Created rubygem-actionpack tracking bugs for this issue

Affects: epel-5 [bug 847202]
Affects: fedora-all [bug 893281]

Comment 26 Kurt Seifried 2013-01-09 04:26:58 UTC
A write up of this issue is available at (external link): http://www.insinuator.net/2013/01/rails-yaml/

Comment 27 Mark J. Cox 2013-01-09 11:13:14 UTC
upgrading severity to critical based on an assessment of the issue.

Comment 29 Mark J. Cox 2013-01-09 13:28:57 UTC
Statement:

For details of affected products and workarounds see https://access.redhat.com/knowledge/node/290903

Comment 35 errata-xmlrpc 2013-01-10 20:42:51 UTC
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.1

Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html

Comment 36 errata-xmlrpc 2013-01-10 20:43:28 UTC
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0153 https://rhn.redhat.com/errata/RHSA-2013-0153.html

Comment 37 errata-xmlrpc 2013-01-10 22:41:41 UTC
This issue has been addressed in following products:

  CloudForms for RHEL 6

Via RHSA-2013:0155 https://rhn.redhat.com/errata/RHSA-2013-0155.html

Comment 38 Fedora Update System 2013-01-20 03:40:32 UTC
rubygem-actionpack-3.2.8-2.fc18, rubygem-activerecord-3.2.8-3.fc18, rubygem-activesupport-3.2.8-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 39 Fedora Update System 2013-01-23 01:33:33 UTC
rubygem-actionpack-3.0.10-10.fc16, rubygem-activerecord-3.0.10-5.fc16, rubygem-activesupport-3.0.10-5.fc16, rubygem-activemodel-3.0.10-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 40 Fedora Update System 2013-01-23 01:53:21 UTC
rubygem-actionpack-3.0.11-8.fc17, rubygem-activerecord-3.0.11-5.fc17, rubygem-activemodel-3.0.11-2.fc17, rubygem-activesupport-3.0.11-7.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.