Bug 1114427 (CVE-2014-3483)
| Field | Value |
|---|---|
| Summary | CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting |
| Product | [Other] Security Response |
| Reporter | Murray McAllister <mmcallis> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | jorton, mmaslano, security-response-team, vondruch |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | rubygem-activerecord 4.0.7, rubygem-activerecord 4.1.3. |
| Doc Type | Bug Fix |
| Doc Text | It was discovered that Active Record did not properly quote values of the range type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2021-10-20 10:45:28 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1115335, 1115336, 1115777 |
| Bug Blocks | 1114429 |
| Attachments | |
Description

Murray McAllister, 2014-06-30 04:57:07 UTC

Created attachment 913248: 4.0 patch from upstream

Created attachment 913249: 4.1 patch from upstream

This is now public: https://groups.google.com/forum/#!topic/rubyonrails-security/wDxePLJGZdI

The original fixes for 4.x introduced a regression: http://seclists.org/oss-sec/2014/q3/10

Created attachment 914349: amended 4.0 patch from upstream

Created attachment 914350: amended 4.1 patch from upstream

Created rubygem-activerecord tracking bugs for this issue:

Affects: fedora-20 [bug 1115777]

Upstream release announcement: http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/

Fixed in ActiveRecord 4.0.7 and 4.1.3.

As noted in comment 6, the original fixes were discovered to introduce a regression, which was corrected in the new releases 4.0.8 and 4.1.4: http://weblog.rubyonrails.org/2014/7/2/Rails_4_0_8_and_4_1_4_have_been_released/

Original fixes (4.0 and 4.1):
https://github.com/rails/rails/commit/c4598b9772a2c13259938dc78e37f62db9295412
https://github.com/rails/rails/commit/27a0c137d00e774bf22050d4cfd952e9ab4362ac

Additional fixes correcting the regression:
https://github.com/rails/rails/commit/c1156bfc43dd90e89acb8ffdd4e844f4e4e404ca
https://github.com/rails/rails/commit/958be0e7cc2571b2f57ec62491dc4ded74d29424

Issue Description:
It was discovered that Active Record did not properly quote values of the range type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record.

This issue has been addressed in the following products:
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 7

Via RHSA-2014:0877 https://rhn.redhat.com/errata/RHSA-2014-0877.html

CFME doesn't use any range fields in the database backend. But we should rebase activerecord at some point.