Bug 1310043 (CVE-2016-2097)

Summary: CVE-2016-2097 rubygem-actionview, rubygem-actionpack: directory traversal in Action View, incomplete CVE-2016-0752 fix
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apatters, bkearney, cbillett, ccoleman, cpelland, dajohnso, dclarizi, dmcphers, gblomqui, gmccullo, gtanzill, hhorak, jfrey, jhardy, jialiu, joelsmith, jokerman, jorton, jprause, jrusnack, kseifried, lmeyer, mmaslano, mmccomas, obarenbo, roliveri, security-response-team, slong, tomckay, vondruch, xlecauch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: rubygem-actionpack 3.2.22.2, rubygem-actionview 4.1.14.2 Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to render unexpected files and, possibly, execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-15 21:20:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1310233, 1310234, 1310235, 1310236, 1313385, 1313386, 1315704, 1315705    
Bug Blocks: 1310055    
Attachments:
Description Flags
Upstream patch
none
Upstream patch for 3.2
none
Upstream patch for 4.1 none

Description Adam Mariš 2016-02-19 10:20:52 UTC 
A possible directory traversal and information leak vulnerability in Action View was found. This issue was meant to be fixed in patch for CVE-2016-0752. However the 3.2 patch was not covering all the scenarios.

Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.

A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method.

Versions Affected:  3.2.x, 4.0.x
Not affected:       4.1+
Fixed Versions:     3.2.22.2
Comment 1 Adam Mariš 2016-02-19 10:22:20 UTC 
Created attachment 1128503 [details]
Upstream patch
Comment 2 Adam Mariš 2016-02-19 10:42:21 UTC 
Acknowledgments:

Name: the Ruby on Rails project
Upstream: Jyoti Singh, Tobias Kraze (makandra)
Comment 3 Tomas Hoger 2016-02-19 20:07:07 UTC 
The original issue CVE-2016-0752 is tracked via bug 1301963.
Comment 6 Adam Mariš 2016-03-01 14:07:44 UTC 
Affected version have been changed from previous advisory. Current versions are following:

Versions Affected:  3.2.x, 4.0.x, 4.1.x
Not affected:       4.2+
Fixed Versions:     3.2.22.2, 4.1.14.2
Comment 7 Adam Mariš 2016-03-01 14:09:01 UTC 
Created attachment 1131946 [details]
Upstream patch for 3.2
Comment 8 Adam Mariš 2016-03-01 14:11:11 UTC 
Created attachment 1131947 [details]
Upstream patch for 4.1
Comment 9 Adam Mariš 2016-03-01 14:11:52 UTC 
External Reference:

https://groups.google.com/forum/#!msg/rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ
Comment 11 Adam Mariš 2016-03-01 14:14:48 UTC 
Created rubygem-actionview tracking bugs for this issue:

Affects: fedora-all [bug 1313386]
Comment 12 Tomas Hoger 2016-03-08 12:30:00 UTC 
Upstream commits:

3.2 https://github.com/rails/rails/commit/af9b9132f82d1f468836997c716a02f14e61c38c
4.1 https://github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324
Comment 17 errata-xmlrpc 2016-03-15 20:59:06 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:0456 https://rhn.redhat.com/errata/RHSA-2016-0456.html
Comment 18 errata-xmlrpc 2016-03-15 21:01:52 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2016:0455 https://rhn.redhat.com/errata/RHSA-2016-0455.html
Comment 19 errata-xmlrpc 2016-03-15 21:04:56 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2016:0454 https://rhn.redhat.com/errata/RHSA-2016-0454.html