Bug 679351 (CVE-2011-0449)

Summary: CVE-2011-0449 rubygem-actionpack: Intended access restriction bypass via crafted action name, when case-insensitive filesystem is used
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: lutter, mastahnke, mmorsi, sseago, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-04-18 10:37:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2011-02-22 11:01:09 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0449 to
the following vulnerability:

actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x
before 3.0.4, when a case-insensitive filesystem is used, does not
properly implement filters associated with the list of available
templates, which allows remote attackers to bypass intended access
restrictions via an action name that uses an unintended case for
alphabetic characters.

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0449
[2] http://groups.google.com/group/rubyonrails-security/msg/04345b2e84df5b4f?dmode=source&output=gplain
[3] http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
Comment 1 Jan Lieskovsky 2011-02-22 11:03:17 UTC 
This issue did NOT affect the versions of the rubygem-actionpack
package, as shipped with Fedora release of 13 and 14.

--

This issue did NOT affect the version of the rubygem-actionpack
package, as present within EPEL-5 repository.
Comment 2 Vít Ondruch 2011-04-18 10:37:00 UTC 
rubygem-actionpack-3.0.5-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/rubygem-activesupport-3.0.5-1.fc15,rubygem-activemodel-3.0.5-1.fc15,rubygem-activeresource-3.0.5-1.fc15,rubygem-activerecord-3.0.5-1.fc15,rubygem-actionpack-3.0.5-1.fc15,rubygem-actionmailer-3.0.5-1.fc15,rubygem-railties-3.0.5-1.fc15,rubygem-rails-3.0.5-2.fc15