Bug 892870 (CVE-2013-0156)

Summary: CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: andersk, bkearney, bleanhar, cpelland, gfidente, hasari, jialiu, jlieskov, katello-bugs, katello-internal, lmeyer, mastahnke, mjc, mmccune, morazi, msuchy, rcvalle, rmillner, security-response-team, tdawson, tkramer, vanmeeuwen+fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-16 08:37:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 847202, 892873, 892874, 892875, 892877, 893281, 893665, 946303, 946331    
Bug Blocks: 892872    
Attachments:
Description Flags
actionpack-CVE-2012-0156-2-3-xml_parsing.patch
none
actionpack-CVE-2012-0156-3-0-xml_parsing.patch
none
actionpack-CVE-2012-0156-3-1-xml_parsing.patch
none
actionpack-CVE-2012-0156-3-2-xml_parsing.patch
none
actionpack-CVE-2012-0155-3-0-null_array_param.patch
none
actionpack-CVE-2012-0155-3-1-null_array_param.patch
none
actionpack-CVE-2012-0155-3-2-null_array_param.patch
none
actionpack-CVE-2012-0156-2-3-xml_parsing.patch
none
actionpack-CVE-2012-0156-2-3-xml_parsing.patch
none
actionpack-CVE-2012-0156-3-0-null_array_param.patch
none
actionpack-CVE-2012-0156-3-1-null_array_param.patch
none
actionpack-CVE-2012-0156-3-2-null_array_param.patch
none
actionpack-CVE-2013-0156-2-3-xml_parsing.patch
none
actionpack-CVE-2013-0156-3-0-null_array_param.patch
none
actionpack-CVE-2013-0156-3-1-null_array_param.patch
none
actionpack-CVE-2013-0156-3-2-null_array_param.patch none

Description Kurt Seifried 2013-01-08 05:57:29 UTC 
The Ruby on Rails project reports:

Multiple vulnerabilities in parameter parsing in ActionPack

There are multiple weaknesses in the parameter parsing code for Ruby on Rails 
which could allow attackers to bypass authentication systems, inject arbitrary
SQL, inject an execute arbitrary code, or perform a DoS attack on a rails 
application. This vulnerability has been assigned the CVE identifier 
CVE-2013-0156.

Versions Affected:  ALL versions
Not affected:       NONE
Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15

Impact
------
The XML parameter parsing code of Ruby on Rails allows applications to 
automatically to cast values from strings to certain data types.  
Unfortunately the type casting code supported certain conversions which were 
not suitable for performing on user-provided data including.  This unsuitable 
conversion can be used by an attacker to compromise a rails application.

Due to the serious nature of this vulnerability, and the fact it has been 
disclosed publicly, all users running an affected release should either 
upgrade or use one of the work arounds *immediately*.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
The work arounds differ depending on the rails version you are using.  It 
involves disabling the YAML and Symbol type conversion from the Rails XML 
parser.  You should place one of the following code snippets in an 
application initializer to ensure your application isn't vulnerable.

Rails 3.2, 3.1, 3.0
---------

ActiveSupport::XmlMini::PARSING.delete("symbol")
ActiveSupport::XmlMini::PARSING.delete("yaml")

Rails 2.3
---------

ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
Comment 1 Kurt Seifried 2013-01-08 06:03:08 UTC 
Created attachment 674509 [details]
actionpack-CVE-2012-0156-2-3-xml_parsing.patch
Comment 2 Kurt Seifried 2013-01-08 06:03:26 UTC 
Created attachment 674510 [details]
actionpack-CVE-2012-0156-3-0-xml_parsing.patch
Comment 3 Kurt Seifried 2013-01-08 06:03:47 UTC 
Created attachment 674511 [details]
actionpack-CVE-2012-0156-3-1-xml_parsing.patch
Comment 4 Kurt Seifried 2013-01-08 06:04:05 UTC 
Created attachment 674512 [details]
actionpack-CVE-2012-0156-3-2-xml_parsing.patch
Comment 9 Kurt Seifried 2013-01-08 20:59:50 UTC 
*** Bug 893188 has been marked as a duplicate of this bug. ***
Comment 10 Kurt Seifried 2013-01-08 21:14:15 UTC 
Created attachment 675064 [details]
actionpack-CVE-2012-0155-3-0-null_array_param.patch
Comment 11 Kurt Seifried 2013-01-08 21:14:46 UTC 
Created attachment 675066 [details]
actionpack-CVE-2012-0155-3-1-null_array_param.patch
Comment 12 Kurt Seifried 2013-01-08 21:15:33 UTC 
Created attachment 675067 [details]
actionpack-CVE-2012-0155-3-2-null_array_param.patch
Comment 13 Kurt Seifried 2013-01-08 21:16:41 UTC 
Created attachment 675068 [details]
actionpack-CVE-2012-0156-2-3-xml_parsing.patch
Comment 14 Kurt Seifried 2013-01-08 21:19:37 UTC 
Created attachment 675069 [details]
actionpack-CVE-2012-0156-2-3-xml_parsing.patch
Comment 15 Kurt Seifried 2013-01-08 21:19:57 UTC 
Created attachment 675070 [details]
actionpack-CVE-2012-0156-3-0-null_array_param.patch
Comment 16 Kurt Seifried 2013-01-08 21:20:19 UTC 
Created attachment 675071 [details]
actionpack-CVE-2012-0156-3-1-null_array_param.patch
Comment 17 Kurt Seifried 2013-01-08 21:20:41 UTC 
Created attachment 675072 [details]
actionpack-CVE-2012-0156-3-2-null_array_param.patch
Comment 18 Kurt Seifried 2013-01-08 21:28:22 UTC 
Created attachment 675077 [details]
actionpack-CVE-2013-0156-2-3-xml_parsing.patch
Comment 19 Kurt Seifried 2013-01-08 21:28:53 UTC 
Created attachment 675078 [details]
actionpack-CVE-2013-0156-3-0-null_array_param.patch
Comment 20 Kurt Seifried 2013-01-08 21:29:14 UTC 
Created attachment 675079 [details]
actionpack-CVE-2013-0156-3-1-null_array_param.patch
Comment 21 Kurt Seifried 2013-01-08 21:29:35 UTC 
Created attachment 675080 [details]
actionpack-CVE-2013-0156-3-2-null_array_param.patch
Comment 22 Anders Kaseorg 2013-01-08 21:38:01 UTC 
Presumably the patches should be named CVE-2013-0156, not CVE-2012-0156.
Comment 23 Vincent Danen 2013-01-09 01:27:56 UTC 
*** Bug 893189 has been marked as a duplicate of this bug. ***
Comment 24 Vincent Danen 2013-01-09 01:30:10 UTC 
The upstream report:

https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
Comment 25 Vincent Danen 2013-01-09 02:27:17 UTC 
Created rubygem-actionpack tracking bugs for this issue

Affects: epel-5 [bug 847202]
Affects: fedora-all [bug 893281]
Comment 26 Kurt Seifried 2013-01-09 04:26:58 UTC 
A write up of this issue is available at (external link): http://www.insinuator.net/2013/01/rails-yaml/
Comment 27 Mark J. Cox 2013-01-09 11:13:14 UTC 
upgrading severity to critical based on an assessment of the issue.
Comment 29 Mark J. Cox 2013-01-09 13:28:57 UTC 
Statement:

For details of affected products and workarounds see https://access.redhat.com/knowledge/node/290903
Comment 35 errata-xmlrpc 2013-01-10 20:42:51 UTC 
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.1

Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html
Comment 36 errata-xmlrpc 2013-01-10 20:43:28 UTC 
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0153 https://rhn.redhat.com/errata/RHSA-2013-0153.html
Comment 37 errata-xmlrpc 2013-01-10 22:41:41 UTC 
This issue has been addressed in following products:

  CloudForms for RHEL 6

Via RHSA-2013:0155 https://rhn.redhat.com/errata/RHSA-2013-0155.html
Comment 38 Fedora Update System 2013-01-20 03:40:32 UTC 
rubygem-actionpack-3.2.8-2.fc18, rubygem-activerecord-3.2.8-3.fc18, rubygem-activesupport-3.2.8-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 39 Fedora Update System 2013-01-23 01:33:33 UTC 
rubygem-actionpack-3.0.10-10.fc16, rubygem-activerecord-3.0.10-5.fc16, rubygem-activesupport-3.0.10-5.fc16, rubygem-activemodel-3.0.10-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 40 Fedora Update System 2013-01-23 01:53:21 UTC 
rubygem-actionpack-3.0.11-8.fc17, rubygem-activerecord-3.0.11-5.fc17, rubygem-activemodel-3.0.11-2.fc17, rubygem-activesupport-3.0.11-7.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.