Bug 909633 (CVE-2013-0277)

Summary: CVE-2013-0277 rubygem-activerecord: Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: unspecifiedCC: bkabrda, bkearney, bleanhar, bressers, ccoleman, cpelland, dajohnso, dmcphers, jeckersb, jialiu, jomara, jrafanie, lmeyer, mastahnke, mmccune, morazi, msuchy, obarenbo, sclewis, security-response-team, tkramer, vanmeeuwen+fedora, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-11 04:31:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 909635, 909636, 909638, 909639, 946623, 949207, 988646, 995667    
Bug Blocks: 909634, 1011266    
Attachments:
Description Flags
2-3-serialize-cve-2013-0277.patch
none
3-0-serialize-cve-2013-0277.patch none

Description Kurt Seifried 2013-02-10 01:52:58 UTC
Aaron Patterson (tenderlove) reports:

Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0

There is a vulnerability in the serialized attribute handling code in Ruby on 
Rails 2.3 and 3.0, applications which allow users to directly assign to the 
serialized fields in their models are at risk of Denial of Service or Remote 
Code Execution vulnerabilities. This vulnerability has been assigned the CVE 
identifier CVE-2013-0277

Versions Affected:  2.3.x, 3.0.x and all earlier versions
Not affected:       3.1.0 and Above
Fixed Versions:     None

Impact 
------ 
The +serialize+ helper in Active Record allows developers to store various 
objects serialized to a BLOB column in the database.  The objects are 
serialized and deserialized using YAML.  If developers allow their users to 
directly provide values for this attribute, an attacker could use a specially 
crafted request to cause the application to deserialize arbitrary YAML. 

Vulnerable applications will have models similar to this:

  class Post < ActiveRecord::Base
    serialize :tags
  end

and will allow foreign input to be directly assigned to the serialized column 
like this:

  post = Post.new
  post.tags = params[:tags]

All users running an affected release should either apply one of the patches 
or use one of the work arounds immediately. 

Releases 
-------- 
In accordance with our maintenance policy, there will be no new releases of 
Ruby on Rails 2.3 or 3.0 to address this vulnerability.  The patches included 
below have been pushed to the relevant branches in git.

Workarounds 
----------- 
To work around this issue, you must ensure that users cannot assign directly 
to the serialized column.  For example if you have a model Post which 
serializes an array of tags you should use attr_accessible to prevent 
attackers from changing these values directly:

  class Post < ActiveRecord::Base
    serialize :tags
    # because :tags isn't included in the accessible list, it will be protected from assignment by attackers.
    attr_accessible :title, :content
  end

Note: There are additional security concerns caused by allowing your users to 
directly provide values for a serialized attribute like this. You should 
consider making this change even if you apply the patches. 

Patches 
------- 
To aid users who are still running 2.3 or 3.0, we have included patches 
against this vulnerability.  They are in git-am format and consist of a 
single changeset. 

* 2-3-serialize.patch - Patch for 2.3 series 
* 3-0-serialize.patch - Patch for 3.0 series 

Please note that only the 3.1.x and 3.2.x series are supported at present.  
Users of earlier unsupported releases are advised to upgrade as soon as 
possible as we cannot guarantee the continued availability of security fixes 
for unsupported releases.

Credits 
------- 
Thanks to Tobias Kraze for reporting this issue to us and working with us on 
the fix.

Comment 4 Kurt Seifried 2013-02-11 19:56:46 UTC
Created attachment 696264 [details]
2-3-serialize-cve-2013-0277.patch

Comment 5 Kurt Seifried 2013-02-11 19:57:01 UTC
Created attachment 696265 [details]
3-0-serialize-cve-2013-0277.patch

Comment 7 Vít Ondruch 2013-02-12 11:28:17 UTC
Could you please create tracking bug for Fedora? Thank you.

Comment 9 Fedora Update System 2013-02-21 05:32:58 UTC
rubygem-activerecord-3.0.11-6.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Kurt Seifried 2013-04-07 02:44:18 UTC
Created rubygem-activesupport tracking bugs for this issue

Affects: fedora-all [bug 949207]

Comment 11 Kurt Seifried 2013-04-07 02:45:05 UTC
(In reply to comment #7)
> Could you please create tracking bug for Fedora? Thank you.

Apologies, next time can you mark this as needinfo? Created tracking bug #949207

Comment 13 Kurt Seifried 2013-07-26 06:20:37 UTC
Comment removed due to typo.

Comment 17 Kurt Seifried 2013-10-15 20:06:14 UTC
Acknowledgements:

Red Hat would like to thank the Ruby on Rails project for reporting this issue. The Ruby on Rails project acknowledges Tobias Kraze as the original reporter.