Fedora Account System
Red Hat Associate
Red Hat Customer
An SQL injection flaw was found in the PostgreSQL adapter for Active Record. An attacker could possibly perform SQL injection attacks if a Ruby on Rails application performed queries against the range type. This issue affects versions 4.0.0 to 4.1.2. It is reported that versions earlier than 4.0 are not affected. Acknowledgements: Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Sean Griffin of thoughtbot as the original reporter.
Created attachment 913248 [details] 4.0 patch from upstream
Created attachment 913249 [details] 4.1 patch from upstream
This is now public: https://groups.google.com/forum/#!topic/rubyonrails-security/wDxePLJGZdI
The original fixes for 4.x introduced a regression: http://seclists.org/oss-sec/2014/q3/10
Created attachment 914349 [details] ammended 4.0 patch from upstream
Created attachment 914350 [details] amended 4.1 patch from upstream
Created rubygem-activerecord tracking bugs for this issue: Affects: fedora-20 [bug 1115777]
Upstream release announcement: http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/ Fixed in ActiveRecord 4.0.7 and 4.1.3. As noted in comment 6, the original fixes were discovered to introduce a regression, that was corrected in a new releases of 4.0.8 and 4.1.4: http://weblog.rubyonrails.org/2014/7/2/Rails_4_0_8_and_4_1_4_have_been_released/ Original fixes (4.0 and 4.1): https://github.com/rails/rails/commit/c4598b9772a2c13259938dc78e37f62db9295412 https://github.com/rails/rails/commit/27a0c137d00e774bf22050d4cfd952e9ab4362ac Additional fixes correcting regression: https://github.com/rails/rails/commit/c1156bfc43dd90e89acb8ffdd4e844f4e4e404ca https://github.com/rails/rails/commit/958be0e7cc2571b2f57ec62491dc4ded74d29424
IssueDescription: It was discovered that Active Record did not properly quote values of the range type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record.
This issue has been addressed in following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Via RHSA-2014:0877 https://rhn.redhat.com/errata/RHSA-2014-0877.html
CFME doesn't use any range fields in the database backend. But we should rebase activerecord at some point.