Bug 1114427 – CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1114427 - (CVE-2014-3483) CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting

Summary:	CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' qu...

Status:	NEW

Aliases:	CVE-2014-3483

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20140702,repor...
Keywords:	Security

Depends On:	1115335 1115336 1115777
Blocks:	1114429
	Show dependency tree / graph

Reported:	2014-06-30 00:57 EDT by Murray McAllister
Modified:	2015-01-05 11:59 EST (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	rubygem-activerecord 4.0.7, rubygem-activerecord 4.1.3.
Doc Type:	Bug Fix
Doc Text:	It was discovered that Active Record did not properly quote values of the range type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
4.0 patch from upstream (3.16 KB, patch) 2014-06-30 00:59 EDT, Murray McAllister	no flags	Details \| Diff
4.1 patch from upstream (3.29 KB, patch) 2014-06-30 01:00 EDT, Murray McAllister	no flags	Details \| Diff
ammended 4.0 patch from upstream (4.26 KB, patch) 2014-07-03 01:57 EDT, Murray McAllister	no flags	Details \| Diff
amended 4.1 patch from upstream (4.45 KB, patch) 2014-07-03 01:58 EDT, Murray McAllister	no flags	Details \| Diff
Show Obsolete (2) Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:0877	normal	SHIPPED_LIVE	Moderate: ror40-rubygem-activerecord security update	2014-07-14 16:25:31 EDT

Groups: None (edit)

Description Murray McAllister 2014-06-30 00:57:07 EDT

An SQL injection flaw was found in the PostgreSQL adapter for Active Record. An attacker could possibly perform SQL injection attacks if a Ruby on Rails application performed queries against the range type.

This issue affects versions 4.0.0 to 4.1.2. It is reported that versions earlier than 4.0 are not affected.

Acknowledgements:

Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Sean Griffin of thoughtbot as the original reporter.

Comment 2 Murray McAllister 2014-06-30 00:59:38 EDT

Created attachment 913248 [details]
4.0 patch from upstream

Comment 3 Murray McAllister 2014-06-30 01:00:10 EDT

Created attachment 913249 [details]
4.1 patch from upstream

Comment 5 Kurt Seifried 2014-07-02 13:37:19 EDT

This is now public:
https://groups.google.com/forum/#!topic/rubyonrails-security/wDxePLJGZdI

Comment 6 Murray McAllister 2014-07-03 01:54:36 EDT

The original fixes for 4.x introduced a regression:

http://seclists.org/oss-sec/2014/q3/10

Comment 7 Murray McAllister 2014-07-03 01:57:41 EDT

Created attachment 914349 [details]
ammended 4.0 patch from upstream

Comment 8 Murray McAllister 2014-07-03 01:58:27 EDT

Created attachment 914350 [details]
amended 4.1 patch from upstream

Comment 9 Murray McAllister 2014-07-03 02:09:50 EDT

Created rubygem-activerecord tracking bugs for this issue:

Affects: fedora-20 [bug 1115777]

Comment 10 Tomas Hoger 2014-07-03 03:00:15 EDT

Upstream release announcement:
http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/

Fixed in ActiveRecord 4.0.7 and 4.1.3.

As noted in comment 6, the original fixes were discovered to introduce a regression, that was corrected in a new releases of 4.0.8 and 4.1.4:
http://weblog.rubyonrails.org/2014/7/2/Rails_4_0_8_and_4_1_4_have_been_released/

Original fixes (4.0 and 4.1):
https://github.com/rails/rails/commit/c4598b9772a2c13259938dc78e37f62db9295412
https://github.com/rails/rails/commit/27a0c137d00e774bf22050d4cfd952e9ab4362ac

Additional fixes correcting regression:
https://github.com/rails/rails/commit/c1156bfc43dd90e89acb8ffdd4e844f4e4e404ca
https://github.com/rails/rails/commit/958be0e7cc2571b2f57ec62491dc4ded74d29424

Comment 11 Martin Prpič 2014-07-14 05:26:17 EDT

IssueDescription:

It was discovered that Active Record did not properly quote values of the range type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record.

Comment 12 errata-xmlrpc 2014-07-14 12:26:16 EDT

This issue has been addressed in following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7

Via RHSA-2014:0877 https://rhn.redhat.com/errata/RHSA-2014-0877.html

Comment 13 Kurt Seifried 2014-09-17 23:32:10 EDT

CFME doesn't use any range fields in the database backend. But we should rebase activerecord at some point.

Note You need to log in before you can comment on or make changes to this bug.