Bug 1310043 - (CVE-2016-2097) CVE-2016-2097 rubygem-actionview, rubygem-actionpack: directory traversal in Action View, incomplete CVE-2016-0752 fix
CVE-2016-2097 rubygem-actionview, rubygem-actionpack: directory traversal in ...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20160229,repo...
: Security
Depends On: 1310233 1310234 1310235 1310236 1313385 1313386 1315704 1315705
Blocks: 1310055
  Show dependency treegraph
 
Reported: 2016-02-19 05:20 EST by Adam Mariš
Modified: 2016-04-11 09:04 EDT (History)
31 users (show)

See Also:
Fixed In Version: rubygem-actionpack 3.2.22.2, rubygem-actionview 4.1.14.2
Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to render unexpected files and, possibly, execute arbitrary code.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-15 17:20:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Upstream patch (14.58 KB, patch)
2016-02-19 05:22 EST, Adam Mariš
no flags Details | Diff
Upstream patch for 3.2 (15.27 KB, patch)
2016-03-01 09:09 EST, Adam Mariš
no flags Details | Diff
Upstream patch for 4.1 (9.22 KB, patch)
2016-03-01 09:11 EST, Adam Mariš
no flags Details | Diff

  None (edit)
Description Adam Mariš 2016-02-19 05:20:52 EST
A possible directory traversal and information leak vulnerability in Action View was found. This issue was meant to be fixed in patch for CVE-2016-0752. However the 3.2 patch was not covering all the scenarios.

Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.

A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method.

Versions Affected:  3.2.x, 4.0.x
Not affected:       4.1+
Fixed Versions:     3.2.22.2
Comment 1 Adam Mariš 2016-02-19 05:22 EST
Created attachment 1128503 [details]
Upstream patch
Comment 2 Adam Mariš 2016-02-19 05:42:21 EST
Acknowledgments:

Name: the Ruby on Rails project
Upstream: Jyoti Singh, Tobias Kraze (makandra)
Comment 3 Tomas Hoger 2016-02-19 15:07:07 EST
The original issue CVE-2016-0752 is tracked via bug 1301963.
Comment 6 Adam Mariš 2016-03-01 09:07:44 EST
Affected version have been changed from previous advisory. Current versions are following:

Versions Affected:  3.2.x, 4.0.x, 4.1.x
Not affected:       4.2+
Fixed Versions:     3.2.22.2, 4.1.14.2
Comment 7 Adam Mariš 2016-03-01 09:09 EST
Created attachment 1131946 [details]
Upstream patch for 3.2
Comment 8 Adam Mariš 2016-03-01 09:11 EST
Created attachment 1131947 [details]
Upstream patch for 4.1
Comment 11 Adam Mariš 2016-03-01 09:14:48 EST
Created rubygem-actionview tracking bugs for this issue:

Affects: fedora-all [bug 1313386]
Comment 17 errata-xmlrpc 2016-03-15 16:59:06 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:0456 https://rhn.redhat.com/errata/RHSA-2016-0456.html
Comment 18 errata-xmlrpc 2016-03-15 17:01:52 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2016:0455 https://rhn.redhat.com/errata/RHSA-2016-0455.html
Comment 19 errata-xmlrpc 2016-03-15 17:04:56 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2016:0454 https://rhn.redhat.com/errata/RHSA-2016-0454.html

Note You need to log in before you can comment on or make changes to this bug.