Bug 1310043 (CVE-2016-2097) - CVE-2016-2097 rubygem-actionview, rubygem-actionpack: directory traversal in Action View, incomplete CVE-2016-0752 fix
Summary: CVE-2016-2097 rubygem-actionview, rubygem-actionpack: directory traversal in ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2097
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1310233 1310234 1310235 1310236 1313385 1313386 1315704 1315705
Blocks: 1310055
TreeView+ depends on / blocked
 
Reported: 2016-02-19 10:20 UTC by Adam Mariš
Modified: 2021-02-17 04:20 UTC (History)
31 users (show)

Fixed In Version: rubygem-actionpack 3.2.22.2, rubygem-actionview 4.1.14.2
Clone Of:
Environment:
Last Closed: 2016-03-15 21:20:21 UTC
Embargoed:

Attachments (Terms of Use)
Upstream patch (14.58 KB, patch)
2016-02-19 10:22 UTC, Adam Mariš 		no flags Details | Diff
Upstream patch for 3.2 (15.27 KB, patch)
2016-03-01 14:09 UTC, Adam Mariš 		no flags Details | Diff
Upstream patch for 4.1 (9.22 KB, patch)
2016-03-01 14:11 UTC, Adam Mariš 		no flags Details | Diff
Show Obsolete (1) View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0454 0 normal SHIPPED_LIVE Important: ror40 security update 2016-03-16 00:56:17 UTC
Red Hat Product Errata RHSA-2016:0455 0 normal SHIPPED_LIVE Important: ruby193 security update 2016-03-16 00:55:59 UTC
Red Hat Product Errata RHSA-2016:0456 0 normal SHIPPED_LIVE Important: rh-ror41 security update 2016-03-16 00:55:45 UTC

Description Adam Mariš 2016-02-19 10:20:52 UTC 
A possible directory traversal and information leak vulnerability in Action View was found. This issue was meant to be fixed in patch for CVE-2016-0752. However the 3.2 patch was not covering all the scenarios.

Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.

A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method.

Versions Affected:  3.2.x, 4.0.x
Not affected:       4.1+
Fixed Versions:     3.2.22.2
Comment 1 Adam Mariš 2016-02-19 10:22:20 UTC 
Created attachment 1128503 [details]
Upstream patch
Comment 2 Adam Mariš 2016-02-19 10:42:21 UTC 
Acknowledgments:

Name: the Ruby on Rails project
Upstream: Jyoti Singh, Tobias Kraze (makandra)
Comment 3 Tomas Hoger 2016-02-19 20:07:07 UTC 
The original issue CVE-2016-0752 is tracked via bug 1301963.
Comment 6 Adam Mariš 2016-03-01 14:07:44 UTC 
Affected version have been changed from previous advisory. Current versions are following:

Versions Affected:  3.2.x, 4.0.x, 4.1.x
Not affected:       4.2+
Fixed Versions:     3.2.22.2, 4.1.14.2
Comment 7 Adam Mariš 2016-03-01 14:09:01 UTC 
Created attachment 1131946 [details]
Upstream patch for 3.2
Comment 8 Adam Mariš 2016-03-01 14:11:11 UTC 
Created attachment 1131947 [details]
Upstream patch for 4.1
Comment 9 Adam Mariš 2016-03-01 14:11:52 UTC 
External Reference:

https://groups.google.com/forum/#!msg/rubyonrails-security/ddY6HgqB2z4/we0RasMZIAAJ
Comment 11 Adam Mariš 2016-03-01 14:14:48 UTC 
Created rubygem-actionview tracking bugs for this issue:

Affects: fedora-all [bug 1313386]
Comment 12 Tomas Hoger 2016-03-08 12:30:00 UTC 
Upstream commits:

3.2 https://github.com/rails/rails/commit/af9b9132f82d1f468836997c716a02f14e61c38c
4.1 https://github.com/rails/rails/commit/8a1d3ea617ffb0c8ae8467fa439bf63a3bfc4324
Comment 17 errata-xmlrpc 2016-03-15 20:59:06 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:0456 https://rhn.redhat.com/errata/RHSA-2016-0456.html
Comment 18 errata-xmlrpc 2016-03-15 21:01:52 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2016:0455 https://rhn.redhat.com/errata/RHSA-2016-0455.html
Comment 19 errata-xmlrpc 2016-03-15 21:04:56 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2016:0454 https://rhn.redhat.com/errata/RHSA-2016-0454.html
Note You need to log in before you can comment on or make changes to this bug.