Bug 520843 (CVE-2009-3009) - CVE-2009-3009 ruby-activesupport: XSS vulnerability
Summary: CVE-2009-3009 ruby-activesupport: XSS vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3009
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On: 521169
Blocks:
 
Reported: 2009-09-02 15:52 UTC by Vincent Danen
Modified: 2019-09-29 12:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-07 14:48:09 UTC


Attachments
patch to fix CVE-2009-3009 in rails 2.1.x (10.12 KB, patch)
2009-09-02 15:55 UTC, Vincent Danen
patch to fix CVE-2009-3009 in rails 2.3.x (13.35 KB, patch)
2009-09-02 15:55 UTC, Vincent Danen

Description Vincent Danen 2009-09-02 15:52:14 UTC
From the upstream advisory:


There is a vulnerability in the escaping code for the form helpers in
Ruby on Rails.  Attackers who can inject deliberately malformed unicode
strings into the form helpers can defeat the escaping checks and inject
arbitrary HTML.

Versions Affected:  2.0.0 and *all* subsequent versions.
Not affected:       Applications running on ruby 1.9
Fixed Versions:     2.3.4, 2.2.3
Candidate CVE:      CVE-2009-3009

Due to the way that most databases either don't accept or actively
cleanse malformed unicode strings this vulnerability is most likely to
be exploited by non-persistent attacks however persistent attacks may
still be possible in some configurations.


This affects rubygem-rails in Fedora 10, 11, rawhide, and EPEL 5.  Upstream versions fixing the issue for 2.2.x and 2.3.x will be available Sept 3, 2009 after the vulnerability announcement is made.
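The advisory above describes escaping that can be defeated by malformed Unicode. As an added illustration (not the Rails patch from the attachments), the defensive pattern is to cleanse or reject invalid UTF-8 before the escaper walks the string, so a stray lead byte can never be paired with a following "<". The function names and sample strings are constructed for this example; it needs Ruby 2.1 or later for String#scrub.

```ruby
# Added example: escape form input only after it is known to be well-formed
# UTF-8. A lone multibyte lead byte followed by "<" must not be treated as
# one "character" that the escaper skips over.

HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

# True only if the bytes decode as valid UTF-8.
def valid_utf8?(s)
  s.to_s.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Cleanse first (invalid sequences become U+FFFD), then escape.
def strict_html_escape(s)
  s = s.to_s.dup.force_encoding(Encoding::UTF_8)
  s = s.scrub unless s.valid_encoding?
  s.gsub(/[&<>"]/) { |c| HTML_ESCAPE[c] }
end

# Failure mode to avoid: escaping a malformed string directly. On Ruby 1.9+
# the regex engine refuses broken strings with ArgumentError; a handler that
# rescued this and returned the raw string would reintroduce the bug.
def naive_escape_raises?(s)
  s.to_s.dup.force_encoding(Encoding::UTF_8).gsub(/[&<>"]/) { |c| HTML_ESCAPE[c] }
  false
rescue ArgumentError
  true
end

if __FILE__ == $0
  # Constructed samples: valid multibyte text, and a bare 0xE2 lead byte
  # immediately followed by markup.
  ["caf\u00e9 <b>", "\xE2<script>alert(1)</script>"].each do |sample|
    puts "valid=#{valid_utf8?(sample)} escaped=#{strict_html_escape(sample).inspect}"
  end
end
```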

Comment 2 Vincent Danen 2009-09-02 15:55:00 UTC
Created attachment 359553
patch to fix CVE-2009-3009 in rails 2.1.x

In the event upstream does not push a new 2.1.x release, this patch will correct the issue.

Comment 3 Vincent Danen 2009-09-02 15:55:59 UTC
Created attachment 359554
patch to fix CVE-2009-3009 in rails 2.3.x

Comment 4 Vincent Danen 2009-09-04 01:21:41 UTC
Embargo has been lifted:

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/48ab3f4a2c16190f

Comment 6 Jan Lieskovsky 2009-09-09 15:26:25 UTC
MITRE's CVE-2009-3009 record:
-----------------------------

Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before
2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject
arbitrary web script or HTML by placing malformed Unicode strings into
a form helper.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009
http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source
http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
http://www.securityfocus.com/bid/36278
http://www.osvdb.org/57666
http://securitytracker.com/id?1022824
http://secunia.com/advisories/36600
http://www.vupen.com/english/advisories/2009/2544
http://xforce.iss.net/xforce/xfdb/53036

Comment 7 Jan Lieskovsky 2009-09-09 15:28:06 UTC
This issue affects the versions of ruby-activesupport package, as shipped
with Fedora release of 10 and 11. Patch from:

http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?dmode=source

seems to be applicable.

Please fix.

Comment 8 Jan Lieskovsky 2009-09-16 10:40:11 UTC
David, any progress while scheduling the updates?

Comment 9 Mamoru TASAKA 2009-09-20 18:57:06 UTC
On rawhide: done
http://koji.fedoraproject.org/koji/taskinfo?taskID=1693160

For F-11:
Opinions welcome about whether we should upgrade rubygems to 1.3.5
or not (rubygem-rails 2.3.4 requires rubygems >= 1.3.4, current
rubygems on F-11 is 1.3.1), already mailed to rubygem-rails and
rubygems maintainers.

Comment 10 Fedora Update System 2009-09-20 20:21:42 UTC
rubygem-actionpack-2.1.1-3.fc10,rubygem-activesupport-2.1.1-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-3.fc10,rubygem-activesupport-2.1.1-2.fc10

Comment 11 Fedora Update System 2009-09-20 20:23:32 UTC
rubygem-actionpack-2.1.1-3.el5,rubygem-activesupport-2.1.1-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-3.el5,rubygem-activesupport-2.1.1-2.el5

Comment 12 Fedora Update System 2009-09-22 18:33:20 UTC
rubygem-actionpack-2.3.3-2.fc11,rubygem-activesupport-2.3.3-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/rubygem-actionpack-2.3.3-2.fc11,rubygem-activesupport-2.3.3-2.fc11

Comment 13 Mamoru TASAKA 2009-09-22 18:37:19 UTC
rawhide: comment 9
F-11:    comment 12
F-10:    comment 11
EL-5:    comment 10

Comment 14 Mamoru TASAKA 2009-09-22 18:39:34 UTC
(In reply to comment #13)
F-10:    comment 10
EL-5:    comment 11

Comment 15 Fedora Update System 2009-09-22 22:25:45 UTC
rubygem-actionpack-2.1.1-3.el5, rubygem-activesupport-2.1.1-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2009-09-24 05:06:00 UTC
rubygem-actionpack-2.1.1-3.fc10, rubygem-activesupport-2.1.1-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2009-09-25 20:06:35 UTC
rubygem-actionpack-2.3.3-2.fc11, rubygem-activesupport-2.3.3-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Mamoru TASAKA 2009-09-26 04:08:56 UTC
All branches fixed.

Comment 19 Hans Ulrich Niedermann 2009-09-26 16:05:46 UTC
Not fixed on F-11, due to a bunch of rubygem-* packages having versioned requirements on rubygem-actionpack-2.3.2. Such packages include:

  rubygem-activerecord
  rubygem-activeresource
  rubygem-rails

I am not really familiar with the Ruby and the Rails stuff, but I guess this security update should be installable in some way.

BTW, a similar issue appears with the versioned dependencies on rubygem-actionpack.

Comment 20 Fedora Update System 2009-09-26 16:37:24 UTC
rubygem-activerecord-2.3.3-2.fc11,rubygem-activeresource-2.3.3-2.fc11,rubygem-rails-2.3.3-3.fc11,rubygem-actionmailer-2.3.3-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/rubygem-activerecord-2.3.3-2.fc11,rubygem-activeresource-2.3.3-2.fc11,rubygem-rails-2.3.3-3.fc11,rubygem-actionmailer-2.3.3-3.fc11

Comment 21 Mitchell Berger 2009-10-01 08:26:58 UTC
If you push this update and everyone upgrades to Rails 2.3.3, existing
applications will break because of this piece of the default
config/environment.rb:

# Specifies gem version of Rails to use when vendor/rails is not present
RAILS_GEM_VERSION = '2.3.2' unless defined? RAILS_GEM_VERSION

The Rails version shouldn't be bumped in F11.  You're not even attempting
to go to the current version of Rails upstream.  The security patches
apply just fine to 2.3.2, and that's what should have been patched here.
The only reason 2.3.3 is being pushed now is that kanarip imported new
sources, and never pushed them out to the distro, so when a rebuild
happened for this security patch, it's causing everyone to be upgraded
to 2.3.3.  Please back out to 2.3.2 and apply the security patch there.

Comment 22 Mamoru TASAKA 2009-10-01 08:49:31 UTC
You can set the RAILS_GEM_VERSION environment variable then, so no problem.

Honestly speaking, I think if software which expects just rubygem-rails = 2.3.2
suddenly fails with 2.3.4, it is a serious bug in that software. It is highly
expected that other bugs, not specific to security issues, will be found
in rails and other bug fix releases with a minor release number bump will
be released at that time. At that time, postponing bug fixes of rails on Fedora
because some software cannot handle such a minor release bump of rails
while rails' API does not change is certainly a bug in that software
and that software must be fixed.

Also rubygem-activesupport 2.3.3 is already pushed and we cannot revert
it.

Comment 23 Mitchell Berger 2009-10-01 09:03:10 UTC
Mamoru, I believe you're misunderstanding the problem.  Yes, if
everyone with an existing application goes and sets the
RAILS_GEM_VERSION environment variable, or edits the environment.rb
file, their application will once again work unless it has a serious
bug.  That's not the point.

The point is that the restriction to 2.3.2 in environment.rb is
set up *by default* when you first run 'rails' to initialize an
application.  This means that anyone who has set up a rails app
on Fedora 11 will have their app stop working when they take this
update, until they notice that their app has broken and go make
the change.  It is irresponsible for the maintainers of a package
to push an update that pointlessly breaks most existing applications.

Fedora 12 is due out very soon now, and that would be the right
time to push a backwards-incompatible update.  You could argue that
Rails has a bug in that its default framework ties you to a hardcoded
version, and I'd agree with you - it should be possible to upgrade
the package version without breaking your application.  The software
that needs to be fixed is Rails, because it will break applications
on upgrade that should be perfectly compatible with the new version.

The only people who were able to successfully take the rubygem-activesupport
2.3.3 update were the ones who don't have rubygem-rails installed,
which is probably not many people, or the ones running packages out
of updates-testing, who expect some updates to not work.  You could
back out to 2.3.2 by bumping the epoch of the package, and I urge
you to consider doing so.  You've attempted to push a software version
change as a security update, when in fact the security patch isn't
included in the version you're updating to (so you had to manually
apply it), and it applies cleanly to the version of the software
currently in the release.

Comment 24 David Lutterkort 2009-10-02 17:36:32 UTC
I agree that we shouldn't break existing apps with an update (and I am firmly pointing my finger at upstream rails for the insanity of hardcoding version numbers to avoid any semblance of API stability)

I am revoking the push request for now, and will see about pushing a patched 2.3.2 into F-11 on Monday.

Comment 25 Mitchell Berger 2009-10-02 20:24:40 UTC
Thank you very much.  I'm presently running locally built 2.3.2 packages
with the same patch that you folks applied to 2.3.3, and it seems to
work fine.  Let me know if you'd like any assistance testing what you
come up with.

Also, I see that you added a negative comment to Bodhi, though it
still lists the status as "pending."  Is this just a bug in the Bodhi
display, or was the revocation unsuccessful?

Comment 26 Fedora Update System 2009-10-09 21:55:38 UTC
rubygem-actionmailer-2.3.2-3.fc11,rubygem-actionpack-2.3.2-2.fc11,rubygem-activerecord-2.3.2-2.fc11,rubygem-activeresource-2.3.2-2.fc11,rubygem-activesupport-2.3.2-2.fc11,rubygem-rails-2.3.2-5.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/rubygem-actionmailer-2.3.2-3.fc11,rubygem-actionpack-2.3.2-2.fc11,rubygem-activerecord-2.3.2-2.fc11,rubygem-activeresource-2.3.2-2.fc11,rubygem-activesupport-2.3.2-2.fc11,rubygem-rails-2.3.2-5.fc11

Comment 27 Fedora Update System 2009-10-14 01:55:06 UTC
rubygem-actionmailer-2.3.2-3.fc11, rubygem-actionpack-2.3.2-2.fc11, rubygem-activerecord-2.3.2-2.fc11, rubygem-activeresource-2.3.2-2.fc11, rubygem-activesupport-2.3.2-2.fc11, rubygem-rails-2.3.2-5.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Mamoru TASAKA 2009-12-07 14:48:09 UTC
I guess this one is already fixed.

