Originally, the CVE-2012-2661 identifier has been assigned to the following issue: A security flaw was found in the way rubygem-activerecord, the ActiveRecord pattern for ORM, performed SQL query generation based on the content of params hash, when nested query paramaters were provided. If a Ruby on Rails application directly passed request params to the 'where' method of an ActiveRecord class, a remote attacker could use this flaw to cause the 'params[:id]' to return a specially-crafted hash, resulting into the WHERE clause of the SQL statement to query an arbitrary table with value of attacker's choice, leading to disclosure of sensitive information. (bug 827363) Recently (2012-06-12) it has been reported: [1] https://groups.google.com/group/rubyonrails-security/browse_thread/thread/9782f44c4540cf59 that there still exists a variant of this attack, which is possible to exploit even when the upstream patch for the original CVE-2012-2661 issue has been applied. More from [1]: -- Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries. All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2661, even if you upgraded to address that issue, you must take action again. Impacted code directly passes request params to the `where` method of an ActiveRecord class like this: Post.where(:id => params[:id]).all An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value. -- Proposed upstream patches (see attachments).
Created attachment 591438 [details] Proposed upstream patch against the v2.3 branch
Created attachment 591439 [details] Proposed upstream patch against the v3.0 branch
Created attachment 591440 [details] Proposed upstream patch against the v3.1 branch
Created attachment 591441 [details] Proposed upstream patch against the v3.2 branch
This issue affects the versions of the rubygem-activerecord package, as shipped with Fedora release of 15, 16, and 17. Please schedule an update. -- This issue affects the version of the rubygem-activerecord package, as shipped with Fedora EPEL 5. Please schedule an update.
Created rubygem-activerecord tracking bugs for this issue Affects: fedora-all [bug 831582] Affects: epel-5 [bug 831583]
rubygem-activerecord-3.0.10-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-activerecord-3.0.11-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: CloudForms for RHEL 6 Via RHSA-2012:1542 https://rhn.redhat.com/errata/RHSA-2012-1542.html
This issue has been addressed in following products: Red Hat Subscription Asset Manager 1.1 Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html
This issue has been addressed in following products: RHEL 6 Version of OpenShift Enterprise Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html