Bug 892870 - (CVE-2013-0156) CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Red Hat Product Security
Whiteboard: impact=critical,public=20130108,repor...
Keywords: Security
Duplicates: 893188 893189
Depends On: 847202 892873 892874 892875 892877 893281 893665 946303 946331
Blocks: 892872

Reported: 2013-01-08 00:57 EST by Kurt Seifried
Modified: 2013-04-04 00:16 EDT
Doc Type: Bug Fix
Last Closed: 2013-01-16 03:37:09 EST

Attachments (all uploaded by Kurt Seifried)
actionpack-CVE-2012-0156-2-3-xml_parsing.patch (6.36 KB, patch), 2013-01-08 01:03 EST
actionpack-CVE-2012-0156-3-0-xml_parsing.patch (5.76 KB, patch), 2013-01-08 01:03 EST
actionpack-CVE-2012-0156-3-1-xml_parsing.patch (6.30 KB, patch), 2013-01-08 01:03 EST
actionpack-CVE-2012-0156-3-2-xml_parsing.patch (6.35 KB, patch), 2013-01-08 01:04 EST
actionpack-CVE-2012-0155-3-0-null_array_param.patch (7.67 KB, patch), 2013-01-08 16:14 EST
actionpack-CVE-2012-0155-3-1-null_array_param.patch (7.56 KB, patch), 2013-01-08 16:14 EST
actionpack-CVE-2012-0155-3-2-null_array_param.patch (7.53 KB, patch), 2013-01-08 16:15 EST
actionpack-CVE-2012-0156-2-3-xml_parsing.patch (27 bytes, patch), 2013-01-08 16:16 EST
actionpack-CVE-2012-0156-2-3-xml_parsing.patch (8.84 KB, patch), 2013-01-08 16:19 EST
actionpack-CVE-2012-0156-3-0-null_array_param.patch (7.96 KB, patch), 2013-01-08 16:19 EST
actionpack-CVE-2012-0156-3-1-null_array_param.patch (8.18 KB, patch), 2013-01-08 16:20 EST
actionpack-CVE-2012-0156-3-2-null_array_param.patch (8.24 KB, patch), 2013-01-08 16:20 EST
actionpack-CVE-2013-0156-2-3-xml_parsing.patch (8.84 KB, patch), 2013-01-08 16:28 EST
actionpack-CVE-2013-0156-3-0-null_array_param.patch (7.96 KB, patch), 2013-01-08 16:28 EST
actionpack-CVE-2013-0156-3-1-null_array_param.patch (8.18 KB, patch), 2013-01-08 16:29 EST
actionpack-CVE-2013-0156-3-2-null_array_param.patch (8.24 KB, patch), 2013-01-08 16:29 EST

Description Kurt Seifried 2013-01-08 00:57:29 EST
The Ruby on Rails project reports:

Multiple vulnerabilities in parameter parsing in ActionPack

There are multiple weaknesses in the parameter parsing code for Ruby on Rails 
which could allow attackers to bypass authentication systems, inject arbitrary
SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails 
application. This vulnerability has been assigned the CVE identifier 
CVE-2013-0156.

Versions Affected:  ALL versions
Not affected:       NONE
Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15

Impact
------
The XML parameter parsing code of Ruby on Rails allows applications to 
automatically cast values from strings to certain data types.  
Unfortunately the type casting code supported certain conversions which were 
not suitable for performing on user-provided data.  This unsuitable 
conversion can be used by an attacker to compromise a Rails application.

Due to the serious nature of this vulnerability, and the fact it has been 
disclosed publicly, all users running an affected release should either 
upgrade or use one of the workarounds *immediately*.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
The workarounds differ depending on the Rails version you are using.  They 
involve disabling the YAML and Symbol type conversion in the Rails XML 
parser.  You should place one of the following code snippets in an 
application initializer to ensure your application isn't vulnerable.

Rails 3.2, 3.1, 3.0
---------

ActiveSupport::XmlMini::PARSING.delete("symbol")
ActiveSupport::XmlMini::PARSING.delete("yaml")

Rails 2.3
---------

ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
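To show what the two initializer lines above actually change, here is an added example that is not code from the advisory or from Rails. It is a self-contained Ruby model of typed XML parameter parsing: a simplified PARSING table stands in for ActiveSupport::XmlMini::PARSING (its entries are assumed for illustration, not the real table), the workaround is applied to a copy of it, and a boot-time check confirms the two converters are gone. REXML and Psych from the standard library replace the Rails parser; the XML body is constructed sample input.

```ruby
require "rexml/document"
require "yaml"

# Simplified model (assumed, not the real ActiveSupport table): the "type"
# attribute on an XML element selects a converter for that element's text.
PARSING = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "symbol"  => ->(s) { s.to_sym },        # removed by the workaround
  "yaml"    => ->(s) { YAML.load(s) },    # removed by the workaround
}

# The advisory's initializer snippet, applied to the table passed in.
def apply_workaround!(parsing)
  parsing.delete("symbol")
  parsing.delete("yaml")
  parsing
end

# Check an application can run at boot: are the risky converters gone?
def workaround_in_effect?(parsing)
  !parsing.key?("symbol") && !parsing.key?("yaml")
end

# Parse a flat XML params body the way a typed parser does: each child
# element becomes a key; a known "type" picks the converter, otherwise
# the raw text is kept as a plain string.
def parse_params(xml, parsing)
  doc = REXML::Document.new(xml)
  doc.root.elements.to_a.each_with_object({}) do |el, params|
    converter = parsing[el.attributes["type"]]
    text = el.text.to_s
    params[el.name] = converter ? converter.call(text) : text
  end
end

# Constructed sample request body (not taken from the page).
SAMPLE = <<~XML
<user>
  <name>alice</name>
  <age type="integer">30</age>
  <role type="symbol">admin</role>
  <prefs type="yaml">theme: dark</prefs>
</user>
XML

if $PROGRAM_NAME == __FILE__
  p parse_params(SAMPLE, PARSING.dup)        # role => :admin, prefs => a Hash
  hardened = apply_workaround!(PARSING.dup)
  p workaround_in_effect?(hardened)          # true
  p parse_params(SAMPLE, hardened)           # role and prefs stay Strings
end
```

With the converters deleted, a "yaml" or "symbol" type attribute no longer selects any conversion, so the element text reaches the application as an ordinary string; a check like workaround_in_effect? belongs in the initializer so that a gem upgrade which re-registers the converters is noticed at startup rather than in production.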
Comment 1 Kurt Seifried 2013-01-08 01:03:08 EST
Created attachment 674509 [details]
actionpack-CVE-2012-0156-2-3-xml_parsing.patch
Comment 2 Kurt Seifried 2013-01-08 01:03:26 EST
Created attachment 674510 [details]
actionpack-CVE-2012-0156-3-0-xml_parsing.patch
Comment 3 Kurt Seifried 2013-01-08 01:03:47 EST
Created attachment 674511 [details]
actionpack-CVE-2012-0156-3-1-xml_parsing.patch
Comment 4 Kurt Seifried 2013-01-08 01:04:05 EST
Created attachment 674512 [details]
actionpack-CVE-2012-0156-3-2-xml_parsing.patch
Comment 9 Kurt Seifried 2013-01-08 15:59:50 EST
*** Bug 893188 has been marked as a duplicate of this bug. ***
Comment 10 Kurt Seifried 2013-01-08 16:14:15 EST
Created attachment 675064 [details]
actionpack-CVE-2012-0155-3-0-null_array_param.patch
Comment 11 Kurt Seifried 2013-01-08 16:14:46 EST
Created attachment 675066 [details]
actionpack-CVE-2012-0155-3-1-null_array_param.patch
Comment 12 Kurt Seifried 2013-01-08 16:15:33 EST
Created attachment 675067 [details]
actionpack-CVE-2012-0155-3-2-null_array_param.patch
Comment 13 Kurt Seifried 2013-01-08 16:16:41 EST
Created attachment 675068 [details]
actionpack-CVE-2012-0156-2-3-xml_parsing.patch
Comment 14 Kurt Seifried 2013-01-08 16:19:37 EST
Created attachment 675069 [details]
actionpack-CVE-2012-0156-2-3-xml_parsing.patch
Comment 15 Kurt Seifried 2013-01-08 16:19:57 EST
Created attachment 675070 [details]
actionpack-CVE-2012-0156-3-0-null_array_param.patch
Comment 16 Kurt Seifried 2013-01-08 16:20:19 EST
Created attachment 675071 [details]
actionpack-CVE-2012-0156-3-1-null_array_param.patch
Comment 17 Kurt Seifried 2013-01-08 16:20:41 EST
Created attachment 675072 [details]
actionpack-CVE-2012-0156-3-2-null_array_param.patch
Comment 18 Kurt Seifried 2013-01-08 16:28:22 EST
Created attachment 675077 [details]
actionpack-CVE-2013-0156-2-3-xml_parsing.patch
Comment 19 Kurt Seifried 2013-01-08 16:28:53 EST
Created attachment 675078 [details]
actionpack-CVE-2013-0156-3-0-null_array_param.patch
Comment 20 Kurt Seifried 2013-01-08 16:29:14 EST
Created attachment 675079 [details]
actionpack-CVE-2013-0156-3-1-null_array_param.patch
Comment 21 Kurt Seifried 2013-01-08 16:29:35 EST
Created attachment 675080 [details]
actionpack-CVE-2013-0156-3-2-null_array_param.patch
Comment 22 Anders Kaseorg 2013-01-08 16:38:01 EST
Presumably the patches should be named CVE-2013-0156, not CVE-2012-0156.
Comment 23 Vincent Danen 2013-01-08 20:27:56 EST
*** Bug 893189 has been marked as a duplicate of this bug. ***
Comment 24 Vincent Danen 2013-01-08 20:30:10 EST
The upstream report:

https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
Comment 25 Vincent Danen 2013-01-08 21:27:17 EST
Created rubygem-actionpack tracking bugs for this issue

Affects: epel-5 [bug 847202]
Affects: fedora-all [bug 893281]
Comment 26 Kurt Seifried 2013-01-08 23:26:58 EST
A write up of this issue is available at (external link): http://www.insinuator.net/2013/01/rails-yaml/
Comment 27 Mark J. Cox (Product Security) 2013-01-09 06:13:14 EST
upgrading severity to critical based on an assessment of the issue.
Comment 29 Mark J. Cox (Product Security) 2013-01-09 08:28:57 EST
Statement:

For details of affected products and workarounds see https://access.redhat.com/knowledge/node/290903
Comment 35 errata-xmlrpc 2013-01-10 15:42:51 EST
This issue has been addressed in following products:

  Red Hat Subscription Asset Manager 1.1

Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html
Comment 36 errata-xmlrpc 2013-01-10 15:43:28 EST
This issue has been addressed in following products:

  RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0153 https://rhn.redhat.com/errata/RHSA-2013-0153.html
Comment 37 errata-xmlrpc 2013-01-10 17:41:41 EST
This issue has been addressed in following products:

  CloudForms for RHEL 6

Via RHSA-2013:0155 https://rhn.redhat.com/errata/RHSA-2013-0155.html
Comment 38 Fedora Update System 2013-01-19 22:40:32 EST
rubygem-actionpack-3.2.8-2.fc18, rubygem-activerecord-3.2.8-3.fc18, rubygem-activesupport-3.2.8-2.fc18 have been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 39 Fedora Update System 2013-01-22 20:33:33 EST
rubygem-actionpack-3.0.10-10.fc16, rubygem-activerecord-3.0.10-5.fc16, rubygem-activesupport-3.0.10-5.fc16, rubygem-activemodel-3.0.10-2.fc16 have been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 40 Fedora Update System 2013-01-22 20:53:21 EST
rubygem-actionpack-3.0.11-8.fc17, rubygem-activerecord-3.0.11-5.fc17, rubygem-activemodel-3.0.11-2.fc17, rubygem-activesupport-3.0.11-7.fc17 have been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.