The Ruby on Rails project reports:

Multiple vulnerabilities in parameter parsing in ActionPack

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which could allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.

Versions Affected: ALL versions
Not affected: NONE
Fixed Versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15

Impact
------
The XML parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including. This unsuitable conversion can be used by an attacker to compromise a rails application.

Due to the serious nature of this vulnerability, and the fact it has been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds *immediately*.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
The workarounds differ depending on the rails version you are using. They involve disabling the YAML and Symbol type conversion in the Rails XML parser. You should place one of the following code snippets in an application initializer to ensure your application isn't vulnerable.

Rails 3.2, 3.1, 3.0
---------
  ActiveSupport::XmlMini::PARSING.delete("symbol")
  ActiveSupport::XmlMini::PARSING.delete("yaml")

Rails 2.3
---------
  ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
  ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
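To make the workaround above concrete, here is an added example (not code from the Rails project or from this bug report) that models how a type-casting dispatch table for XML parameter values works and what deleting the "symbol" and "yaml" entries changes. The PARSING hash, the typecast helper and the sample values are constructed stand-ins for ActiveSupport::XmlMini::PARSING and the real parser; they are simplified and are not the framework's own implementation. The point it demonstrates is that a converter table turns a client-controlled type attribute into a choice of conversion routine, and that removing an entry makes the value fall through as a plain String, which is what the advisory's initializer snippet achieves.

```ruby
# Added example: simplified model of an XML parameter type-cast table and
# the effect of the advisory's workaround. NOT ActiveSupport's code.
require "yaml"

# Constructed stand-in for ActiveSupport::XmlMini::PARSING: maps the value
# of a client-supplied type="..." attribute to a converter. The real table
# has more entries (date, datetime, base64, ...); they are omitted here.
PARSING = {
  "integer" => ->(v) { Integer(v) },
  "boolean" => ->(v) { %w[1 true].include?(v.strip) },
  "string"  => ->(v) { v },
  # The two entries the advisory says to delete. Both turn an arbitrary
  # client string into something other than a String: a Symbol (never
  # garbage collected on older Rubies) or whatever the YAML loader builds.
  "symbol"  => ->(v) { v.to_sym },
  "yaml"    => ->(v) { YAML.load(v) },
}

# Convert one XML leaf value according to its declared type attribute.
# A type with no converter (unknown, or removed by the workaround) falls
# through and the raw String is kept, which is the safe default.
def typecast(value, type, table = PARSING)
  conv = table[type]
  conv ? conv.call(value) : value
end

# The advisory's workaround applied to a copy of the table.
def harden(table)
  table.dup.tap do |t|
    t.delete("symbol")
    t.delete("yaml")
  end
end

# True when neither dangerous converter is still registered.
def hardened?(table)
  !(table.key?("symbol") || table.key?("yaml"))
end

# Constructed sample leaf values as a parser would see them: the type is
# chosen by the client, not by the application.
SAMPLES = [
  { "type" => "symbol",  "value" => "role" },
  { "type" => "yaml",    "value" => "--- 7\n" },
  { "type" => "integer", "value" => "42" },
]

# Returns, per sample, the Ruby class produced before and after hardening.
def before_and_after(table = PARSING)
  safe = harden(table)
  SAMPLES.map do |s|
    [s["type"],
     typecast(s["value"], s["type"], table).class,
     typecast(s["value"], s["type"], safe).class]
  end
end

if __FILE__ == $0
  before_and_after.each { |type, before, after| puts "#{type}: #{before} -> #{after}" }
  puts "hardened: #{hardened?(harden(PARSING))}"
end
```

The same check works against a live application: after loading the initializer, confirm that the real table no longer contains the "symbol" or "yaml" keys (for Rails 3.x, ActiveSupport::XmlMini::PARSING.keys), rather than trusting that the snippet was picked up. Legitimate conversions such as integer and boolean are unaffected by the workaround.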
Created attachment 674509 [details] actionpack-CVE-2012-0156-2-3-xml_parsing.patch
Created attachment 674510 [details] actionpack-CVE-2012-0156-3-0-xml_parsing.patch
Created attachment 674511 [details] actionpack-CVE-2012-0156-3-1-xml_parsing.patch
Created attachment 674512 [details] actionpack-CVE-2012-0156-3-2-xml_parsing.patch
*** Bug 893188 has been marked as a duplicate of this bug. ***
Created attachment 675064 [details] actionpack-CVE-2012-0155-3-0-null_array_param.patch
Created attachment 675066 [details] actionpack-CVE-2012-0155-3-1-null_array_param.patch
Created attachment 675067 [details] actionpack-CVE-2012-0155-3-2-null_array_param.patch
Created attachment 675068 [details] actionpack-CVE-2012-0156-2-3-xml_parsing.patch
Created attachment 675069 [details] actionpack-CVE-2012-0156-2-3-xml_parsing.patch
Created attachment 675070 [details] actionpack-CVE-2012-0156-3-0-null_array_param.patch
Created attachment 675071 [details] actionpack-CVE-2012-0156-3-1-null_array_param.patch
Created attachment 675072 [details] actionpack-CVE-2012-0156-3-2-null_array_param.patch
Created attachment 675077 [details] actionpack-CVE-2013-0156-2-3-xml_parsing.patch
Created attachment 675078 [details] actionpack-CVE-2013-0156-3-0-null_array_param.patch
Created attachment 675079 [details] actionpack-CVE-2013-0156-3-1-null_array_param.patch
Created attachment 675080 [details] actionpack-CVE-2013-0156-3-2-null_array_param.patch
Presumably the patches should be named CVE-2013-0156, not CVE-2012-0156.
*** Bug 893189 has been marked as a duplicate of this bug. ***
The upstream report: https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
Created rubygem-actionpack tracking bugs for this issue
Affects: epel-5 [bug 847202]
Affects: fedora-all [bug 893281]
A write up of this issue is available at (external link): http://www.insinuator.net/2013/01/rails-yaml/
Upgrading severity to critical based on an assessment of the issue.
Statement: For details of affected products and workarounds see https://access.redhat.com/knowledge/node/290903
This issue has been addressed in the following products:
Red Hat Subscription Asset Manager 1.1
Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html
This issue has been addressed in the following products:
RHEL 6 Version of OpenShift Enterprise
Via RHSA-2013:0153 https://rhn.redhat.com/errata/RHSA-2013-0153.html
This issue has been addressed in the following products:
CloudForms for RHEL 6
Via RHSA-2013:0155 https://rhn.redhat.com/errata/RHSA-2013-0155.html
rubygem-actionpack-3.2.8-2.fc18, rubygem-activerecord-3.2.8-3.fc18, rubygem-activesupport-3.2.8-2.fc18 have been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-3.0.10-10.fc16, rubygem-activerecord-3.0.10-5.fc16, rubygem-activesupport-3.0.10-5.fc16, rubygem-activemodel-3.0.10-2.fc16 have been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-3.0.11-8.fc17, rubygem-activerecord-3.0.11-5.fc17, rubygem-activemodel-3.0.11-2.fc17, rubygem-activesupport-3.0.11-7.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.