Aaron Patterson of the Ruby on Rails project reports:

Data Injection Vulnerability in Active Record

There is a data injection vulnerability in Active Record. Specially crafted strings can be used to save data in PostgreSQL array columns that may not be intended.

Versions Affected: 4.0.x, 4.1.0.beta1
Not affected: 3.2.x and older
Fixed Versions: 4.0.3, 4.1.0.beta2

Impact
------

Specially crafted strings may be used to save data to array columns in PostgreSQL databases. This vulnerability cannot be used to delete data or execute arbitrary SQL statements, but *can* be used to add data that could have an impact on the application (such as setting an admin flag). Only array type columns in PostgreSQL are impacted.

All users running an affected release should either upgrade or use one of the workarounds immediately.
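An added example, not code from Rails or from the fix commits: a PostgreSQL array literal encoder that quotes every string element, shown beside a naive join, plus a small parser so the element boundaries of the resulting literal can be checked. It assumes the injection class described above is element strings carrying array-literal metacharacters (comma, double quote, braces, backslash) reaching the literal without quoting.

```ruby
# Added example; not Rails code. Quote every string element of a PostgreSQL
# array literal (the naive join is shown for contrast) and parse literals
# back so element boundaries can be verified.

def naive_pg_array_literal(values)   # weak form: no quoting at all
  "{#{values.map { |v| v.nil? ? 'NULL' : v.to_s }.join(',')}}"
end

def pg_array_element(value)
  case value
  when nil            then "NULL"      # bare NULL is SQL NULL
  when Integer, Float then value.to_s
  else                                 # escape \ then ", wrap in quotes
    s = value.to_s.gsub("\\") { "\\\\" }.gsub('"') { '\\"' }
    "\"#{s}\""
  end
end

def pg_array_literal(values)
  "{#{values.map { |v| pg_array_element(v) }.join(',')}}"
end

# Parse a one-dimensional literal into strings and nils (typing is the column's job).
def parse_pg_array(literal)
  unless literal.start_with?("{") && literal.end_with?("}")
    raise ArgumentError, "not a one-dimensional array literal: #{literal.inspect}"
  end
  body = literal[1..-2]
  return [] if body.empty?
  out, buf, in_quotes, was_quoted, i = [], +"", false, false, 0
  while i < body.length
    c = body[i]
    if in_quotes
      case c
      when "\\" then i += 1; buf << body[i].to_s  # escaped char inside quotes
      when '"'  then in_quotes = false
      else buf << c
      end
    elsif c == '"'
      in_quotes = was_quoted = true
    elsif c == ","
      out << (!was_quoted && buf == "NULL" ? nil : buf)
      buf, was_quoted = +"", false
    else
      buf << c
    end
    i += 1
  end
  out << (!was_quoted && buf == "NULL" ? nil : buf)
end
```

With the naive encoder a single element containing a comma parses back as two elements; with unconditional quoting it stays one.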
Created attachment 863434: 4-0-array_injection.patch
Created attachment 863435: 4-1-beta-array_injection.patch
Acknowledgement: Red Hat would like to thank the Ruby on Rails Project for reporting this issue. Upstream acknowledges Godfrey Chan as the original reporter.
Statement: Not vulnerable. This issue did not affect the versions of rubygem-activerecord as shipped with CloudForms, OpenShift Enterprise 1 and 2, Red Hat Enterprise Linux OpenStack Platform 3 and 4, Red Hat Software Collections 1 and Subscription Asset Manager as they did not include the vulnerable code.
Created rubygem-activerecord tracking bugs for this issue: Affects: fedora-20 [bug 1066671]
Fixed upstream in 4.0.3 and 4.1.0.beta2:
http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/
https://groups.google.com/forum/#!topic/ruby-security-ann/S8FleL3IXPs

Upstream commits (4.0 and master):
https://github.com/rails/rails/commit/3eaea655a506ed035fab3d143aa918958cf52405
https://github.com/rails/rails/commit/6256b1de9a2d968b0d123ad6a09b33de01019ae6
rubygem-activerecord-4.0.0-2.fc20 and rubygem-actionpack-4.0.0-3.fc20 have been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.