An SQL injection flaw was found in the PostgreSQL adapter for Active Record. An attacker could possibly perform SQL injection attacks if a Ruby on Rails application performed queries against the bitstring type. This issue affects versions 2.0.0-3.2.18 and newer. It is reported that versions 4.0 and newer are not affected.
Acknowledgements: Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Sean Griffin of thoughtbot as the original reporter.
Created attachment 913247
patch from upstream
This is now public: https://groups.google.com/forum/#!topic/rubyonrails-security/wDxePLJGZdI
Statement: This issue does not affect CloudForms 5 as it does not use the "bitstring" data type anywhere in the product.
Created rubygem-activerecord tracking bugs for this issue:
Affects: fedora-19 [bug 1115775]
Affects: epel-5 [bug 1115776]
Upstream release announcement: http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/
Upstream 3.2.x commit: https://github.com/rails/rails/commit/1f2192e46d78ee0ba2b06373f2c24caf8440ff5b
Fixed in ActiveRecord 3.2.19. 4.x versions were not affected according to upstream.
IssueDescription: It was discovered that Active Record did not properly quote values of the bitstring type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record.
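An added example, not code from Active Record or from this bug report: a quoting check for PostgreSQL bit-string literals in a weak form beside a strict one. That Ruby's line anchors (`^`/`$`) are the weakness is an assumption made for illustration, since the report does not state the mechanism; the method names and sample values are constructed.

```ruby
# Added illustration: validating and quoting PostgreSQL bit-string literals.
# Method names are hypothetical; this is not the Active Record source.

# Weak check (assumed failure mode): in Ruby, ^ and $ match at every line
# boundary, so a value needs only ONE line made of bits to pass, and the
# whole value, including the other lines, is copied into the literal unescaped.
def quote_bitstring_weak(value)
  case value
  when /^[01]*$/      then "B'#{value}'" # bit-string notation
  when /^[0-9A-F]*$/i then "X'#{value}'" # hexadecimal notation
  end
end

# Strict check: \A and \z anchor to the whole string, so any character
# outside the bit/hex alphabet (newline and quote included) is rejected.
def quote_bitstring_strict(value)
  str = value.to_s
  case str
  when /\A[01]*\z/      then "B'#{str}'"
  when /\A[0-9A-F]*\z/i then "X'#{str}'"
  else raise ArgumentError, "not a bit-string value: #{str.inspect}"
  end
end

# Constructed sample inputs: two valid values, three that must be refused.
SAMPLES = ["1010", "DEADBEEF", "1010\nnot bits'", "10 10", "1010\n"].freeze

# Returns [input, weak_result, strict_result] for each sample.
def audit(samples)
  samples.map do |s|
    strict = begin
      quote_bitstring_strict(s)
    rescue ArgumentError
      :rejected
    end
    [s, quote_bitstring_weak(s), strict]
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLES).each do |input, weak, strict|
    puts "#{input.inspect}: weak=#{weak.inspect} strict=#{strict.inspect}"
  end
end
```

The third and fifth samples pass the weak check because their first line is all bits, while the strict check refuses them outright.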
This issue has been addressed in the following products:
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Via RHSA-2014:0876 https://rhn.redhat.com/errata/RHSA-2014-0876.html
CFME doesn't use any bitstring fields in the database backend. But we should rebase activerecord at some point.
SAM-1 doesn't use any bitstring fields in the database backend. But we should rebase activerecord at some point.