Bug 1114427 (CVE-2014-3483) - CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting
Summary: CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' qu...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3483
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1115335 1115336 1115777
Blocks: 1114429
TreeView+ depends on / blocked
 
Reported: 2014-06-30 04:57 UTC by Murray McAllister
Modified: 2023-05-12 04:21 UTC (History)
4 users (show)

Fixed In Version: rubygem-activerecord 4.0.7, rubygem-activerecord 4.1.3.
Doc Type: Bug Fix
Doc Text:
It was discovered that Active Record did not properly quote values of the range type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record.
Clone Of:
Environment:
Last Closed: 2021-10-20 10:45:28 UTC
Embargoed:

Attachments (Terms of Use)
4.0 patch from upstream (3.16 KB, patch)
2014-06-30 04:59 UTC, Murray McAllister 		no flags Details | Diff
4.1 patch from upstream (3.29 KB, patch)
2014-06-30 05:00 UTC, Murray McAllister 		no flags Details | Diff
ammended 4.0 patch from upstream (4.26 KB, patch)
2014-07-03 05:57 UTC, Murray McAllister 		no flags Details | Diff
amended 4.1 patch from upstream (4.45 KB, patch)
2014-07-03 05:58 UTC, Murray McAllister 		no flags Details | Diff
Show Obsolete (2) View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0877 0 normal SHIPPED_LIVE Moderate: ror40-rubygem-activerecord security update 2014-07-14 20:25:31 UTC

Description Murray McAllister 2014-06-30 04:57:07 UTC 
An SQL injection flaw was found in the PostgreSQL adapter for Active Record. An attacker could possibly perform SQL injection attacks if a Ruby on Rails application performed queries against the range type.

This issue affects versions 4.0.0 to 4.1.2. It is reported that versions earlier than 4.0 are not affected.

Acknowledgements:

Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Sean Griffin of thoughtbot as the original reporter.
Comment 2 Murray McAllister 2014-06-30 04:59:38 UTC 
Created attachment 913248 [details]
4.0 patch from upstream
Comment 3 Murray McAllister 2014-06-30 05:00:10 UTC 
Created attachment 913249 [details]
4.1 patch from upstream
Comment 5 Kurt Seifried 2014-07-02 17:37:19 UTC 
This is now public:
https://groups.google.com/forum/#!topic/rubyonrails-security/wDxePLJGZdI
Comment 6 Murray McAllister 2014-07-03 05:54:36 UTC 
The original fixes for 4.x introduced a regression:

http://seclists.org/oss-sec/2014/q3/10
Comment 7 Murray McAllister 2014-07-03 05:57:41 UTC 
Created attachment 914349 [details]
ammended 4.0 patch from upstream
Comment 8 Murray McAllister 2014-07-03 05:58:27 UTC 
Created attachment 914350 [details]
amended 4.1 patch from upstream
Comment 9 Murray McAllister 2014-07-03 06:09:50 UTC 
Created rubygem-activerecord tracking bugs for this issue:

Affects: fedora-20 [bug 1115777]
Comment 10 Tomas Hoger 2014-07-03 07:00:15 UTC 
Upstream release announcement:
http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/

Fixed in ActiveRecord 4.0.7 and 4.1.3.

As noted in comment 6, the original fixes were discovered to introduce a regression, that was corrected in a new releases of 4.0.8 and 4.1.4:
http://weblog.rubyonrails.org/2014/7/2/Rails_4_0_8_and_4_1_4_have_been_released/

Original fixes (4.0 and 4.1):
https://github.com/rails/rails/commit/c4598b9772a2c13259938dc78e37f62db9295412
https://github.com/rails/rails/commit/27a0c137d00e774bf22050d4cfd952e9ab4362ac

Additional fixes correcting regression:
https://github.com/rails/rails/commit/c1156bfc43dd90e89acb8ffdd4e844f4e4e404ca
https://github.com/rails/rails/commit/958be0e7cc2571b2f57ec62491dc4ded74d29424
Comment 11 Martin Prpič 2014-07-14 09:26:17 UTC 
IssueDescription:

It was discovered that Active Record did not properly quote values of the range type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record.
Comment 12 errata-xmlrpc 2014-07-14 16:26:16 UTC 
This issue has been addressed in following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7

Via RHSA-2014:0877 https://rhn.redhat.com/errata/RHSA-2014-0877.html
Comment 13 Kurt Seifried 2014-09-18 03:32:10 UTC 
CFME doesn't use any range fields in the database backend. But we should rebase activerecord at some point.
Note You need to log in before you can comment on or make changes to this bug.