An SQL injection flaw was found in the PostgreSQL adapter for Active Record. An attacker could possibly perform SQL injection attacks if a Ruby on Rails application performed queries against the range type.
This issue affects versions 4.0.0 to 4.1.2. It is reported that versions earlier than 4.0 are not affected.
Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Sean Griffin of thoughtbot as the original reporter.
Created attachment 913248
4.0 patch from upstream
Created attachment 913249
4.1 patch from upstream
This is now public:
The original fixes for 4.x introduced a regression:
Created attachment 914349
amended 4.0 patch from upstream
Created attachment 914350
amended 4.1 patch from upstream
Created rubygem-activerecord tracking bugs for this issue:
Affects: fedora-20 [bug 1115777]
Upstream release announcement:
Fixed in ActiveRecord 4.0.7 and 4.1.3.
As noted in comment 6, the original fixes were discovered to introduce a regression, which was corrected in the new releases 4.0.8 and 4.1.4:
Original fixes (4.0 and 4.1):
Additional fixes correcting regression:
It was discovered that Active Record did not properly quote values of the range type attributes when using the PostgreSQL database adapter. A remote attacker could possibly use this flaw to conduct an SQL injection attack against applications using Active Record.
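The following is an added illustration of the quoting problem described above; it is not Active Record's code and not the upstream patch. The helper names (quote_string, range_to_string, quote_range_unsafe, quote_range_safe) and the sample ranges are assumptions constructed for this example. It renders a Ruby Range as a PostgreSQL range literal the way an adapter might, first by interpolating the rendered text straight into the '...' literal, then by passing it through single-quote doubling first, and checks whether the resulting fragment is still one well-formed literal.

```ruby
# Constructed example (not Active Record's own code): rendering a Ruby Range
# as a PostgreSQL range literal with and without string quoting.

# Stand-in for an adapter's string quoting: inside a '...' literal a single
# quote is escaped by doubling it (assumed; standard PostgreSQL behaviour).
def quote_string(s)
  s.to_s.gsub("'", "''")
end

# Render a Range in PostgreSQL range-literal syntax, e.g. "[1,10]" or "[1,10)".
# The endpoints are interpolated with to_s, so a String endpoint is copied as-is.
def range_to_string(range)
  close = range.exclude_end? ? ')' : ']'
  "[#{range.first},#{range.last}#{close}"
end

# Vulnerable pattern: the rendered range text is placed directly inside the
# literal, so a single quote in an endpoint terminates the literal early.
def quote_range_unsafe(range, sql_type)
  "'#{range_to_string(range)}'::#{sql_type}"
end

# Hardened pattern: the rendered range text is escaped before it is wrapped
# in quotes, so endpoint content can never close the literal.
def quote_range_safe(range, sql_type)
  "'#{quote_string(range_to_string(range))}'::#{sql_type}"
end

# A fragment is one well-formed literal if, after discarding doubled quotes
# (escaped characters), exactly two single quotes remain: the open and close.
def single_literal?(sql)
  sql.gsub("''", "").count("'") == 2
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a benign integer range and a string-bounded range whose
  # upper endpoint carries an attacker-style single quote.
  benign  = (1..10)
  tainted = Range.new("a", "b'c")

  [benign, tainted].each do |r|
    unsafe = quote_range_unsafe(r, "tsrange")
    safe   = quote_range_safe(r, "tsrange")
    puts "unsafe: #{unsafe}  well-formed literal? #{single_literal?(unsafe)}"
    puts "safe:   #{safe}  well-formed literal? #{single_literal?(safe)}"
  end
end
```

For the benign range both forms produce the same SQL; for the tainted range only the escaped form remains a single literal, which is exactly the property the upstream fix restores. The range_to_string helper here ignores open-lower-bound and infinite endpoints, which a real adapter must also handle.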
This issue has been addressed in following products:
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
Via RHSA-2014:0877 https://rhn.redhat.com/errata/RHSA-2014-0877.html
CFME doesn't use any range fields in the database backend. But we should rebase activerecord at some point.