A code injection vulnerability in Action Pack was found, possibly leading to remote code execution. Applications that pass unverified user input to the `render` method in a controller may be vulnerable to a code injection. Impacted code will look like this:

```ruby
class TestController < ApplicationController
  def show
    render params[:id]
  end
end
```

Carefully crafted request parameters can be used to coerce the above example to execute arbitrary Ruby code. A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method.

Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x
Not affected: 5.0+
Fixed Versions: 3.2.22.2, 4.1.14.2, 4.2.5.2
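The workaround the advisory recommends, shown as an added example that is not part of the advisory or the Rails code base: the request parameter is mapped to an allow-listed template name before anything reaches `render`, and anything that is not a plain, known string (including the nested hashes or arrays that Rails parameter parsing can produce) is refused. The module, controller stand-in, and template names are assumptions made for the example; the `render` stub only records its argument so the code runs without Rails.

```ruby
require 'set'

# Added example, not Rails code: validate a user-supplied template selector.
module SafeRender
  # Templates this action is allowed to render; every other value is refused.
  ALLOWED_TEMPLATES = Set.new(%w[show summary details]).freeze

  class UnknownTemplate < StandardError; end

  # Turns the raw request parameter into an explicit render argument.
  # Only a String that exactly matches an allow-listed name passes. Hashes,
  # Arrays, nil and other types are refused up front, because render treats
  # a Hash as an options hash rather than as a template name.
  def self.template_for(param)
    raise UnknownTemplate, "not a template name: #{param.class}" unless param.is_a?(String)
    name = param.strip
    unless ALLOWED_TEMPLATES.include?(name)
      raise UnknownTemplate, "template not allowed: #{name.inspect}"
    end
    # The key is fixed by the application; only the validated name varies.
    { template: "tests/#{name}" }
  end
end

# Minimal controller stand-in (hypothetical) so the action runs without Rails.
class TestController
  def initialize(params)
    @params = params
  end

  # Hardened form of the advisory's `show`: never `render params[:id]` directly.
  def show
    render(SafeRender.template_for(@params[:id]))
  rescue SafeRender::UnknownTemplate
    head(:not_found)
  end

  private

  # Stubs that record what would have been rendered or returned.
  def render(arg)
    @result = arg
  end

  def head(status)
    @result = status
  end
end
```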
Acknowledgments: Name: the Ruby on Rails project Upstream: Tobias Kraze (makandra), joernchen (Phenoelit)
Created attachment 1128508 [details] Upstream patch
Created attachment 1131939 [details] Upstream patch 3.2
Created attachment 1131942 [details] Upstream patch 4.1
Created attachment 1131943 [details] Upstream patch 4.2
Affected versions were changed; the previous advisory listed these versions:

Versions Affected: 3.2.x, 4.0.x
Not affected: 4.1+
Fixed Versions: 3.2.22.2
External Reference: https://groups.google.com/forum/#!msg/rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ
Created rubygem-actionpack tracking bugs for this issue: Affects: fedora-all [bug 1313387]
Created rubygem-actionpack tracking bugs for this issue: Affects: epel-5 [bug 1313389]
Upstream commits:

3.2 https://github.com/rails/rails/commit/769b4d3f6638f8871bb7ca7ad3d076a3dcc9e1a9
4.1 https://github.com/rails/rails/commit/fcf0f42494634861a648276ba7acab6b9b123257
4.2 https://github.com/rails/rails/commit/9e579ef9e239ee8ee76596bc541daf1182ba8b8d
HackerOne report, but it fails to provide any additional information not already included in the upstream announcement: https://hackerone.com/reports/113928
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:0456 https://rhn.redhat.com/errata/RHSA-2016-0456.html
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2016:0455 https://rhn.redhat.com/errata/RHSA-2016-0455.html
This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS

Via RHSA-2016:0454 https://rhn.redhat.com/errata/RHSA-2016-0454.html
rubygem-actionpack-4.2.3-5.fc23 and rubygem-actionview-4.2.3-5.fc23 have been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-4.2.0-4.fc22 and rubygem-actionview-4.2.0-5.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.