Bugzilla – Bug 903658
VUL-0: CVE-2014-7819: rubygem-sprockets: Arbitrary file existence disclosure
Last modified: 2015-04-28 14:05:07 UTC
There is an information leak vulnerability in Sprockets. This vulnerability has been assigned the CVE identifier CVE-2014-7819.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: 3.0.0.beta.3, 2.12.3, 2.11.3, 2.10.2, 2.9.4, 2.8.3, 2.7.1, 2.5.1, 2.4.6, 2.3.3, 2.2.3, 2.1.4, 2.0.5

Impact
------
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside an application's root directory. The files will not be served, but attackers can determine whether or not the file exists.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The 2.12.X releases are available at the normal locations.

Workarounds
-----------
To work around this issue in Rails applications, set config.serve_static_assets = false in an initializer. This workaround will not be possible in all hosting environments and upgrading is advised.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 2-12-sec-static-files.patch - Patch for the 2.12.x release series

Credits
-------
This vulnerability was reported by multiple researchers working independently. Thanks to each of them for reporting the issue to us and verifying the fixes.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7819
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-7819.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7819
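The bug class the advisory describes, as an added example that is neither Sprockets' own server code nor the patch attached to this bug: a toy Rack-style static asset resolver in a "leaky" and a "hardened" form. The leaky resolver never serves anything outside its root, but it consults the filesystem before rejecting a traversal and answers 403 for "exists but forbidden" versus 404 for "does not exist", which is the existence oracle. The hardened one normalises the decoded path, refuses anything that resolves outside the root before touching the disk, and answers every rejected request like a missing asset. The directory layout, request paths, status codes and the AssetResolver module name are constructed for illustration; the real Sprockets server and its fix differ in detail.

```ruby
# Added example, not Sprockets' code: a toy Rack-style static asset resolver
# in a "leaky" and a "hardened" form. The directory layout, request paths
# and status codes below are constructed for illustration.
require "tmpdir"
require "fileutils"
require "pathname"
require "uri"

module AssetResolver
  module_function

  # Strip the mount prefix and percent-decode, as a static server does before
  # mapping a URL path onto the filesystem (so %2e%2e is ".." by the time
  # any check runs).
  def relative_path(request_path)
    URI.decode_www_form_component(request_path.sub(%r{\A/assets/}, ""))
  end

  # Leaky: consults the filesystem before deciding whether the request is
  # allowed, and answers "exists but forbidden" (403) differently from
  # "does not exist" (404). Nothing outside root is ever served, yet
  # GET /assets/../../config/secrets.yml tells the attacker whether
  # config/secrets.yml exists, which is exactly the advisory's oracle.
  def leaky(root, request_path)
    rel  = relative_path(request_path)
    full = File.expand_path(rel, root)
    return [404, "not found"] unless File.file?(full)
    return [403, "forbidden"] if rel.include?("..") || rel.start_with?("/")
    [200, File.read(full)]
  end

  # Hardened: normalise first, reject anything that resolves outside root
  # before touching the filesystem, and give every rejected request the same
  # answer as a missing asset, so the response carries no existence bit.
  def hardened(root, request_path)
    rel = relative_path(request_path)
    return [404, "not found"] if rel.include?("\0")
    root_path = File.expand_path(root)
    full      = Pathname.new(File.expand_path(rel, root_path))
    inside    = full.to_s.start_with?(root_path + File::SEPARATOR)
    return [404, "not found"] unless inside && full.file?
    [200, full.read]
  end

  # Constructed fixture:
  #   <tmp>/app/public/assets/application.js   inside the asset root
  #   <tmp>/app/config/secrets.yml             outside the root, exists
  # Yields the asset root; everything is removed afterwards.
  def with_fixture
    Dir.mktmpdir do |tmp|
      root = File.join(tmp, "app", "public", "assets")
      FileUtils.mkdir_p(root)
      FileUtils.mkdir_p(File.join(tmp, "app", "config"))
      File.write(File.join(root, "application.js"), "console.log('hi');\n")
      File.write(File.join(tmp, "app", "config", "secrets.yml"), "secret_key_base: constructed\n")
      yield root
    end
  end

  # Sends one legitimate request and three traversal attempts to the given
  # resolver (:leaky or :hardened) and returns the status code for each.
  # With :leaky the "outside" probes come back 403 vs 404, i.e. the
  # existence of config/secrets.yml leaks; with :hardened all three are 404.
  def probe(resolver)
    requests = {
      legit:           "/assets/application.js",
      exists_outside:  "/assets/../../config/secrets.yml",
      encoded_outside: "/assets/%2e%2e/%2e%2e/config/secrets.yml",
      missing_outside: "/assets/../../config/nope.yml",
    }
    with_fixture do |root|
      requests.transform_values { |path| public_send(resolver, root, path).first }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "leaky:    #{AssetResolver.probe(:leaky)}"
  puts "hardened: #{AssetResolver.probe(:hardened)}"
end
```

The two points a practitioner should take from the contrast are the ordering (authorise the normalised path before any File.exist?/File.file? call) and the uniform failure response; either one alone is not enough, since a 403 issued before the existence check still tells the attacker nothing, but a 403 issued after it does. Percent-decoding before the check matters too, which is why the encoded probe is included.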
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2014-12-03. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59574
Created attachment 613509: patch for 2.12.x series
Adding the 2.12.x series patch for reference.
This is an autogenerated message for OBS integration: This bug (903658) was mentioned in
https://build.opensuse.org/request/show/261610 12.3 / rubygem-sprockets
https://build.opensuse.org/request/show/261611 12.3 / rubygem-sprockets-2_2
https://build.opensuse.org/request/show/261612 12.3 / rubygem-sprockets-2_1
https://build.opensuse.org/request/show/261632 13.1 / rubygem-sprockets
https://build.opensuse.org/request/show/261633 13.1 / rubygem-sprockets-2_2
https://build.opensuse.org/request/show/261634 13.1 / rubygem-sprockets-2_1
https://build.opensuse.org/request/show/261641 13.2 / rubygem-sprockets-2_2
https://build.opensuse.org/request/show/261643 13.2 / rubygem-sprockets-2_1
(In reply to Jordi Massaguer Pla from comment #12)
Thank you for your submissions. rubygem-sprockets for 13.2 is still missing.
I know. Actually I am having some trouble with that one. It seems like rubygem-sprockets for 13.2 is not working properly (I am talking about the one in the 13.2 repo, without the patch for this issue). I am trying to figure out what is wrong.
The problem is that sprockets should require tilt ~> 1.3 instead of ~> 1.1. See: https://github.com/sstephenson/sprockets/pull/659

I am waiting for upstream feedback on the PR. This means that we will need to package tilt-1_3. We need to submit an ECO for that, right? How do we do that?

We have version 1.3.3 in SUSE:SLE-11-SP2:Update. The latest versions in rubygems are 1.3.7 and 1.4.1 for the 1.x series. Which version should we have in openSUSE?
(In reply to Jordi Massaguer from comment #19)
SUSE:SLE-11-SP2:GA      rubygem-tilt 1.3.3  2
SUSE:SLE-11-SP2:Update  rubygem-tilt 1.3.3  1
SUSE:SLE-12:GA          rubygem-tilt 2.0.0  2
and
openSUSE:12.3           rubygem-tilt 1.3.3  1
openSUSE:13.1           rubygem-tilt 1.4.1  1
openSUSE:13.2           rubygem-tilt 2.0.1  1
so we have the necessary versions already. You just have to add the requires as far as I can see.
The problem is that in openSUSE 13.2 we have
rubygem-tilt-2.0.1-2.1.4
rubygem-tilt-1_1-1.1-11.1.4
sprockets needs a 1.x tilt, thus it takes tilt-1.1, which does not work. We need a rubygem-tilt-1_3 or rubygem-tilt-1_4.
since we have version 1.4.1 in 13.1, I would go for a rubygem-tilt-1_4 with the latest tilt gem (1.4.1).
(In reply to Jordi Massaguer from comment #22)
Please do that. If rubygem-tilt-1_3 is necessary and 1_4 doesn't cut it, we could include it in openSUSE 13.1, but I would like to avoid that.
This is an autogenerated message for OBS integration: This bug (903658) was mentioned in https://build.opensuse.org/request/show/262149 13.2 / rubygem-sprockets
This is an autogenerated message for OBS integration: This bug (903658) was mentioned in https://build.opensuse.org/request/show/262150 13.2 / rubygem-tilt-1_4
openSUSE-SU-2014:1502-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 903658
CVE References: CVE-2014-7819
Sources used:
openSUSE 13.2 (src): rubygem-sprockets-2_1-2.1.3-8.4.1
openSUSE 13.1 (src): rubygem-sprockets-2_1-2.1.3-6.4.1
openSUSE 12.3 (src): rubygem-sprockets-2_1-2.1.3-4.4.1
openSUSE-SU-2014:1504-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 903658
CVE References: CVE-2014-7819
Sources used:
openSUSE 13.2 (src): rubygem-sprockets-2_2-2.2.2-8.4.1
openSUSE 13.1 (src): rubygem-sprockets-2_2-2.2.2-5.4.1
openSUSE 12.3 (src): rubygem-sprockets-2_2-2.2.2-2.4.1
openSUSE-SU-2014:1513-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 903658
CVE References: CVE-2014-7819
Sources used:
openSUSE 13.1 (src): rubygem-sprockets-2.10.0-2.4.1
openSUSE 12.3 (src): rubygem-sprockets-2.8.2-2.4.1
openSUSE-SU-2014:1514-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 903658
CVE References: CVE-2014-7819
Sources used:
openSUSE 13.2 (src): rubygem-sprockets-2.12.1-2.4.1, rubygem-tilt-1_4-1.4.1-2.1
SUSE-SU-2014:1609-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 903658
CVE References: CVE-2014-7819
Sources used:
SUSE Cloud 4 (src): rubygem-sprockets-2_10-2.10.1-0.11.1
SUSE Cloud 3 (src): rubygem-sprockets-2_10-2.10.1-0.13.1
SUSE-SU-2014:1609-2: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 903658
CVE References: CVE-2014-7819
Sources used:
WebYaST 1.3 (src): rubygem-sprockets-2_2-2.2.1-0.7.11.1
SUSE Studio Onsite 1.3 (src): rubygem-sprockets-2_2-2.2.1-0.7.11.1
SUSE Lifecycle Management Server 1.3 (src): rubygem-sprockets-2_2-2.2.1-0.7.11.1
fixed
SUSE-SU-2015:0787-1: An update that solves one vulnerability and has one errata is now available.
Category: security (low)
Bug References: 903658, 926549
CVE References: CVE-2014-7819
Sources used:
SUSE Cloud 5 (src): rubygem-sprockets-2_11-2.11.0-0.9.1