Bugzilla – Bug 963330
VUL-0: CVE-2015-7577: rubygem-activerecord: Nested attributes rejection proc bypass
Last modified: 2017-09-11 16:04:16 UTC
EMBARGOED via distros CRD: 2016-01-25 Nested attributes rejection proc bypass in Active Record. There is a vulnerability in how the nested attributes feature in Active Record handles updates in combination with destroy flags when destroying records is disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577. Versions Affected: 3.1.0 and newer Not affected: 3.0.x and older Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 Impact ------ When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the `allow_destroy: false` option to the `accepts_nested_attributes_for` method. However due to a change in the commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from being called because it assumes that the record will be destroyed anyway. However this isn't true if `:allow_destroy` is false so this leads to changes that would have been rejected being applied to the record. Attackers could use this do things like set attributes to invalid values and to clear all of the attributes amongst other things. The severity will be dependent on how the application has used this feature. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- If you can't upgrade, please use the following monkey patch in an initializer that is loaded before your application: ``` $ cat config/initializers/nested_attributes_bypass_fix.rb module ActiveRecord module NestedAttributes private def reject_new_record?(association_name, attributes) will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes) end def call_reject_if(association_name, attributes) return false if will_be_destroyed?(association_name, attributes) case callback = self.nested_attributes_options[association_name][:reject_if] when Symbol method(callback).arity == 0 ? send(callback) : send(callback, attributes) when Proc callback.call(attributes) end end def will_be_destroyed?(association_name, attributes) allow_destroy?(association_name) && has_destroy_flag?(attributes) end def allow_destroy?(association_name) self.nested_attributes_options[association_name][:allow_destroy] end end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series * 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series * 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series * 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thank you to Justin Coyne for reporting the problem and working with us to fix it. [1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325
Created attachment 662981 [details] 5-0-nested-attributes-reject-if-bypass.patch
Created attachment 662982 [details] 4-2-nested-attributes-reject-if-bypass.patch
Created attachment 662983 [details] 4-1-nested-attributes-reject-if-bypass.patch
Created attachment 662984 [details] 3-2-nested-attributes-reject-if-bypass.patch
bugbot adjusting priority
public at http://seclists.org/oss-sec/2016/q1/203
we need to update: Package |Repo (Products) ------------------------------------------------------------------------------ rubygem-activerecord-4_2: SUSE:SLE-12:Update (Portus build dependency) rubygem-activerecord-4_1: SUSE:SLE-11-SP3:Update:Cloud5:Test:Update (CLOUD5) rubygem-activerecord-3_2: SUSE:SLE-11-SP2:Update (SLMS, WEBYAST and STUDIO*) Portus**: SUSE:SLE-12:Update Studio***: SUSE:SLE-11-SP2:Update (*) rubygem-activerecord-3_2 rpm in studio is actually the webyast dependency. WebYast is installed on the studio onsite product and depends on that RPM. Studio also bundles the gem, but that is a different story. (**) rubygem-activerecord-4_2 is a build dependencies for Portus, so that we need to rebuild the package and release it (***)Studio embeds active_record gem, so the patches need to be ported and the rpm rebuild.
bugs for studio and portus 963603 963604
This is an autogenerated message for OBS integration: This bug (963330) was mentioned in https://build.opensuse.org/request/show/356317 13.2 / rubygem-activerecord-3_2 https://build.opensuse.org/request/show/356327 42.1 / rubygem-activerecord-4_2
all submissions have been done. Assigning to security team.
openSUSE-SU-2016:0363-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963330,963331,963332 CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2016-0751,CVE-2016-0752 Sources used: openSUSE 13.2 (src): rubygem-actionpack-3_2-3.2.17-3.7.1, rubygem-activerecord-3_2-3.2.17-3.3.1, rubygem-activesupport-3_2-3.2.17-2.6.1
openSUSE-SU-2016:0372-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963330,963331,963332,963334,963335 CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753 Sources used: openSUSE Leap 42.1 (src): rubygem-actionpack-4_2-4.2.4-6.1, rubygem-actionview-4_2-4.2.4-6.1, rubygem-activemodel-4_2-4.2.4-6.1, rubygem-activerecord-4_2-4.2.4-6.1, rubygem-activesupport-4_2-4.2.4-6.1
SUSE-SU-2016:0458-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 963330,963334 CVE References: CVE-2015-7577,CVE-2016-0753 Sources used: SUSE Enterprise Storage 2.1 (src): rubygem-activerecord-4_2-4.2.2-5.1
SUSE-SU-2016:0598-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 963330,963334 CVE References: CVE-2015-7577,CVE-2016-0753 Sources used: SUSE OpenStack Cloud 5 (src): rubygem-activerecord-4_1-4.1.9-9.1
SUSE-SU-2016:0619-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 963330 CVE References: CVE-2015-7577 Sources used: SUSE Webyast 1.3 (src): rubygem-activerecord-3_2-3.2.12-0.15.1 SUSE Studio Onsite 1.3 (src): rubygem-activerecord-3_2-3.2.12-0.15.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): rubygem-activerecord-3_2-3.2.12-0.15.1 SUSE Lifecycle Management Server 1.3 (src): rubygem-activerecord-3_2-3.2.12-0.15.1
released