Bugzilla – Bug 963332
VUL-0: CVE-2016-0752: rubygem-actionpack, rubygem-actionview: directory traversal and information leak in Action View
Last modified: 2017-09-11 16:04:59 UTC
EMBARGOED via distros CRD: 2016-01-25

Possible Information Leak Vulnerability in Action View

There is a possible directory traversal and information leak vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2016-0752.

Versions Affected: All.
Not affected: None.
Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact
------

Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from unexpected places like outside the application's view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method.

For example, change this:

```ruby
def index
  render params[:id]
end
```

To this:

```ruby
def index
  render verify_template(params[:id])
end

private

def verify_template(name)
  # add verification logic particular to your application here
end
```

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 3-2-render_data_leak.patch - Patch for 3.2 series
* 4-1-render_data_leak.patch - Patch for 4.1 series
* 4-2-render_data_leak.patch - Patch for 4.2 series
* 5-0-render_data_leak.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits
-------

Thanks John Poulin for reporting this!
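One way to fill in the `verify_template` hook from the workaround above, as an added example that is not part of the advisory or of Rails itself. It assumes the application keeps an explicit allowlist of template names it is willing to render from a request parameter (the `TemplateVerifier` module and its `ALLOWED_TEMPLATES` set are constructed for this example).

```ruby
# Added example (not from the advisory or Rails): an allowlist-based
# implementation of the verify_template hook suggested in the workaround.
# Assumption: the application enumerates the templates a request may select.
require "set"

module TemplateVerifier
  class UnknownTemplate < StandardError; end

  # Constructed allowlist for the example; a real app lists its own views.
  ALLOWED_TEMPLATES = Set.new(%w[index show about]).freeze

  # Only bare template names are accepted: no directory separators,
  # no "..", no leading dot, no absolute paths, no format/handler suffixes.
  SAFE_NAME = /\A[a-z0-9_]+\z/

  # Returns the verified name as a String, or raises UnknownTemplate.
  # Rejecting here means the untrusted value never reaches render.
  def self.verify_template(name)
    value = name.to_s
    raise UnknownTemplate, "invalid template name" unless value.match?(SAFE_NAME)
    raise UnknownTemplate, "template not allowed: #{value}" unless ALLOWED_TEMPLATES.include?(value)
    value
  end

  # Boolean form for callers that would rather branch than rescue.
  def self.allowed?(name)
    verify_template(name)
    true
  rescue UnknownTemplate
    false
  end
end

# Usage inside a controller (Rails is not loaded in this stand-alone file):
#   def index
#     render TemplateVerifier.verify_template(params[:id])
#   end
```

Because the syntax check runs before the allowlist lookup, a value containing a separator or `..` is rejected even if an allowlisted name happens to appear inside it.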
Created attachment 662989 [details] 5-0-render_data_leak.patch
Created attachment 662990 [details] 4-2-render_data_leak.patch
Created attachment 662991 [details] 4-1-render_data_leak.patch
Created attachment 662992 [details] 3-2-render_data_leak.patch
bugbot adjusting priority
public at http://seclists.org/oss-sec/2016/q1/206
Portus and studio issues: 963607 963608
Created attachment 663371 [details] updated patch for 3.2 version. Adapt the patch for the 3.2 version to Ruby 1.8 syntax. https://github.com/rails/rails/commit/7f71b4d8a4744e26fcec7be13efb243e73ffd3ce Also I had to update the line numbers in the patch.
This is an autogenerated message for OBS integration: This bug (963332) was mentioned in https://build.opensuse.org/request/show/356307 42.1 / rubygem-actionpack-4_2
This is an autogenerated message for OBS integration: This bug (963332) was mentioned in https://build.opensuse.org/request/show/356315 13.2 / rubygem-actionpack-3_2
This is an autogenerated message for OBS integration: This bug (963332) was mentioned in https://build.opensuse.org/request/show/356334 42.1 / rubygem-actionview-4_2
All submissions done. Assigning to security team.
openSUSE-SU-2016:0363-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963330,963331,963332 CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2016-0751,CVE-2016-0752 Sources used: openSUSE 13.2 (src): rubygem-actionpack-3_2-3.2.17-3.7.1, rubygem-activerecord-3_2-3.2.17-3.3.1, rubygem-activesupport-3_2-3.2.17-2.6.1
openSUSE-SU-2016:0372-1: An update that fixes 6 vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963330,963331,963332,963334,963335 CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753 Sources used: openSUSE Leap 42.1 (src): rubygem-actionpack-4_2-4.2.4-6.1, rubygem-actionview-4_2-4.2.4-6.1, rubygem-activemodel-4_2-4.2.4-6.1, rubygem-activerecord-4_2-4.2.4-6.1, rubygem-activesupport-4_2-4.2.4-6.1
SUSE-SU-2016:0456-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 963332 CVE References: CVE-2016-0752 Sources used: SUSE Enterprise Storage 2.1 (src): rubygem-actionview-4_2-4.2.2-5.1
SUSE-SU-2016:0457-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963331,963332,963335 CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752 Sources used: SUSE Enterprise Storage 2.1 (src): rubygem-actionpack-4_2-4.2.2-6.1
SUSE-SU-2016:0599-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 963332 CVE References: CVE-2016-0752 Sources used: SUSE OpenStack Cloud 5 (src): rubygem-actionview-4_1-4.1.9-9.1
SUSE-SU-2016:0618-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963331,963332 CVE References: CVE-2015-7576,CVE-2016-0751,CVE-2016-0752 Sources used: SUSE Webyast 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.23.1 SUSE Studio Onsite 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.23.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): rubygem-actionpack-3_2-3.2.12-0.23.1 SUSE Lifecycle Management Server 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.23.1
released
SUSE-SU-2016:0858-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 963329,963331,963332,963335 CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752 Sources used: SUSE OpenStack Cloud 5 (src): rubygem-actionpack-4_1-4.1.9-9.1