2.3.16 Including fix for CVE-2013-0155 #8948

Closed


In response to this announcement: https://groups.google.com/group/rubyonrails-security/browse_thread/thread/73b8d3f8478df5e2

It's hard to tell whether or not the fix is legitimate:

  • There's no updated gem (for 2.3)
  • The commit doesn't exist on GitHub
  • There's no tag
  • The vulnerability is not addressed on the blog
  • There's no test
  • The code fix looks... strange
  • The email is not signed

If this problem is legitimate, and the patch fixes it, we would immensely appreciate an updated Rails 2 gem. Especially since last week's issue in fact did result in a new 2.3 gem.

This PR makes all the necessary preparations, all you need to do is build and push.

+1, especially considering that Googling the sha1 yields a single result.

👍

Contributor

martinrehfeld commented Jan 18, 2013

+1 for 2.3.16 (also in the light of 28cfd79)

Owner

guilleiguaran commented Jan 20, 2013

Thanks @cjohansen, I've merged the fix commit in 7763f39. I can't merge your other commit since a 2.3.16 isn't planned for release yet.

@guilleiguaran "yet" - does that mean there will be a 2.3.16? This is sorta critical, I can't see why you wouldn't push this immediately?

Owner

jeremy commented Jan 21, 2013

2.3.15 was released as an exception to make it easier to address a significant security vulnerability. We don't anticipate or plan on any future 2.3.x releases. Your best bet is to bundle the 2-3-stable branch.

I don't understand this decision. This other vulnerability is bad as well, and I did this pull request so the only thing you need to do is gem push. It would've taken less time than closing this PR and responding. Lots of people are stuck on 2.x; I don't see why they can't receive upgrades when the community itself is doing the actual work...

Contributor

martinrehfeld commented Jan 21, 2013

cjohansen has a very good point here. Especially as it is major work to "bundle" the 2-3-staging branch (http://robanderson123.wordpress.com/2013/01/05/applying-backported-security-patches-to-rails-2-3/)

Please reconsider this decision. This PR will make some interesting headlines once the first 2.3 app in production is hit by this vulnerability.

Looks like this post: https://groups.google.com/d/topic/rubyonrails-security/G4TTUDDYbNA/discussion on the rubyonrails-security mailing list is somehow related to this thread.

Contributor

mguterl commented Jan 22, 2013

I'm guessing this particular security issue falls under the "Security issues" classification and not under "Severe security issues" listed in @NZKoz's email. I would like to have confirmation of this, but I think the fact that it hasn't been released is enough.

For those of us with Rails 2.3 apps in production what is the best way to keep tracking the 2-3-stable branch?

I modified my Gemfile:

gem 'rails', :git => 'git://github.com/rails/rails.git', :branch => '2-3-stable'

When bundling I receive this error:

Could not find gem 'rails (>= 0) ruby' in git://github.com/rails/rails.git (at 2-3-stable).
Source does not contain any versions of 'rails (>= 0) ruby'

which I assume is happening because there is no rails.gemspec present in the branch.

Contributor

johndouthat commented Jan 22, 2013

@mguterl If you trust me, you can do this

git 'git://github.com/johndouthat/rails.git', :branch => '2-3-stable' do
  gem 'rails'
  gem 'actionmailer'
  gem 'actionpack'
  gem 'activerecord'
  gem 'activeresource'
  gem 'activesupport'
end

I made this pull request from /rails2/rails, and my thought was that if the PR is closed, we could perhaps join forces and keep /rails2/rails up to date. I even thought about doing gem releases, but don't know how much trouble it'll be given that we need to do all six gems under different names. I started by cherry-picking @johndouthat's gemspecs into the organization repo so you can do:

git 'git://github.com/rails2/rails.git', :branch => '2-3-stable' do
  gem 'rails'
  gem 'actionmailer'
  gem 'actionpack'
  gem 'activerecord'
  gem 'activeresource'
  gem 'activesupport'
end

This works, but it sucks. The monolithic Rails repo is huge, so now bundle takes way longer than I'd like. At least we're safe(r) and avoid vendoring the whole thing.

Contributor

mguterl commented Jan 22, 2013

@johndouthat - it's not that I don't trust the code, I just don't trust that the repo will be around forever. I wonder if Rails Core would consider merging your changes in so that each project has a gemspec?

Contributor

johndouthat commented Jan 22, 2013

@cjohansen If you want to avoid the huge download, you could strip the history and rails3+4 branches, which would reduce the download from ~60MB to ~4MB. But it's really not a big deal, because git bundles are cached after the first download. The Rails maintainers have been generous and patient (i.e. true heroes) to backport security fixes to such an old branch. If that changes, a fork may be necessary, but my hope is that https://github.com/rails/rails/tree/2-3-stable remains the best one.

Owner

jeremy commented Jan 22, 2013

@mguterl you can bundle git repos without a gemspec by providing a version explicitly. Then Bundler will synthesize a stand-in spec for you:

gem 'rails', '2.3.15', :github => 'rails/rails', :branch => '2-3-stable'

@jeremy ah, thanks, that's better.

Contributor

mguterl commented Jan 22, 2013

Thank you Jeremy, this works great.


Contributor

johndouthat commented Jan 22, 2013

As of now (thanks, steveklabnik!) the official 2.3 branch has gemspecs. So you can add this to your gemfile to pick up Ernie's fix for CVE-2013-0155:

git 'git://github.com/rails/rails.git', :branch => '2-3-stable' do
  gem 'rails'
  gem 'actionmailer'
  gem 'actionpack'
  gem 'activerecord'
  gem 'activeresource'
  gem 'activesupport'
end

After doing that, if there are additional commits to the branch in the future, run bundle update rails to pick them up.
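Whether the Gemfile above really switches an app onto the branch only shows up in the resulting Gemfile.lock. The following check is an added example (my code, not the PR's or Rails') that parses a lock file and reports any Rails 2.3 gem still resolved from somewhere other than the official 2-3-stable git branch; the sample lock and its revision are constructed placeholders, not a real rails/rails commit.

```ruby
# Added example (not from the PR or Rails): check that a Gemfile.lock sources every Rails 2.3
# gem from the official 2-3-stable git branch, not from the released 2.3.15 gem that predates the fix.
RAILS_GEMS = %w[rails actionmailer actionpack activerecord activeresource activesupport]
OFFICIAL_REMOTE = 'git://github.com/rails/rails.git'
OFFICIAL_BRANCH = '2-3-stable'

# Parse GIT/GEM/PATH sections of a lock into { :type, :remote, :branch, :revision, :specs => [names] }.
def parse_lock_sources(lock_text)
  sources, current, in_specs = [], nil, false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A(GIT|GEM|PATH)\z/                      # start of a source section
      sources << (current = { :type => $1, :specs => [] })
      in_specs = false
    elsif line =~ /\A[A-Z]+\z/                           # PLATFORMS, DEPENDENCIES: not a source
      current, in_specs = nil, false
    elsif current && line =~ /\A  (remote|branch|revision): (.+)\z/
      current[$1.to_sym] = $2
    elsif current && line == '  specs:'
      in_specs = true
    elsif in_specs && line =~ /\A    (\S+) \(/          # 4 spaces = a spec; 6 = its dependency
      current[:specs] << $1
    end
  end
  sources
end

# Rails gems NOT resolved from the trusted remote+branch; an empty array means all of them are.
def rails_gems_not_from_branch(lock_text, remote = OFFICIAL_REMOTE, branch = OFFICIAL_BRANCH)
  trusted = parse_lock_sources(lock_text).select { |s| s[:type] == 'GIT' && s[:remote] == remote && s[:branch] == branch }
  RAILS_GEMS - trusted.flat_map { |s| s[:specs] }
end

# Constructed sample lock; the revision is a placeholder, not a real rails/rails commit.
GOOD_LOCK = <<-LOCK
GIT
  remote: git://github.com/rails/rails.git
  revision: 0000000000000000000000000000000000000000
  branch: 2-3-stable
  specs:
    actionmailer (2.3.15)
      actionpack (= 2.3.15)
    actionpack (2.3.15)
    activerecord (2.3.15)
    activeresource (2.3.15)
    activesupport (2.3.15)
    rails (2.3.15)
LOCK
```

Run `rails_gems_not_from_branch(File.read('Gemfile.lock'))` after `bundle install`; anything it returns is a gem still coming from the rubygems 2.3.15 release rather than the branch.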

Thank you @johndouthat!

This is seriously good news. Thank you!

