
2.3.16 Including fix for CVE-2013-0155 #8948

Closed
wants to merge 2 commits into from

10 participants

@cjohansen

In response to this announcement: https://groups.google.com/group/rubyonrails-security/browse_thread/thread/73b8d3f8478df5e2

It's hard to tell whether or not the fix is legitimate:

  • There's no updated gem (for 2.3)
  • The commit doesn't exist on GitHub
  • There's no tag
  • The vulnerability is not addressed on the blog
  • There's no test
  • The code fix looks... strange
  • The email is not signed

If this problem is legitimate, and the patch fixes it, we would immensely appreciate an updated Rails 2 gem. Especially since last week's issue in fact did result in a new 2.3 gem.

This PR makes all the necessary preparations, all you need to do is build and push.
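
The one-line change this PR carries (`return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?` in activerecord/lib/active_record/base.rb) is easier to judge when its effect is run side by side with the previous behaviour. The block below is an added example, not the Rails source and not code from this thread: a deliberately small model of how a conditions Hash is turned into a SQL fragment, with the guard switchable so both outcomes can be compared. The helper names, the `users` table, and the sample inputs are assumptions made for the demo.

```ruby
# Added example (not the Rails source): a small model of how Active Record 2.3
# turns a conditions Hash into a SQL fragment, with the CVE-2013-0155 guard
# switchable so the before/after behaviour can be compared side by side.

def quote_value(value)
  case value
  when nil     then "NULL"
  when Numeric then value.to_s
  else              "'#{value.to_s.gsub("'", "''")}'"
  end
end

# One column/value pair becomes one predicate.
def attribute_condition(column, value)
  case value
  when nil   then "#{column} IS NULL"
  when Array then "#{column} IN (#{value.map { |v| quote_value(v) }.join(', ')})"
  else            "#{column} = #{quote_value(value)}"
  end
end

# attrs:     the conditions Hash, e.g. { :token => "abc" } or { :posts => { :author_id => 7 } }
# table:     table name used to qualify columns (assumed; Rails quotes it properly)
# top_level: false when recursing into a nested Hash (the nested key is a table name)
# fixed:     true applies the one-line guard from the patch, false models the code before it
def sanitize_conditions(attrs, table = "users", top_level = true, fixed: true)
  # The guard added by the patch: an empty nested Hash must not collapse into
  # "no restriction at all"; instead it becomes a predicate that is always false.
  return "1 = 2" if fixed && !top_level && attrs.is_a?(Hash) && attrs.empty?

  attrs.map do |attr, value|
    if value.is_a?(Hash) && top_level
      sanitize_conditions(value, attr.to_s, false, fixed: fixed)
    elsif value.is_a?(Hash)
      raise ArgumentError, "nested Hash below the top level is not allowed"
    else
      attribute_condition("#{table}.#{attr}", value)
    end
  end.join(" AND ")
end

# Normal use: a plain Hash and a nested Hash keyed by table name.
def demo_normal
  [
    sanitize_conditions({ :token => "abc" }),
    sanitize_conditions({ :posts => { :author_id => 7 } })
  ]
end

# The case the patch targets: a nested Hash that is empty (constructed input,
# the kind of value a parsed request parameter can supply instead of a scalar).
def demo_empty_nested(fixed)
  sanitize_conditions({ :posts => {} }, "users", true, fixed: fixed)
end

if __FILE__ == $0
  puts demo_normal.inspect
  puts "before fix: #{demo_empty_nested(false).inspect}"  # ""      : the restriction vanishes
  puts "after fix:  #{demo_empty_nested(true).inspect}"   # "1 = 2" : matches no rows
end
```

Without the guard, the recursive call for the empty nested Hash maps zero pairs and joins them into an empty string, so that part of the condition simply disappears from the generated SQL; with the guard, the same input yields a predicate that cannot match any row. That is why the "strange" literal `'1 = 2'` is the whole fix.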

@zmalltalker

+1, especially considering that Googling the sha1 yields a single result.

@martinrehfeld

+1 for 2.3.16 (also in the light of 28cfd79)

@guilleiguaran

Thanks @cjohansen, I've merged the fix commit in 7763f39. I can't merge your other commit since a 2.3.16 isn't planned for release yet.

@cjohansen

@guilleiguaran "yet" - does that mean there will be a 2.3.16? This is sorta critical, I can't see why you wouldn't push this immediately?

@jeremy
Owner

2.3.15 was released as an exception to make it easier to address a significant security vulnerability. We don't anticipate or plan on any future 2.3.x releases. Your best bet is to bundle the 2-3-stable branch.

@cjohansen

I don't understand this decision. This other vulnerability is bad as well, and I did this pull request so the only thing you need to do is gem push. It would've taken less time than closing this PR and responding. Lots of people are stuck on 2.x; I don't see why they can't receive upgrades when the community itself is doing the actual work...

@martinrehfeld

cjohansen has a very good point here. Especially as it is major work to "bundle" the 2-3-staging branch (http://robanderson123.wordpress.com/2013/01/05/applying-backported-security-patches-to-rails-2-3/)

@zmalltalker

Please reconsider this decision. This PR will make some interesting headlines once the first 2.3 app in production is hit by this vulnerability.

@zmalltalker

Looks like this post: https://groups.google.com/d/topic/rubyonrails-security/G4TTUDDYbNA/discussion on the rubyonrails-security mailing list is somehow related to this thread.

@mguterl

I'm guessing this particular security issue falls under the "Security issues" classification and not under "Severe security issues" listed in @NZKoz's email. I would like to have confirmation of this, but I think the fact that it hasn't been released is enough.

For those of us with Rails 2.3 apps in production what is the best way to keep tracking the 2-3-stable branch?

I modified my Gemfile:

gem 'rails', :git => 'git://github.com/rails/rails.git', :branch => '2-3-stable'

When bundling I receive this error:

Could not find gem 'rails (>= 0) ruby' in git://github.com/rails/rails.git (at 2-3-stable).
Source does not contain any versions of 'rails (>= 0) ruby'

which I assume is happening because there is no rails.gemspec present in the branch.

@johndouthat

@mguterl If you trust me, you can do this

git 'git://github.com/johndouthat/rails.git', :branch => '2-3-stable' do
  gem 'rails'
  gem 'actionmailer'
  gem 'actionpack'
  gem 'activerecord'
  gem 'activeresource'
  gem 'activesupport'
end

@cjohansen

I made this pull request from /rails2/rails, and my thought was that if the PR is closed, we could perhaps join forces and keep /rails2/rails up to date. I even thought about doing gem releases, but don't know how much trouble it'll be given that we need to do all six gems under different names. I started by cherry-picking @johndouthat's gemspecs into the organization repo so you can do:

git 'git://github.com/rails2/rails.git', :branch => '2-3-stable' do
  gem 'rails'
  gem 'actionmailer'
  gem 'actionpack'
  gem 'activerecord'
  gem 'activeresource'
  gem 'activesupport'
end

This works, but it sucks. The monolithic Rails repo is huge, so now bundle takes way longer than I'd like. At least we're safe(r) and avoid vendoring the whole thing.

@mguterl

@johndouthat - it's not that I don't trust the code, I just don't trust that the repo will be around forever. I wonder if Rails Core would consider merging your changes in so that each project has a gemspec?

@johndouthat

@cjohansen If you want to avoid the huge download, you could strip the history and rails3+4 branches, which would reduce the download from ~60MB to ~4MB. But it's really not a big deal, because git bundles are cached after the first download. The Rails maintainers have been generous and patient (i.e. true heroes) to backport security fixes to such an old branch. If that changes, a fork may be necessary, but my hope is that https://github.com/rails/rails/tree/2-3-stable remains the best one.

@jeremy
Owner

@mguterl you can bundle git repos without a gemspec by providing a version explicitly. Then Bundler will synthesize a stand-in spec for you:

gem 'rails', '2.3.15', :github => 'rails/rails', :branch => '2-3-stable'

@cjohansen

@jeremy ah, thanks, that's better.

@mguterl
@johndouthat

As of now (thanks, steveklabnik!) the official 2.3 branch has gemspecs. So you can add this to your Gemfile to pick up Ernie's fix for CVE-2013-0155:

git 'git://github.com/rails/rails.git', :branch => '2-3-stable' do
  gem 'rails'
  gem 'actionmailer'
  gem 'actionpack'
  gem 'activerecord'
  gem 'activeresource'
  gem 'activesupport'
end

After doing that, if there are additional commits to the branch in the future, run bundle update rails to pick them up.
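
After `bundle update rails`, what actually protects an app is the revision recorded in Gemfile.lock, not the branch name. The script below is an added example, not code from the thread or from Bundler: it parses the `GIT` blocks of a Gemfile.lock, reports which remote, branch and revision supply `rails`, and, given a local clone, asks git whether the fix commit named earlier in this thread (7763f39) is an ancestor of the locked revision. The lock-file text is constructed for the demo and the revision in it is a placeholder; the checkout path is an assumption.

```ruby
# Added example (not from the thread): locate the git source that supplies rails
# in a Gemfile.lock and check whether the locked revision contains the fix commit.
require "open3"

FIX_COMMIT = "7763f39"  # abbreviated commit id quoted in the discussion above

# Constructed sample lock file; the revision is a placeholder, not a real commit.
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: git://github.com/rails/rails.git
    revision: 0123456789abcdef0123456789abcdef01234567
    branch: 2-3-stable
    specs:
      actionmailer (2.3.15)
        actionpack (= 2.3.15)
      rails (2.3.15)
        actionmailer (= 2.3.15)

  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.1.6)

  DEPENDENCIES
    rails!
LOCK

# Returns one Hash per GIT block: { remote:, revision:, branch:, gems: [{ name:, version: }] }.
# Only the 4-space-indented lines under "specs:" are the gems a block provides;
# the 6-space-indented lines below them are their dependencies and are skipped.
def git_sources(lock_text)
  sources = []
  current = nil
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line == "GIT"
      current = { gems: [] }
      sources << current
      in_specs = false
    elsif line.empty?
      current = nil
    elsif current
      if line =~ /\A  (remote|revision|branch): (.+)\z/
        current[$1.to_sym] = $2
      elsif line == "  specs:"
        in_specs = true
      elsif in_specs && line =~ /\A    (\S+) \(([^)]+)\)\z/
        current[:gems] << { name: $1, version: $2 }
      end
    end
  end
  sources
end

# The git block that provides the rails gem itself, or nil if rails is not from git.
def rails_source(lock_text)
  git_sources(lock_text).find { |s| s[:gems].any? { |g| g[:name] == "rails" } }
end

# true/false if git could decide whether fix_commit is an ancestor of locked_rev,
# nil if git is missing, the path is not a clone, or a revision is unknown.
# checkout_path is assumed to be any local clone that has fetched 2-3-stable.
def fix_included?(checkout_path, locked_rev, fix_commit = FIX_COMMIT)
  _out, status = Open3.capture2e("git", "-C", checkout_path, "merge-base",
                                 "--is-ancestor", fix_commit, locked_rev)
  return nil unless [0, 1].include?(status.exitstatus)
  status.exitstatus == 0
rescue Errno::ENOENT
  nil
end

if __FILE__ == $0
  lock = File.exist?("Gemfile.lock") ? File.read("Gemfile.lock") : SAMPLE_LOCK
  src = rails_source(lock)
  abort "rails is not bundled from a git source" unless src
  puts "rails comes from #{src[:remote]} (#{src[:branch]}) at #{src[:revision]}"
  checkout = ARGV[0]  # assumed: path to a local clone of the repo
  if checkout
    case fix_included?(checkout, src[:revision])
    when true  then puts "locked revision contains #{FIX_COMMIT}"
    when false then puts "locked revision does NOT contain #{FIX_COMMIT}"
    else            puts "could not verify (git missing, or revision not in clone)"
    end
  end
end
```

Run it from the app directory with the path of a clone as its first argument; without one it only prints the locked source. A `branch: 2-3-stable` line alone says nothing about how recent the lock is, which is why the script reports the revision and checks ancestry against the fix commit rather than the branch name.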

@steveyken
Commits on Jan 15, 2013
  1. @ernie @cjohansen

    Fix for CVE-2013-0155

    ernie authored cjohansen committed
  2. @cjohansen

    Bump to 2.3.16

    cjohansen authored
2  actionmailer/Rakefile
@@ -54,7 +54,7 @@ spec = Gem::Specification.new do |s|
s.rubyforge_project = "actionmailer"
s.homepage = "http://www.rubyonrails.org"
- s.add_dependency('actionpack', '= 2.3.15' + PKG_BUILD)
+ s.add_dependency('actionpack', '= 2.3.16' + PKG_BUILD)
s.requirements << 'none'
s.require_path = 'lib'
2  actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 15
+ TINY = 16
STRING = [MAJOR, MINOR, TINY].join('.')
end
2  actionpack/Rakefile
@@ -78,7 +78,7 @@ spec = Gem::Specification.new do |s|
s.requirements << 'none'
- s.add_dependency('activesupport', '= 2.3.15' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
s.add_dependency('rack', '~> 1.1.3')
s.require_path = 'lib'
2  actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 15
+ TINY = 16
STRING = [MAJOR, MINOR, TINY].join('.')
end
2  activerecord/Rakefile
@@ -192,7 +192,7 @@ spec = Gem::Specification.new do |s|
s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
end
- s.add_dependency('activesupport', '= 2.3.15' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
s.files.delete FIXTURES_ROOT + "/fixture_database.sqlite"
s.files.delete FIXTURES_ROOT + "/fixture_database_2.sqlite"
2  activerecord/lib/active_record/base.rb
@@ -2340,6 +2340,8 @@ def expand_hash_conditions_for_aggregates(attrs)
def sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
attrs = expand_hash_conditions_for_aggregates(attrs)
+ return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?
+
conditions = attrs.map do |attr, value|
table_name = default_table_name
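
Review bot: the new early return `return '1 = 2' if !top_level && attrs.is_a?(Hash) && attrs.empty?` ships without a test, which the PR description itself flags ("There's no test"); add a case to the activerecord sanitize tests asserting that a conditions Hash with an empty nested Hash (for example `{ :posts => {} }`) produces `1 = 2` rather than an empty fragment, so the guard cannot silently regress. A one-line comment above the return explaining that `'1 = 2'` is an always-false predicate chosen so an empty nested Hash never widens the query would also spare the next reader the "looks strange" reaction recorded in this thread.
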
2  activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 15
+ TINY = 16
STRING = [MAJOR, MINOR, TINY].join('.')
end
4 activeresource/Rakefile
@@ -65,8 +65,8 @@ spec = Gem::Specification.new do |s|
dist_dirs.each do |dir|
s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
end
-
- s.add_dependency('activesupport', '= 2.3.15' + PKG_BUILD)
+
+ s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
s.require_path = 'lib'
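
Review bot: the `-`/`+` pair of blank lines immediately before the `s.add_dependency('activesupport', ...)` change is whitespace-only noise (the line is blank on both sides), so this hunk should be a single-line change like the other Rakefiles; strip the trailing-whitespace edit so the diff shows only the version bump.
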
2  activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 15
+ TINY = 16
STRING = [MAJOR, MINOR, TINY].join('.')
end
4 activesupport/CHANGELOG
@@ -1,3 +1,7 @@
+## Rails 2.3.16 (Jan 15, 2013) ##
+
+* Fix for CVE-2013-0155 (Ernie Miller)
+
## Rails 2.3.15 (Jan 8, 2012) ##
* Hash.from_xml raises when it encounters type="symbol" or type="yaml". Use Hash.from_trusted_xml to parse this XML. CVE-2013-0156 [Jeremy Kemper]
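
Review bot: the new CVE-2013-0155 entry is added to activesupport/CHANGELOG, but the only code change for it in this PR is in activerecord/lib/active_record/base.rb, so the entry belongs in activerecord/CHANGELOG (the 2.3.15 entry just below it is an activesupport change, Hash.from_xml, which is why it lives here). While touching this file, the existing heading `## Rails 2.3.15 (Jan 8, 2012) ##` sits directly under `## Rails 2.3.16 (Jan 15, 2013) ##` and records a CVE-2013 fix, so its year looks like a typo worth correcting in the same commit.
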
2  activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 15
+ TINY = 16
STRING = [MAJOR, MINOR, TINY].join('.')
end
10 railties/Rakefile
@@ -313,11 +313,11 @@ spec = Gem::Specification.new do |s|
EOF
s.add_dependency('rake', '>= 0.8.3')
- s.add_dependency('activesupport', '= 2.3.15' + PKG_BUILD)
- s.add_dependency('activerecord', '= 2.3.15' + PKG_BUILD)
- s.add_dependency('actionpack', '= 2.3.15' + PKG_BUILD)
- s.add_dependency('actionmailer', '= 2.3.15' + PKG_BUILD)
- s.add_dependency('activeresource', '= 2.3.15' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('activerecord', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('actionpack', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('actionmailer', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('activeresource', '= 2.3.16' + PKG_BUILD)
s.rdoc_options << '--exclude' << '.'
2  railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 15
+ TINY = 16
STRING = [MAJOR, MINOR, TINY].join('.')
end