Bug 963332 - (CVE-2016-0752) VUL-0: CVE-2016-0752: rubygem-actionpack, rubygem-actionview: directory traversal and information leak in Action View
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2016-0752:6.8:(AV:N...
Depends on:
Blocks: 963607 963608
Reported: 2016-01-23 21:42 UTC by Andreas Stieger
Modified: 2017-09-11 16:04 UTC (History)
Found By: Security Response Team
Attachments
* 5-0-render_data_leak.patch (10.77 KB, patch), 2016-01-23 21:43 UTC, Andreas Stieger
* 4-2-render_data_leak.patch (11.05 KB, patch), 2016-01-23 21:43 UTC, Andreas Stieger
* 4-1-render_data_leak.patch (11.05 KB, patch), 2016-01-23 21:43 UTC, Andreas Stieger
* 3-2-render_data_leak.patch (5.78 KB, patch), 2016-01-23 21:44 UTC, Andreas Stieger
* updated patch for 3.2 version (1.37 KB, patch), 2016-01-27 09:58 UTC, Jordi Massaguer

Description Andreas Stieger 2016-01-23 21:42:25 UTC
EMBARGOED via distros
CRD: 2016-01-25

Possible Information Leak Vulnerability in Action View

There is a possible directory traversal and information leak vulnerability in
Action View. This vulnerability has been assigned the CVE identifier
CVE-2016-0752.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1

Impact
------
Applications that pass unverified user input to the `render` method in a
controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from
unexpected places like outside the application's view directory, and can
possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
A workaround to this issue is to not pass arbitrary user input to the `render`
method.  Instead, verify that data before passing it to the `render` method.

For example, change this:

```ruby
def index
  render params[:id]
end
```

To this:

```ruby
def index
  render verify_template(params[:id])
end

private
def verify_template(name)
  # add verification logic particular to your application here
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 3-2-render_data_leak.patch - Patch for 3.2 series
* 4-1-render_data_leak.patch - Patch for 4.1 series
* 4-2-render_data_leak.patch - Patch for 4.2 series
* 5-0-render_data_leak.patch - Patch for 5.0 series

Please note that only the 4.1.x and 4.2.x series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.

Credits
-------
Thanks John Poulin for reporting this!
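The Workarounds section above leaves `verify_template` as a stub. As an added example (not code from the Rails advisory, the Rails project, or this bug report), one way to fill it in: an allowlist of template names plus a lexical path-containment check as defence in depth. The views directory and the allowlist entries are constructed for the demo.

```ruby
# Added example, not code from the Rails advisory or this bug: one way to fill
# in the advisory's verify_template hook. Two independent checks run before a
# user-supplied name reaches `render`:
#   1. an allowlist of the template names this action is meant to serve;
#   2. a lexical path-containment check that resolves the name beneath the
#      views directory and refuses anything that escapes it (defence in depth).
# The views directory and template names are constructed for the demo.
require "pathname"

VIEWS_DIR = Pathname.new("/srv/app/app/views/reports")   # assumed, not a real path
ALLOWED_TEMPLATES = %w[index summary detail].freeze      # constructed allowlist

class UnsafeTemplate < StandardError; end

# True only if `name`, joined to views_dir and normalised (".." collapsed
# lexically, so no filesystem access is needed), still lies inside views_dir.
# Pathname#+ returns the right-hand side unchanged when it is absolute, so an
# absolute name also fails this check.
def within_views_dir?(name, views_dir = VIEWS_DIR)
  resolved = (views_dir + name.to_s).cleanpath.to_s
  resolved.start_with?(views_dir.cleanpath.to_s + File::SEPARATOR)
end

# Returns the template name when it is safe to pass to `render`, else raises.
# The allowlist is the real control; the containment check catches a
# misconfigured allowlist (e.g. an entry accidentally containing "../").
def verify_template(name, allowed: ALLOWED_TEMPLATES, views_dir: VIEWS_DIR)
  name = name.to_s
  unless allowed.include?(name)
    raise UnsafeTemplate, "not an allowed template: #{name.inspect}"
  end
  unless within_views_dir?(name, views_dir)
    raise UnsafeTemplate, "template escapes views directory: #{name.inspect}"
  end
  name
end

# Boolean wrapper for controllers that prefer to render a 404 instead of raising.
def safe_template?(name, **opts)
  verify_template(name, **opts)
  true
rescue UnsafeTemplate
  false
end
```

In a controller this becomes `render verify_template(params[:id])` exactly as the advisory shows, with the allowlist kept next to the action that uses it.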
Comment 1 Andreas Stieger 2016-01-23 21:43:24 UTC
Created attachment 662989 [details]
5-0-render_data_leak.patch
Comment 2 Andreas Stieger 2016-01-23 21:43:40 UTC
Created attachment 662990 [details]
4-2-render_data_leak.patch
Comment 3 Andreas Stieger 2016-01-23 21:43:57 UTC
Created attachment 662991 [details]
4-1-render_data_leak.patch
Comment 4 Andreas Stieger 2016-01-23 21:44:12 UTC
Created attachment 662992 [details]
3-2-render_data_leak.patch
Comment 5 Swamp Workflow Management 2016-01-23 23:01:18 UTC
bugbot adjusting priority
Comment 7 Andreas Stieger 2016-01-26 07:26:42 UTC
public at http://seclists.org/oss-sec/2016/q1/206
Comment 9 Jordi Massaguer 2016-01-26 16:31:08 UTC
Portus and studio issues:

963607 963608
Comment 13 Jordi Massaguer 2016-01-27 09:58:17 UTC
Created attachment 663371 [details]
updated patch for 3.2 version

Adapted the patch for the 3.2 version to Ruby 1.8 syntax.

https://github.com/rails/rails/commit/7f71b4d8a4744e26fcec7be13efb243e73ffd3ce

Also I had to update the line numbers in the patch.
Comment 15 Bernhard Wiedemann 2016-01-27 16:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (963332) was mentioned in
https://build.opensuse.org/request/show/356307 42.1 / rubygem-actionpack-4_2
Comment 16 Bernhard Wiedemann 2016-01-27 17:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (963332) was mentioned in
https://build.opensuse.org/request/show/356315 13.2 / rubygem-actionpack-3_2
Comment 17 Bernhard Wiedemann 2016-01-27 18:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (963332) was mentioned in
https://build.opensuse.org/request/show/356334 42.1 / rubygem-actionview-4_2
Comment 18 Jordi Massaguer 2016-01-28 09:06:44 UTC
All submissions done. Assigning to security team.
Comment 19 Swamp Workflow Management 2016-02-07 19:13:34 UTC
openSUSE-SU-2016:0363-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963330,963331,963332
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2016-0751,CVE-2016-0752
Sources used:
openSUSE 13.2 (src):    rubygem-actionpack-3_2-3.2.17-3.7.1, rubygem-activerecord-3_2-3.2.17-3.3.1, rubygem-activesupport-3_2-3.2.17-2.6.1
Comment 20 Swamp Workflow Management 2016-02-07 19:18:16 UTC
openSUSE-SU-2016:0372-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963330,963331,963332,963334,963335
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753
Sources used:
openSUSE Leap 42.1 (src):    rubygem-actionpack-4_2-4.2.4-6.1, rubygem-actionview-4_2-4.2.4-6.1, rubygem-activemodel-4_2-4.2.4-6.1, rubygem-activerecord-4_2-4.2.4-6.1, rubygem-activesupport-4_2-4.2.4-6.1
Comment 21 Swamp Workflow Management 2016-02-15 17:12:20 UTC
SUSE-SU-2016:0456-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 963332
CVE References: CVE-2016-0752
Sources used:
SUSE Enterprise Storage 2.1 (src):    rubygem-actionview-4_2-4.2.2-5.1
Comment 22 Swamp Workflow Management 2016-02-15 17:13:02 UTC
SUSE-SU-2016:0457-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332,963335
CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE Enterprise Storage 2.1 (src):    rubygem-actionpack-4_2-4.2.2-6.1
Comment 23 Swamp Workflow Management 2016-02-26 18:12:20 UTC
SUSE-SU-2016:0599-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 963332
CVE References: CVE-2016-0752
Sources used:
SUSE OpenStack Cloud 5 (src):    rubygem-actionview-4_1-4.1.9-9.1
Comment 24 Swamp Workflow Management 2016-03-01 17:15:20 UTC
SUSE-SU-2016:0618-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332
CVE References: CVE-2015-7576,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE Webyast 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
SUSE Studio Onsite 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
SUSE Lifecycle Management Server 1.3 (src):    rubygem-actionpack-3_2-3.2.12-0.23.1
Comment 25 Marcus Meissner 2016-03-22 15:47:54 UTC
released
Comment 26 Swamp Workflow Management 2016-03-22 20:09:10 UTC
SUSE-SU-2016:0858-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 963329,963331,963332,963335
CVE References: CVE-2015-7576,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752
Sources used:
SUSE OpenStack Cloud 5 (src):    rubygem-actionpack-4_1-4.1.9-9.1