Extremely critical Ruby on Rails bug (CVE-2013-0156)

Added by Djordjije Crni almost 5 years ago

January 8, 2013: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)

http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/

How do I patch RoR in order to fix an installed Redmine v1.4.x (1.4.x requires Rails 2.3.14)?
Upgrade to v2.2.0 is not an option, because of plugin incompatibility...

Replies (9)

RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Jan Niggemann (redmine.org team member) almost 5 years ago

To use Rails 2.3.15, edit your Gemfile and replace the Rails version, then run bundle update to update your bundle.
While it is unlikely that a minor rails update will break something, it still can happen - please make sure you have recent backups.

Migrating to a more recent Redmine release using Rails 3.2.11 as a dependency is a better option if you can allow it.

https://github.com/rails/rails/compare/v2.3.14...v2.3.15
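Added example, not from this thread and not Redmine or Rails code: a small Ruby audit script that performs the version check behind the advice above. It reads the Rails version from the two places a Redmine install records it (the Rails 2.x style `RAILS_GEM_VERSION` line in config/environment.rb, and the `rails (x.y.z)` spec line in Gemfile.lock for Bundler-based installs such as 1.4.x), decides whether that version predates the fixed release for its branch (2.3.15, 3.0.19, 3.1.10 and 3.2.11, as listed in the advisory linked at the top of the thread), and rewrites a `gem "rails", "2.3.14"` pin in a Gemfile to the fixed release so that bundle update picks it up. The file contents below are constructed for the example, the Gemfile pin is assumed to be in the plain `gem "rails", "x.y.z"` form, and the function names are invented here.

```ruby
require 'rubygems' # Gem::Version, so 2.3.9 < 2.3.15 compares numerically, not as strings

# Patched releases from the January 8, 2013 advisory, keyed by branch.
FIXED_RAILS = {
  '2.3' => '2.3.15',
  '3.0' => '3.0.19',
  '3.1' => '3.1.10',
  '3.2' => '3.2.11',
}.freeze

def rails_branch(version_string)
  Gem::Version.new(version_string).segments[0, 2].join('.')
end

# True when this Rails version still carries the CVE-2013-0156 parameter-parsing bug.
def rails_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  return false if v.segments[0] >= 4          # 4.x was released after the fix (assumption: only 2.x/3.x audited)
  fixed = FIXED_RAILS[rails_branch(version_string)]
  return true if fixed.nil?                   # 2.2 and older: unsupported, no fixed release exists
  v < Gem::Version.new(fixed)
end

# Rails 2.x installs without Bundler pin the version in config/environment.rb.
def rails_version_from_environment_rb(text)
  m = text.match(/^\s*RAILS_GEM_VERSION\s*=\s*['"]([\d.]+)['"]/)
  m && m[1]
end

# Bundler-based installs record the resolved version on the spec line of Gemfile.lock
# (the DEPENDENCIES line reads "rails (= x.y.z)" and is deliberately not matched).
def rails_version_from_gemfile_lock(text)
  m = text.match(/^\s+rails \(([\d.]+)\)\s*$/)
  m && m[1]
end

# Rewrite a plain `gem "rails", "x.y.z"` pin to the fixed release for its branch.
# Returns the text unchanged when the pin is already safe or has no fixed release.
def bump_rails_pin(gemfile_text)
  gemfile_text.sub(/(gem\s+["']rails["']\s*,\s*["'])([\d.]+)(["'])/) do
    pre, version, post = $1, $2, $3
    fixed = FIXED_RAILS[rails_branch(version)]
    fixed && rails_vulnerable?(version) ? "#{pre}#{fixed}#{post}" : $&
  end
end

# One-line verdict for a report.
def audit(label, version)
  return "#{label}: rails version not found" if version.nil?
  return "#{label}: rails #{version} ok" unless rails_vulnerable?(version)
  fixed = FIXED_RAILS[rails_branch(version)]
  "#{label}: rails #{version} VULNERABLE (#{fixed ? "upgrade to #{fixed}" : 'unsupported series, migrate'})"
end

# Constructed sample inputs (not real files from any server).
SAMPLE_ENVIRONMENT_RB = "RAILS_GEM_VERSION = '2.3.5' unless defined? RAILS_GEM_VERSION\n"
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem "rails", "2.3.14"
  gem "rake", "~> 0.9.2"
GEMFILE
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (2.3.14)
      rails (2.3.14)
      rake (0.9.2.2)

  DEPENDENCIES
    rails (= 2.3.14)
LOCK

if __FILE__ == $0
  puts audit('config/environment.rb', rails_version_from_environment_rb(SAMPLE_ENVIRONMENT_RB))
  puts audit('Gemfile.lock', rails_version_from_gemfile_lock(SAMPLE_GEMFILE_LOCK))
  puts bump_rails_pin(SAMPLE_GEMFILE)
end
```

Run it against the real config/environment.rb, Gemfile and Gemfile.lock of the instance before and after the bundle update: the Gemfile.lock verdict is the one that reflects what is actually loaded, since environment.rb only states a pin.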

RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Peter Panther almost 5 years ago

I've updated my redmine server 1.4.5 with rails 2.3.15.
After running a set of tests everything seems to be ok!

RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Glenn Gould almost 5 years ago

We have a server with an antique redmine 0.9.2 which seems to use rails 2.3.5 and therefore is affected by this critical Rails bug.

Is there a chance to make 0.9.2 work with rails 2.3.15 and if so, any suggestions how to do it? 2.3.15 doesn't use bundler?

As an alternative, is it safe to disable XML parsing like suggested in the CVE, or will this break Redmine?

RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Jan Niggemann (redmine.org team member) almost 5 years ago

Holy cow, 0.9.2 is 3 years old... What keeps you from updating?

You can copy your instance to a new machine and run the tests with rails 2.3.15...

RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Etienne Massip almost 5 years ago

Glenn Gould wrote:

We have a server with an antique redmine 0.9.2 which seems to use rails 2.3.5 and therefore is affected by this critical Rails bug.

Is there a chance to make 0.9.2 work with rails 2.3.15

You can try as Jan suggested but I'd say no.

As an alternative, is it safe to disable XML parsing like suggested in the CVE, or will this break Redmine?

Yes it should be safe.

RE: Extremely critical Ruby on Rails bug (CVE-2013-0156) - Added by Glenn Gould almost 5 years ago

Thanks for your answers, Jan and Etienne!

If I get the CVE correctly, I need to put something like

ActionController::Base.param_parsers.delete(Mime::XML)

"inside an application initializer."

Unfortunately I'm not really an insider of the Rails world (which is at least part of the problem of sticking with 0.9.2).

Do I get it correctly: that means to put the snippet into <redmine_home>/config/environment.rb?

The file environment.rb looks like this

hoshi:/srv/www/redmine/config/environments# cat ../environment.rb 
# Be sure to restart your web server when you modify this file.

# Uncomment below to force Rails into production mode when 
# you don't control web/app server and can't set it the proper way
# ENV['RAILS_ENV'] ||= 'production'

# Specifies gem version of Rails to use when vendor/rails is not present
RAILS_GEM_VERSION = '2.3.5' unless defined? RAILS_GEM_VERSION

# Bootstrap the Rails environment, frameworks, and default configuration
require File.join(File.dirname(__FILE__), 'boot')

# Load Engine plugin if available
begin
  require File.join(File.dirname(__FILE__), '../vendor/plugins/engines/boot')
rescue LoadError
  # Not available
end

Rails::Initializer.run do |config|
  # Settings in config/environments/* take precedence those specified here

  # Skip frameworks you're not going to use
  # config.frameworks -= [ :action_web_service, :action_mailer ]

  # Add additional load paths for sweepers
  config.load_paths += %W( #{RAILS_ROOT}/app/sweepers )

  # Force all environments to use the same logger level 
  # (by default production uses :info, the others :debug)
  # config.log_level = :debug

  # Enable page/fragment caching by setting a file-based store
  # (remember to create the caching directory and make it readable to the application)
  # config.action_controller.fragment_cache_store = :file_store, "#{RAILS_ROOT}/cache" 

  # Activate observers that should always be running
  # config.active_record.observers = :cacher, :garbage_collector
  config.active_record.observers = :message_observer, :issue_observer, :journal_observer, :news_observer, :document_observer, :wiki_content_observer

  # Make Active Record use UTC-base instead of local time
  # config.active_record.default_timezone = :utc

  # Use Active Record's schema dumper instead of SQL when creating the test database
  # (enables use of different database adapters for development and test environments)
  # config.active_record.schema_format = :ruby

  # Deliveries are disabled by default. Do NOT modify this section.
  # Define your email configuration in email.yml instead.
  # It will automatically turn deliveries on
  config.action_mailer.perform_deliveries = false

  config.gem 'rubytree', :lib => 'tree'

  # Load any local configuration that is kept out of source control
  # (e.g. gems, patches).
  if File.exists?(File.join(File.dirname(__FILE__), 'additional_environment.rb'))
    instance_eval File.read(File.join(File.dirname(__FILE__), 'additional_environment.rb'))
  end
end

So I'd put the code snippet as the first line into the "Rails::Initializer.run do" loop, correct?

Sorry for asking very basic questions, but I'm a little bit lost here...

Thanks again for your help!
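Added example, not part of this thread and not Redmine or Rails code: a stand-alone Ruby model of what the ActionController::Base.param_parsers.delete(Mime::XML) line discussed above actually switches off. It reimplements, in simplified form, the typecast table that Rails 2.3 applied to XML request bodies (the real one lives in ActiveSupport's Hash.from_xml; the two dangerous entries were "yaml", which handed element text to YAML.load, and "symbol", which interned it), shows a constructed XML body instantiating a sender-chosen class and creating an arbitrary symbol under that table, shows the 2.3.15-style fix that drops both entries, and models param_parsers as a content-type to parser registry from which the XML entry is deleted so the body is not parsed at all. `AuditMarker`, `VULNERABLE_CASTS`, `HARDENED_CASTS`, `build_param_parsers` and `parse_request` are names invented for this example. On Ruby 3.1 and later YAML.load is a safe loader, so the vulnerable table calls YAML.unsafe_load where it exists to reproduce the behaviour YAML.load had in 2013; nothing here executes code, it only demonstrates that the class name in the request controls what gets instantiated.

```ruby
require 'rexml/document'
require 'yaml'

# Harmless class used only to prove that a class name chosen by the sender of
# the XML is instantiated by the YAML loader. A real attack names a class whose
# deserialisation has side effects; none of that is shown here.
class AuditMarker
  attr_accessor :note
end

# YAML::load of the Rails 2.3 era deserialised arbitrary Ruby objects; on modern
# Psych that behaviour is YAML.unsafe_load, while YAML.load is a safe loader.
UNSAFE_YAML_LOAD = YAML.respond_to?(:unsafe_load) ? YAML.method(:unsafe_load) : YAML.method(:load)

# Simplified stand-in for the Rails 2.3 XML typecast table, keyed by the
# type="..." attribute that the *client* puts on each element.
VULNERABLE_CASTS = {
  'integer' => ->(s) { s.to_i },
  'boolean' => ->(s) { %w[1 true].include?(s.strip) },
  'symbol'  => ->(s) { s.to_sym },                  # sender-created symbols (never GC'd on Ruby < 2.2)
  'yaml'    => ->(s) { UNSAFE_YAML_LOAD.call(s) },  # sender-controlled YAML fed to the loader
}.freeze

# What the 2.3.15 / 3.2.11 fix amounts to: no yaml or symbol casts at all.
HARDENED_CASTS = VULNERABLE_CASTS.reject { |type, _| %w[yaml symbol].include?(type) }.freeze

# Turn <root><child type="t">text</child>...</root> into a params hash,
# applying whichever cast table is in force. Unknown types stay strings.
def params_from_xml(body, casts)
  params = {}
  REXML::Document.new(body).root.elements.each do |el|
    cast = casts[el.attributes['type']]
    text = el.text.to_s
    params[el.name] = cast ? cast.call(text) : text
  end
  params
end

# Model of the param_parsers registry: content type => parser. disable_xml: true
# is the effect of ActionController::Base.param_parsers.delete(Mime::XML).
def build_param_parsers(casts, disable_xml: false)
  parsers = { 'application/xml' => ->(body) { params_from_xml(body, casts) } }
  parsers.delete('application/xml') if disable_xml
  parsers
end

# With no parser registered for the content type, the body is simply ignored.
def parse_request(content_type, body, parsers)
  parser = parsers[content_type]
  parser ? parser.call(body) : {}
end

# Constructed request body: one legitimate typed field plus the two dangerous types.
ATTACK_BODY = <<~XML
  <issue>
    <priority type="integer">3</priority>
    <sym type="symbol">injected_symbol</sym>
    <probe type="yaml">--- !ruby/object:AuditMarker {note: instantiated by YAML}</probe>
  </issue>
XML

if __FILE__ == $0
  vuln = parse_request('application/xml', ATTACK_BODY, build_param_parsers(VULNERABLE_CASTS))
  puts "vulnerable table:   probe => #{vuln['probe'].class} (#{vuln['probe'].note.inspect}), sym => #{vuln['sym'].inspect}"
  hard = parse_request('application/xml', ATTACK_BODY, build_param_parsers(HARDENED_CASTS))
  puts "hardened table:     probe => #{hard['probe'].class}, sym => #{hard['sym'].inspect}"
  off = parse_request('application/xml', ATTACK_BODY, build_param_parsers(VULNERABLE_CASTS, disable_xml: true))
  puts "XML parser removed: params => #{off.inspect}"
end
```

The third case is the one the initializer line produces: the XML body never reaches the typecast table, so the yaml and symbol entries are unreachable regardless of which Rails release is installed. The cost is that any client posting application/xml to the instance (Redmine's REST API, for one) stops getting its parameters, which is the trade-off to weigh before choosing the workaround over the 2.3.15 upgrade.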
