
Re: [SECURITY] [DLA 3093-1] rails security update



Hi Abhijith,

On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA <abhijith@debian.org> wrote:
> CVE-2022-32224
>
>     When serialized columns that use YAML (the default) are
>     deserialized, Rails uses YAML.unsafe_load to convert the YAML data
>     into Ruby objects. If an attacker can manipulate data in the
>     database (via means like SQL injection), then it may be possible
>     for the attacker to escalate to an RCE.
>
> For Debian 10 buster, these problems have been fixed in version
> 2:5.2.2.1+dfsg-1+deb10u4.

I am afraid that CVE-2022-32224 brings in a bad regression for users,
especially because of the newly added yaml_column_permitted_classes array -
mostly because it didn't have an explicit entry for "Symbol". It's
still being investigated and fixed but this regression is known.
6.1.6.1, which is a security upload (to unstable), also brings in a
regression. I was waiting for the results of the unstable upload to
decide whether to backport this for LTS/ELTS but since you have
uploaded it already, I wonder if you checked for this? Did you
reverse-build the affected components? Did you try this update with
some application?

I have an unverified fix but I need to inject this in unstable first
to be actually able to tell if that works for other releases or not.

That said, I'm going to take care of rails for Bullseye (since you
haven't yet - which was supposed to happen first. :))


- u
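The mechanism behind the regression discussed in this thread, shown as an added example that is not part of the thread or of Rails itself: a serialized column holding Symbol keys fails to deserialize when the permitted-class list lacks Symbol, and `unsafe_load` is contrasted with `safe_load` using a constructed, harmless class. The permitted-class lists, the sample column value and the `AuditNote` class are all constructed for illustration and are not the actual Rails defaults.

```ruby
require "date"
require "yaml"

# Constructed sample of what a serialized Rails column might hold: a settings
# Hash with Symbol keys and values, a very common shape in real applications.
SERIALIZED_COLUMN = { status: :active, retries: 3 }.to_yaml

# Two constructed allow lists standing in for yaml_column_permitted_classes:
# one that forgot Symbol (the regression in the thread) and one that has it.
PERMITTED_WITHOUT_SYMBOL = [Date, Time].freeze
PERMITTED_WITH_SYMBOL    = [Date, Time, Symbol].freeze

# Deserialize the way the patched code path does: only classes on the allow
# list may be instantiated, anything else raises Psych::DisallowedClass.
def load_column(yaml, permitted)
  YAML.safe_load(yaml, permitted_classes: permitted)
end

# Summarise the outcome as :ok or :disallowed so callers can inspect it.
def column_load_result(yaml, permitted)
  load_column(yaml, permitted)
  :ok
rescue Psych::DisallowedClass
  :disallowed
end

# Constructed, harmless class used only to show that unsafe_load instantiates
# whatever Ruby object tag appears in the stored data.
class AuditNote
  attr_accessor :text
end
TAGGED_YAML = "--- !ruby/object:AuditNote\ntext: hello\n"

# YAML.unsafe_load exists from Psych 3.3.2; older Psych spells it YAML.load.
def unsafe_load(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Name of the class produced by the chosen loader, or "refused" when the
# safe loader rejects the tag.
def instantiated_class(yaml, safe:)
  obj = safe ? load_column(yaml, PERMITTED_WITH_SYMBOL) : unsafe_load(yaml)
  obj.class.name
rescue Psych::DisallowedClass
  "refused"
end

if $PROGRAM_NAME == __FILE__
  puts column_load_result(SERIALIZED_COLUMN, PERMITTED_WITHOUT_SYMBOL) # :disallowed
  puts column_load_result(SERIALIZED_COLUMN, PERMITTED_WITH_SYMBOL)    # :ok
  puts instantiated_class(TAGGED_YAML, safe: false)                    # AuditNote
  puts instantiated_class(TAGGED_YAML, safe: true)                     # refused
end
```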

