
Re: [SECURITY] [DLA 3093-1] rails security update



Hey,

On 05/09/22 06:09 PM, Utkarsh Gupta wrote:
> Hi Abhijith,
> 
> On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA <abhijith@debian.org> wrote:
> > CVE-2022-32224
> >
> >     When serialized columns that use YAML (the default) are
> >     deserialized, Rails uses YAML.unsafe_load to convert the YAML data
> >     into Ruby objects. If an attacker can manipulate data in the
> >     database (via means like SQL injection), then it may be possible
> >     for the attacker to escalate to an RCE.
> >
> > For Debian 10 buster, these problems have been fixed in version
> > 2:5.2.2.1+dfsg-1+deb10u4.
> 
> I am afraid that CVE-2022-32224 brings in a bad regression for users,
> especially because of the newly added yaml_column_permitted_classes array -
> mostly because it didn't have an explicit entry for "Symbol". It's
> still being investigated and fixed but this regression is known.
> 6.1.6.1, which is a security upload (to unstable), also brings in a
> regression. I was waiting for the results of the unstable upload to
> decide whether to backport this for LTS/ETLS but since you have
> uploaded it already, I wonder if you checked for this? Did you
> reverse-build the affected components? Did you try this update with
> some application?

I relied on https://wiki.debian.org/LTS/TestSuites/rails. And pulled a
couple of random Rails apps from the Internet to run with my build. It was
OK for me. Sure, I will look at this more.
 
> I have an unverified fix but I need to inject this in unstable first
> to be actually able to tell if that works for other releases or not.

ACK

> That said, I'm going to take care of rails for Bullseye (since you
> haven't yet - which was supposed to happen first. :))

I saw someone working on rails in ruby-team.
https://lists.debian.org/debian-ruby/2022/08/msg00071.html
I assumed there would also be an upload for buster.


--abhijith
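
The behaviour the thread is arguing about, as an added example that is not part of this mail thread, the DLA text, or the Rails or Debian packaging code. It uses plain Psych (the `yaml` stdlib that Rails' YAML column coder sits on) to show, first, why deserializing a serialized column with `YAML.unsafe_load` lets anyone who can write to the database name an arbitrary Ruby class in a `!ruby/object:` tag, and second, why switching that column to `YAML.safe_load` with a permitted-classes list that omits `Symbol` breaks ordinary data such as a Hash with symbol keys. The `Gadget` class, the two column values and the `load_column_*` helper names are constructed for the example; `Gadget` is only a stand-in for "some class the application happens to have loaded", not a real exploit chain.

```ruby
require "yaml"

# Constructed stand-in for an application class an attacker could name in a
# YAML tag. It is deliberately harmless: the point is only that unsafe_load
# instantiates whatever class the document names and sets its ivars.
class Gadget
  attr_accessor :cmd
end

# Constructed "good" column value: a Hash with Symbol keys and a Symbol in an
# Array, the shape a `serialize :prefs` column commonly stores.
BENIGN_COLUMN = { flags: [:beta] }.to_yaml

# Constructed attacker-controlled column value, as if written via SQL injection.
HOSTILE_COLUMN = "--- !ruby/object:Gadget\ncmd: id\n"

# Pre-fix behaviour: the stored YAML is turned into Ruby objects with no class
# restriction. Psych >= 3.3.2 names this unsafe_load; on older Psych the plain
# load method is already the unsafe one, so fall back to it there.
def load_column_unsafe(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Post-fix behaviour: only the basic YAML types plus the classes listed in
# permitted_classes may be revived. Returns [:ok, value] on success or
# [:disallowed, message] when Psych refuses a class, so callers can audit
# existing rows instead of crashing on them.
def load_column_safe(yaml, permitted_classes: [])
  # aliases: true keeps YAML anchors/aliases working, as serialized columns
  # written by older Rails may contain them.
  [:ok, YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: true)]
rescue Psych::DisallowedClass => e
  [:disallowed, e.message]
end

# Audit helper: given the permitted list a deployment will use, report which
# constructed column values would stop loading after the update.
def regressions_under(permitted_classes)
  { benign: BENIGN_COLUMN, hostile: HOSTILE_COLUMN }.select do |_name, yaml|
    load_column_safe(yaml, permitted_classes: permitted_classes).first == :disallowed
  end.keys
end

if $PROGRAM_NAME == __FILE__
  obj = load_column_unsafe(HOSTILE_COLUMN)
  puts "unsafe_load revived #{obj.class} with cmd=#{obj.cmd.inspect}"
  puts "safe_load, no Symbol permitted: #{load_column_safe(BENIGN_COLUMN).inspect}"
  puts "safe_load, Symbol permitted:    #{load_column_safe(BENIGN_COLUMN, permitted_classes: [Symbol]).inspect}"
  puts "rows that regress with []:       #{regressions_under([]).inspect}"
  puts "rows that regress with [Symbol]: #{regressions_under([Symbol]).inspect}"
end
```

Run as a script it shows the two sides of the trade-off: with an empty permitted list the hostile row is refused, but so is the benign row, because `Psych.safe_load` treats `Symbol` like any other non-basic class; adding `Symbol` to the list restores the benign row while still refusing `Gadget`. Before shipping a backport like the one discussed above, running the `load_column_safe` check over a dump of an application's real serialized columns, with the permitted list the package will use, is the quickest way to find out whether the "missing Symbol" regression bites that application.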

