Re: [SECURITY] [DLA 3093-1] rails security update
On 05/09/22 06:09 PM, Utkarsh Gupta wrote:
> Hi Abhijith,
> On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA <firstname.lastname@example.org> wrote:
> > CVE-2022-32224
> > When serialized columns that use YAML (the default) are
> > deserialized, Rails uses YAML.unsafe_load to convert the YAML data
> > into Ruby objects. If an attacker can manipulate data in the
> > database (via means like SQL injection), then it may be possible
> > for the attacker to escalate to an RCE.
> > For Debian 10 buster, these problems have been fixed in version
> > 2:188.8.131.52+dfsg-1+deb10u4.
> I am afraid that CVE-2022-32224 brings in a bad regression for users,
> esp. because of the newly added yaml_column_permitted_classes array -
> mostly because it didn't have an explicit entry for "Symbol". It's
> still being investigated and fixed but this regression is known.
> 184.108.40.206, which is a security upload (to unstable) also brings in a
> regression. I was waiting for the results of the unstable upload to
> decide whether to backport this for LTS/ETLS but since you have
> uploaded it already, I wonder if you checked for this? Did you
> reverse-build the affected components? Did you try this update with
> some application?
I relied on https://wiki.debian.org/LTS/TestSuites/rails and pulled a
couple of random rails apps from the Internet to run with my build. It was
OK for me. Sure, I will look at this more.
> I have an unverified fix but I need to inject this in unstable first
> to be actually able to tell if that works for other releases or not.
> That said, I'm going to take care of rails for Bullseye (since you
> haven't yet - which was supposed to happen first. :))
I saw someone working on rails in ruby-team.
I assumed there would also be an upload for buster.
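An added Ruby example, not part of this thread or of the Debian rails package, illustrating the behaviour the thread discusses: a serialized column is loaded with YAML.safe_load and an explicit permitted-classes list instead of YAML.unsafe_load. A Hash with Symbol keys (a very common serialized-column shape) fails to load unless Symbol is in the list, which is the regression Utkarsh describes, while a YAML document carrying an arbitrary !ruby/object tag is rejected in either case. The column contents and the OpenStruct tag are constructed sample data; load_column and load_column_outcome are hypothetical helper names.

```ruby
require "yaml"

# Constructed sample: what a serialized column typically holds once Rails
# has written a Hash with Symbol keys and a Symbol value to the database.
SERIALIZED_COLUMN = { name: "alice", roles: [:admin] }.to_yaml

# Constructed sample: a column value that asks YAML to instantiate an
# arbitrary Ruby object. unsafe_load would honour the tag; safe_load refuses.
OBJECT_PAYLOAD = "--- !ruby/object:OpenStruct\ntable:\n  :x: 1\n"

# Deserialize a column the way the patched Rails does: only the classes in
# permitted_classes may be instantiated. Symbol must be listed explicitly,
# otherwise symbol keys and values raise Psych::DisallowedClass.
def load_column(yaml, permitted_classes:)
  YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: true)
end

# Wrapper returning [:ok, value] or [:disallowed, message] so callers can
# see which class the restricted loader refused.
def load_column_outcome(yaml, permitted_classes:)
  [:ok, load_column(yaml, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass => e
  [:disallowed, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Without Symbol: the regression seen by applications after the fix.
  p load_column_outcome(SERIALIZED_COLUMN, permitted_classes: [])
  # With Symbol permitted: the column loads as before.
  p load_column_outcome(SERIALIZED_COLUMN, permitted_classes: [Symbol])
  # An object tag is refused regardless of the (small) permitted list.
  p load_column_outcome(OBJECT_PAYLOAD, permitted_classes: [Symbol])
end
```

In a Rails application the list shown here corresponds to the setting the thread refers to, config.active_record.yaml_column_permitted_classes; any application whose serialized columns contain Symbol, Date or Time values needs those classes listed there after the update, which is why a missing Symbol entry surfaces as a load-time regression rather than a silent change.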