Re: [SECURITY] [DLA 3093-1] rails security update
[[resending with a different mail address due to a couple of MTA rejections]]
On 05/09/22 06:28 PM, Abhijith PA wrote:
> Hey,
>
> On 05/09/22 06:09 PM, Utkarsh Gupta wrote:
> > Hi Abhijith,
> >
> > On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA <abhijith@debian.org> wrote:
> > > CVE-2022-32224
> > >
> > > When serialized columns that use YAML (the default) are
> > > deserialized, Rails uses YAML.unsafe_load to convert the YAML data
> > > into Ruby objects. If an attacker can manipulate data in the
> > > database (via means like SQL injection), then it may be possible
> > > for the attacker to escalate to an RCE.
> > >
> > > For Debian 10 buster, these problems have been fixed in version
> > > 2:5.2.2.1+dfsg-1+deb10u4.
> >
> > I am afraid that CVE-2022-32224 brings in a bad regression for users,
> > esp. because of the newly added yaml_column_permitted_classes array -
> > mostly because it didn't have an explicit entry for "Symbol". It's
> > still being investigated and fixed but this regression is known.
> > 6.1.6.1, which is a security upload (to unstable) also brings in a
> > regression. I was waiting for the results of the unstable upload to
> > decide whether to backport this for LTS/ELTS but since you have
> > uploaded it already, I wonder if you checked for this? Did you
> > reverse-build the affected components? Did you try this update with
> > some application?
>
> I relied on https://wiki.debian.org/LTS/TestSuites/rails and pulled a
> couple of random Rails apps from the Internet to run with my build. It was
> OK for me. Sure, I will look at this more.
>
> > I have an unverified fix but I need to inject this in unstable first
> > to be actually able to tell if that works for other releases or not.
>
> ACK
>
> > That said, I'm going to take care of rails for Bullseye (since you
> > haven't yet - which was supposed to happen first. :))
>
> I saw someone working on rails in ruby-team.
> https://lists.debian.org/debian-ruby/2022/08/msg00071.html
> Assumed, there will be also an upload for buster.
^^^^^^ Oops bullseye
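The mechanism discussed in the thread above, reduced to plain Psych calls as an added example (this is not code from the thread, from Debian or from Rails): an unsafe loader builds whatever object the stored YAML names, a permitted-class loader refuses anything not on the list, and a list without Symbol also refuses an ordinary serialized Hash with symbol keys, which is the regression Utkarsh describes. AuditNote, the sample column values and the `permitted` argument are constructed stand-ins for a real serialized column and for yaml_column_permitted_classes.

```ruby
require "yaml"

# Harmless class whose instantiation shows that unsafe loading builds
# arbitrary Ruby objects straight from data stored in the database.
class AuditNote
  attr_accessor :text
end

# Pre-fix behaviour of a serialized column: any tagged YAML is instantiated.
# (YAML.load is the unsafe variant on Rubies that predate unsafe_load.)
def load_unsafe(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Post-fix behaviour: only classes on the permitted list may appear.
# `permitted` plays the role of the yaml_column_permitted_classes array.
def load_permitted(yaml, permitted)
  YAML.safe_load(yaml, permitted_classes: permitted, aliases: false)
end

# Classify a stored value under a given permitted list:
# :ok, or :rejected when Psych refuses a class that is not on the list.
def column_loads?(yaml, permitted)
  load_permitted(yaml, permitted)
  :ok
rescue Psych::DisallowedClass
  :rejected
end

# Constructed stored column values.
TAGGED_OBJECT = "--- !ruby/object:AuditNote\ntext: hello\n"
SYMBOL_COLUMN = YAML.dump({ status: :active }) # typical `serialize` content

if __FILE__ == $PROGRAM_NAME
  p load_unsafe(TAGGED_OBJECT).class        # AuditNote: stored data built an object
  p column_loads?(TAGGED_OBJECT, [])        # :rejected
  p column_loads?(SYMBOL_COLUMN, [])        # :rejected (the regression)
  p column_loads?(SYMBOL_COLUMN, [Symbol])  # :ok
end
```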