
Re: [SECURITY] [DLA 3093-1] rails security update



[[resending with a different mail address due to a couple of MTA rejections]]

On 05/09/22 06:28 PM, Abhijith PA wrote:
> Hey,
> 
> On 05/09/22 06:09 PM, Utkarsh Gupta wrote:
> > Hi Abhijith,
> > 
> > On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA <abhijith@debian.org> wrote:
> > > CVE-2022-32224
> > >
> > >     When serialized columns that use YAML (the default) are
> > >     deserialized, Rails uses YAML.unsafe_load to convert the YAML data
> > >     in to Ruby objects. If an attacker can manipulate data in the
> > >     database (via means like SQL injection), then it may be possible
> > >     for the attacker to escalate to an RCE.
> > >
> > > For Debian 10 buster, these problems have been fixed in version
> > > 2:5.2.2.1+dfsg-1+deb10u4.
> > 
> > I am afraid that CVE-2022-32224 brings in a bad regression for users,
> > esp because of the newly added yaml_column_permitted_classes array -
> > mostly because it didn't have an explicit entry for "Symbol". It's
> > still being investigated and fixed but this regression is known.
> > 6.1.6.1, which is a security upload (to unstable) also brings in a
> > regression. I was waiting for the results of the unstable upload to
> > decide whether to backport this for LTS/ETLS but since you have
> > uploaded it already, I wonder if you checked for this? Did you
> > reverse-build the affected components? Did you try this update with
> > some application?
> 
> I relied on https://wiki.debian.org/LTS/TestSuites/rails and pulled a
> couple of random rails apps from the Internet to run with my build. It was
> ok for me. Sure, I will look at this more.
>  
> > I have an unverified fix but I need to inject this in unstable first
> > to be actually able to tell if that works for other releases or not.
> 
> ACK
> 
> > That said, I'm going to take care of rails for Bullseye (since you
> > haven't yet - which was supposed to happen first. :))
> 
> I saw someone working on rails in ruby-team. 
> https://lists.debian.org/debian-ruby/2022/08/msg00071.html
> I assumed there will also be an upload for buster.
                                             ^^^^^^  Oops bullseye
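The allow-list behaviour this thread is about, as an added example that is not part of the original mails or of the Debian rails package: it loads YAML-serialized column values through Psych's `safe_load` with an explicit `permitted_classes` list, standing in for Rails' `yaml_column_permitted_classes`. The `Preference` class, the sample payloads and the `load_column`/`probe`/`load_unchecked` helpers are constructed for illustration. Without `Symbol` on the list, a Hash with Symbol keys is refused, which is the regression described above; with the list in place, an unexpected object tag is rejected instead of instantiated, whereas the unchecked load (the pre-fix `unsafe_load` path) builds it.

```ruby
require "yaml"

# Constructed stand-in for an application class that a serialized column might
# legitimately hold (hypothetical; not from Rails or the Debian package).
class Preference
  attr_reader :label
  def initialize(label)
    @label = label
  end
end

# Constructed sample payloads: the kind of values Rails' `serialize` stores
# via YAML.dump by default. A Hash with Symbol keys is the common case that
# breaks when Symbol is missing from the allow-list.
SYMBOL_COLUMN = YAML.dump({ theme: :dark, notify: true })
OBJECT_COLUMN = YAML.dump(Preference.new("compact"))

# Loads a serialized column with an explicit allow-list, mirroring the intent
# of yaml_column_permitted_classes: only listed classes may be instantiated.
def load_column(yaml, permitted_classes: [])
  YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: false)
end

# Returns :ok when the value loads, or :disallowed when Psych refuses a class
# that is not on the allow-list (Psych::DisallowedClass).
def probe(yaml, permitted_classes: [])
  load_column(yaml, permitted_classes: permitted_classes)
  :ok
rescue Psych::DisallowedClass
  :disallowed
end

# The pre-fix behaviour: no allow-list at all, so any tagged class is built.
# YAML.unsafe_load exists on Psych >= 3.3.2; on older Psych, YAML.load is the
# equivalent unchecked entry point.
def load_unchecked(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

if __FILE__ == $PROGRAM_NAME
  # Regression case from the thread: Symbol absent from the allow-list.
  puts "symbols, no Symbol permitted: #{probe(SYMBOL_COLUMN)}"
  puts "symbols, Symbol permitted:    #{probe(SYMBOL_COLUMN, permitted_classes: [Symbol])}"
  # Hardening case: an unexpected object tag is rejected instead of built.
  puts "object, not permitted:        #{probe(OBJECT_COLUMN)}"
  puts "object, Preference permitted: #{probe(OBJECT_COLUMN, permitted_classes: [Preference])}"
  puts "object, unchecked load:       #{load_unchecked(OBJECT_COLUMN).class}"
end
```

The first two `probe` calls are the check a packager would want before shipping: if an application's serialized columns carry Symbol keys (the Rails default when a Hash literal with symbol keys is stored), the allow-list must include `Symbol`, or every read of that column raises. The remaining calls show what the allow-list buys: a tag for a class nobody listed is refused rather than instantiated.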
                                  

