Re: [CVE-2014-3482] [CVE-2014-3483] Ruby on Rails: Two Active Record SQL Injection Vulnerabilities Affecting PostgreSQL

[Rafael Mendonça França <rafaelmfranca () gmail com>]

Now with the attached patches.

Rafael Mendonça França
http://twitter.com/rafaelfranca
https://github.com/rafaelfranca


On Wed, Jul 2, 2014 at 2:11 PM, Rafael Mendonça França <
rafaelmfranca () gmail com> wrote:

> There are two distinct but related vulnerabilities in PostgreSQL adapter for Active Record. These vulnerabilities 
> have been assigned the CVE identifiers CVE-2014-3482 and CVE-2014-3483.
>
> Versions Affected:  All Versions > 2.0
> Not affected:       Databases other than PostgreSQL
> Fixed Versions:     3.2.19, 4.0.7 & 4.1.3
>
> Impact
> ------
> PostgreSQL supports a number of unique data types which are not present in other supported databases.  A bug in the 
> SQL quoting code in ActiveRecord can allow an attacker to inject arbitrary SQL using carefully crafted values.
>
> Only applications which query against either bitstring or range types are vulnerable. The particular data types 
> affected depend on the version of Rails you're using, but the vulnerable code will look the same.  Vulnerable code 
> will take either take the form of:
>
>   Model.where(bitstring: params[:some_value])
>   Model.where(range: params[:from]..params[:to])
>
> The specific versions affected is included below, however all users running an affected release should upgrade 
> immediately.
>
> SQL Injection Vulnerability in 'bitstring' quoting
> ==================================================
> Versions Affected: 2.0.0-3.2.18
> Not Affected: 4.0 and Later
> Identifier: CVE-2014-3482
>
> SQL Injection Vulnerability in 'range' quoting
> ==============================================
> Versions Affected: 4.0.0-4.1.2
> Not Affected: All versions prior to 4.0.0
> Identifier: CVE-2014-3483
>
> Releases
> --------
> The 3.2.19, 4.0.7 & 4.1.3 releases are available at the normal locations.
>
> Workarounds
> -----------
> The only feasible workaround for this issue is to not allow user controlled values to be used in queries with the 
> affected data types.  Given the difficulty of ensuring this, upgrading is strongly advised.
>
> Patches
> -------
> To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series and 
> the last major release series.  They are in git-am format and consist of a single changeset.
>
> * 4-1-postgres-sqli.patch - Patch for 4.1 series
> * 4-0-postgres-sqli.patch - Patch for 4.0 series
> * 3-2-postgres-sqli.patch - Patch for 3.2 series
>
> Please note that only the 4.0.x and 4.1.x series receive regular security updates at present.  Users of earlier 
> unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of 
> security fixes for earlier releases.
>
> Credits
> -------
>
> Thanks to Sean Griffin of thoughtbot for reporting the vulnerability to us, and to Jeff Jarmoc of Matasano and 
> Charlie Somerville of GitHub for working with us to review the patches and advisories.
>
> Rafael Mendonça França
> http://twitter.com/rafaelfranca
> https://github.com/rafaelfranca

Attachment: 3-2-postgres-sqli.patch
Description:

Attachment: 4-0-postgres-sqli.patch
Description:

Attachment: 4-1-postgres-sqli.patch
Description: