GLSA 201401-22: Active Record: SQL injection

Severity:low
Title:Active Record: SQL injection
Date:01/21/2014
Bugs: #449826
ID:201401-22

Synopsis

A vulnerability in Active Record could allow a remote attacker to inject SQL commands.

Background

Active Record is a Ruby gem that allows database entries to be manipulated as objects.

Affected packages

Package Vulnerable Unaffected Architecture(s)
dev-ruby/activerecord < 2.3.14-r1 >= 2.3.14-r1 All supported architectures

Description

An Active Record method parameter can mistakenly be used as a scope.

Impact

A remote attacker could use specially crafted input to execute arbitrary SQL statements.

Workaround

The vulnerability may be mitigated by converting the input to an expected value. This is accomplished by changing instances of ‘Post.find_by_id(params[:id])’ in code using Active Record to ‘Post.find_by_id(params[:id].to_s)’

Resolution

All Active Record users should upgrade to the latest version:

      # emerge --sync
      # emerge --ask --oneshot --verbose ">=dev-ruby/activerecord-2.3.14-r1"
    

References

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201401-22.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Thank you!