CVE-2013-4389

Published: 17 October 2013

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.
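The following Ruby is an added illustration of the failure mode, not code from the Rails project or from this tracker. It models the vulnerable pattern on the `info("\nSent mail to #{recipients} ...` line quoted in the notes below; the remainder of that line, the fixed form and the sample addresses are assumptions, constructed here to show why a `%` in a recipient address turns a log call into an exception.

```ruby
# Added illustration of CVE-2013-4389; not the Rails project's code. Rails 3.x
# interpolated the recipient addresses into the log message and then applied
# String#% to the result, so the untrusted address became part of the format
# string. The full right-hand side of that line and the fixed form are
# assumptions modelled on the 3.2.15 change, not a verbatim copy.

class FakeLogSubscriber
  attr_reader :lines

  def initialize
    @lines = []
  end

  # Vulnerable pattern: interpolation first, then "%" parses the whole string
  # as a format. A "%" inside `recipients` is read as a directive, and
  # String#% raises ArgumentError ("malformed format string" or "too few
  # arguments"), so delivery aborts with an exception.
  def log_vulnerable(recipients, duration_ms)
    @lines << ("\nSent mail to #{recipients} (%.1fms)" % duration_ms)
  end

  # Fixed pattern: no format string at all. The duration is interpolated
  # like everything else, so "%" in an address is just a character.
  def log_fixed(recipients, duration_ms)
    @lines << "\nSent mail to #{recipients} (#{duration_ms.round(1)}ms)"
  end
end

# Runs one logging method and reports [:ok, line] or [:error, message].
def try_log(method, recipients, duration_ms = 12.34)
  sub = FakeLogSubscriber.new
  sub.public_send(method, recipients, duration_ms)
  [:ok, sub.lines.last]
rescue ArgumentError => e
  [:error, e.message]
end

# Constructed sample addresses: one benign, three containing "%".
BENIGN  = "alice@example.com"
CRAFTED = ["%s@example.com", "bob%n@example.com", "100%@example.com"]

if __FILE__ == $0
  puts try_log(:log_vulnerable, BENIGN).inspect
  CRAFTED.each do |addr|
    v = try_log(:log_vulnerable, addr)
    f = try_log(:log_fixed, addr)
    puts "#{addr}: vulnerable=#{v.first} (#{v.last.inspect}) fixed=#{f.first}"
  end
end
```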

Priority

Medium

Status

Package                  Release                         Status
rails                    Upstream                        Released (3.2.15, 4.0.0)
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist (trusty was not-affected [contains no code])
rails-4.0                Upstream                        Not vulnerable
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist (trusty was not-affected)
ruby-actionmailer-2.3    Upstream                        Not vulnerable
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist
ruby-actionmailer-3.2    Upstream                        Released (3.2.15)
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist (trusty was not-affected [3.2.16-1])
                         Patches:
                         Upstream: https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ
ruby-actionpack-2.3      Upstream                        Ignored (reached end-of-life)
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist
ruby-actionpack-3.2      Upstream                        Not vulnerable
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist (trusty was not-affected)
ruby-activerecord-2.3    Upstream                        Ignored (reached end-of-life)
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist
ruby-activerecord-3.2    Upstream                        Not vulnerable
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist (trusty was not-affected)
ruby-activesupport-2.3   Upstream                        Ignored (reached end-of-life)
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist
ruby-activesupport-3.2   Upstream                        Not vulnerable
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist (trusty was not-affected)
ruby-rails-2.3           Upstream                        Ignored (reached end-of-life)
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist
ruby-rails-3.2           Upstream                        Not vulnerable
                         Ubuntu 14.04 ESM (Trusty Tahr)  Does not exist (trusty was not-affected)

Notes

Author       Note
mdeslaur     In Oneiric+, the rails package is just for transition.
seth-arnold  Only 3.x.x is affected; earlier and 4.0.x are safe.
             The patch standardizes some log handling across multiple packages,
             but the security fix looks restricted to just one line in Action Mailer:
             info("\nSent mail to #{recipients} ...
             The other packages can be left alone.
