[[resending with a different mail address due to a couple of MTA rejections]]

On 05/09/22 06:28 PM, Abhijith PA wrote:
> Hey,
>
> On 05/09/22 06:09 PM, Utkarsh Gupta wrote:
> > Hi Abhijith,
> >
> > On Sat, Sep 3, 2022 at 5:04 PM Abhijith PA <abhij...@debian.org> wrote:
> > > CVE-2022-32224
> > >
> > > When serialized columns that use YAML (the default) are
> > > deserialized, Rails uses YAML.unsafe_load to convert the YAML data
> > > into Ruby objects. If an attacker can manipulate data in the
> > > database (via means like SQL injection), then it may be possible
> > > for the attacker to escalate to an RCE.
> > >
> > > For Debian 10 buster, these problems have been fixed in version
> > > 2:5.2.2.1+dfsg-1+deb10u4.
> >
> > I am afraid that CVE-2022-32224 brings in a bad regression for users,
> > esp. because of the newly added yaml_column_permitted_classes array,
> > mostly because it didn't have an explicit entry for "Symbol". It's
> > still being investigated and fixed, but this regression is known.
> > 6.1.6.1, which is a security upload (to unstable), also brings in a
> > regression. I was waiting for the results of the unstable upload to
> > decide whether to backport this for LTS/ELTS, but since you have
> > uploaded it already, I wonder if you checked for this? Did you
> > reverse-build the affected components? Did you try this update with
> > some application?
>
> I relied on https://wiki.debian.org/LTS/TestSuites/rails, and pulled a
> couple of random rails apps from the Internet to run with my build. It was
> ok for me. Sure, I will look at this more.
>
> > I have an unverified fix, but I need to inject this in unstable first
> > to be actually able to tell if that works for other releases or not.
>
> ACK
>
> > That said, I'm going to take care of rails for Bullseye (since you
> > haven't yet, which was supposed to happen first. :))
>
> I saw someone working on rails in ruby-team.
> https://lists.debian.org/debian-ruby/2022/08/msg00071.html
> Assumed there will also be an upload for buster.
                                             ^^^^^^ Oops, bullseye
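Added illustration (Ruby, not from this thread or from the Debian rails package): a pre-upgrade audit that loads stored column values the way the CVE-2022-32224 fix does (YAML.safe_load with an explicit allow-list in place of YAML.unsafe_load) and reports which rows would stop deserializing, which is exactly what happens to Symbol-bearing rows when "Symbol" is missing from the allow-list. The function names, SAMPLE_ROWS and the allow-list contents are assumptions made for the example.

```ruby
require "yaml"

# Loads one serialized column value the way the CVE-2022-32224 fix does:
# YAML.safe_load with an explicit allow-list instead of YAML.unsafe_load.
# permitted_classes plays the role of yaml_column_permitted_classes.
def load_column(yaml, permitted_classes: [])
  YAML.safe_load(yaml, permitted_classes: permitted_classes, aliases: true)
end

# Wraps load_column so an audit can report failures instead of aborting:
# returns [:ok, value] or [:disallowed, message] (e.g. for a Symbol).
def try_load(yaml, permitted_classes: [])
  [:ok, load_column(yaml, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass => e
  [:disallowed, e.message]
end

# Walks { row_id => stored_yaml } pairs and returns the rows that would no
# longer deserialize under the given allow-list, keyed by row id.
def audit_serialized_rows(rows, permitted_classes: [])
  rows.each_with_object({}) do |(id, yaml), failures|
    status, detail = try_load(yaml, permitted_classes: permitted_classes)
    failures[id] = detail if status == :disallowed
  end
end

# Constructed sample rows, dumped the way ActiveRecord's YAML coder stores a
# `serialize`d attribute: row 1 holds only strings and integers, rows 2 and 3
# contain Symbols (common for hash keys and enum-like values).
SAMPLE_ROWS = {
  1 => YAML.dump({ "theme" => "dark", "login_count" => 3 }),
  2 => YAML.dump({ theme: "dark", notifications: true }),
  3 => YAML.dump([:admin, :editor]),
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Without Symbol on the allow-list rows 2 and 3 fail; with it, none do.
  puts "allow-list []:       #{audit_serialized_rows(SAMPLE_ROWS)}"
  puts "allow-list [Symbol]: #{audit_serialized_rows(SAMPLE_ROWS, permitted_classes: [Symbol])}"
end
```

Running the audit against a dump of the real serialized columns before deploying the fix shows which rows need Symbol (or Date, Time, etc.) added to the allow-list.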