Quoting from an upcoming Ruby on Rails security advisory:
XSS Vulnerability in simple_format helper
There is a vulnerability in the simple_format helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6416.
Versions Affected: 4.0.0 & 4.0.1
Not affected: Versions prior to 4.0
Fixed Versions: 4.0.2
Impact
------
The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.
All users running an affected release and passing user-controlled html attributes to simple_format should either upgrade or use one of the workarounds immediately.
Releases
--------
The 4.0.2 release is available at the normal locations.
Credits
-------
Thanks to Kevin Reintjes for reporting the vulnerability to us and helping us work on a fix.
This issue only affected Ruby on Rails 4.0, which is not shipped as part of any Red Hat product.
Statement:
Not vulnerable. This issue did not affect the versions of rubygem-actionpack as shipped with various Red Hat products.