Bug 1036914 (CVE-2013-6416)

Summary: CVE-2013-6416 rubygem-actionpack: simple_format XSS
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: rubygem-actionpack 4.0.2
Doc Type: Bug Fix
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
CC: bgollahe, drieden, hhorak, jorton, jrusnack, jstribny, mmaslano, nobody+bgollahe, ruby-maint, security-response-team, tdawson, tkramer, vondruch
Last Closed: 2013-12-16 14:59:59 UTC
Bug Depends On: 1036421
Bug Blocks: 1036411

Attachments:
Upstream patch for 4.0.x (flags: none)

Description Tomas Hoger 2013-12-02 21:47:29 UTC
Quoting from an upcoming Ruby on Rails security advisory:

XSS Vulnerability in simple_format helper 

There is a vulnerability in the simple_format helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6416.

Versions Affected:  4.0.0 & 4.0.1
Not affected:       Versions prior to 4.0
Fixed Versions:     4.0.2

The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.

All users running an affected release and passing user-controlled html attributes to simple_format should either upgrade or use one of the workarounds immediately.

The 4.0.2 release is available at the normal locations. 

Thanks to Kevin Reintjes for reporting the vulnerability to us and helping us work on a fix.
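To make the advisory's point concrete, here is an added Ruby illustration (not Rails' own simple_format code, and not the upstream patch): a constructed paragraph-wrapping helper written once in the vulnerable shape the advisory describes, where caller-supplied HTML attribute values reach the tag unescaped, and once in a hardened shape that restricts attribute names and HTML-escapes attribute values. The helper names, the `ATTR_NAME` pattern and the tainted sample value are all assumptions made for this example. A small inspection function lists the attribute names that end up on the rendered `<p>` tag, which is the check a reviewer or test suite would use to spot attribute injection.

```ruby
require 'cgi'

# Added illustration (not Rails' own simple_format): wraps each paragraph of
# text in a <p> tag and accepts caller-supplied HTML attributes.

def paragraphs(text)
  text.to_s.split(/\n\n+/).map(&:strip).reject(&:empty?)
end

# Vulnerable pattern: paragraph text is escaped, but attribute VALUES are
# interpolated verbatim. A value containing a double quote therefore closes
# the attribute and can add further attributes to the tag.
def simple_format_unescaped(text, html_options = {})
  attrs = html_options.map { |k, v| %( #{k}="#{v}") }.join
  paragraphs(text).map { |p| "<p#{attrs}>#{CGI.escapeHTML(p)}</p>" }.join("\n")
end

# Hardened pattern: attribute names must match a conservative syntax (assumed
# pattern for this example) and attribute values are HTML-escaped, so a quote
# becomes &quot; and cannot terminate the attribute.
ATTR_NAME = /\A[a-zA-Z][\w-]*\z/

def simple_format_escaped(text, html_options = {})
  attrs = html_options.map do |k, v|
    name = k.to_s
    raise ArgumentError, "invalid attribute name: #{name.inspect}" unless name.match?(ATTR_NAME)
    %( #{name}="#{CGI.escapeHTML(v.to_s)}")
  end.join
  paragraphs(text).map { |p| "<p#{attrs}>#{CGI.escapeHTML(p)}</p>" }.join("\n")
end

# Inspection helper for reviews and tests: the attribute names present on the
# first <p> tag of the rendered output. An injected attribute shows up here as
# an extra name that the caller never passed.
def p_tag_attribute_names(html)
  tag = html[/<p([^>]*)>/, 1] or return []
  tag.scan(/([\w-]+)="/).flatten
end

if __FILE__ == $PROGRAM_NAME
  # Constructed tainted value: closes the class attribute and adds another one.
  tainted = 'x" data-injected="yes'
  puts simple_format_unescaped("hello", class: tainted)
  puts simple_format_escaped("hello", class: tainted)
end
```

With the tainted value the unescaped variant renders a `<p>` carrying both `class` and an attacker-chosen `data-injected` attribute, while the escaped variant renders a single `class` attribute whose value contains `&quot;` sequences. Escaping the paragraph text alone, as the unescaped variant does, is not enough; every interpolation point, attribute values included, needs its own context-appropriate encoding.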

Comment 1 Tomas Hoger 2013-12-02 21:49:45 UTC
Created attachment 831793
Upstream patch for 4.0.x

Comment 3 Tomas Hoger 2013-12-16 14:59:59 UTC
This issue only affected Ruby on Rails 4.0, which is not shipped as part of any Red Hat product.

Not vulnerable. This issue did not affect the versions of rubygem-actionpack as shipped with various Red Hat products.