Bug 1036922 (CVE-2013-4491)

Summary: CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aortega, apevec, athomas, ayoung, bdunne, bgollahe, bkearney, bleanhar, ccoleman, chrisw, cpelland, dmcphers, drieden, gkotton, gmollett, hhorak, iheim, jdetiber, jfrey, jialiu, jorton, jrafanie, jrusnack, kseifried, lhh, lmeyer, markmc, mmaslano, mmccune, mmcgrath, nobody+bgollahe, obarenbo, rbryant, ruby-maint, sclewis, security-response-team, tdawson, vondruch, xlecauch, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rubygem-actionpack 3.2.16, rubygem-actionpack 4.0.2
Doc Type: Bug Fix
Doc Text:
It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-01-17 05:35:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1036415, 1036420, 1036421, 1037487, 1120007, 1120008, 1159440, 1165370, 1165371
Bug Blocks: 1000138, 1036411
Attachments:
  Upstream patch for 3.2.x (flags: none)
  Upstream patch for 4.0.x (flags: none)

Description Tomas Hoger 2013-12-02 22:19:09 UTC
Quoting from an upcoming Ruby on Rails security advisory:

Reflective XSS Vulnerability in Ruby on Rails

There is a vulnerability in the internationalization component of Ruby on Rails. Under certain common configurations an attacker can provide specially crafted input which will execute a reflective XSS attack.  This vulnerability has been assigned the CVE identifier CVE-2013-4491.

Versions Affected:  3.0.6 and all later versions.
Not affected:       3.0.5 and earlier 3.0.x versions.
Fixed Versions:     4.0.2, 3.2.16.

The root cause of this issue is a vulnerability in the i18n gem which has been assigned the identifier CVE-2013-4492. For this reason applications are also not affected if they have upgraded to the following i18n versions: 
* i18n-0.6.6 for Rails 4.0.x and 3.2.x applications
* i18n-0.5.1 for Rails 3.1.x and 3.0.x applications

Impact 
------ 
When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string.  Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack.

All users running an affected release should either upgrade or use one of the workarounds immediately. 

Releases 
-------- 
The 4.0.2 and 3.2.16 releases are available at the normal locations. 

Credits 
------- 
Thanks to Peter McLarnan of Matasano Security for reporting the issue to us, and to Sven Fuchs and Christopher Dell for working with us on the fix.
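To make the mechanism in the advisory concrete, here is an added Ruby example that is not the upstream patch and not the i18n gem's own code: a missing-translation helper that interpolates the lookup key into the placeholder span unescaped (the pattern the advisory describes), beside a hardened version that HTML-escapes it, plus a check a reviewer can run over the produced markup. The module name, the span shape and the sample key are constructed for this illustration.

```ruby
require 'cgi'

# Models the fallback the advisory describes: when no translation exists,
# the lookup key is rendered as a visible placeholder <span>. The span
# shape is modelled on the gem's missing-translation markup; this is an
# illustration, not the gem's actual code.
module MissingTranslationFallback
  # Vulnerable pattern: the key (which may derive from user input) is
  # interpolated into both the title attribute and the element body
  # without escaping, so markup characters in the key reach the browser.
  def self.unescaped(key)
    %(<span class="translation_missing" title="translation missing: #{key}">#{key}</span>)
  end

  # Hardened pattern: every interpolated fragment is HTML-escaped, so a key
  # containing '<', '>', '&' or quotes renders as literal text.
  def self.escaped(key)
    safe = CGI.escapeHTML(key.to_s)
    %(<span class="translation_missing" title="translation missing: #{safe}">#{safe}</span>)
  end

  # Defender-side check for a rendered fallback: the markup must still be the
  # single span we built (a quote in the key must not have broken the title
  # attribute) and the element body must equal the escaped key exactly.
  def self.key_neutralized?(html, key)
    inner = html[/\A<span class="translation_missing" title="[^"]*">(.*)<\/span>\z/m, 1]
    !inner.nil? && inner == CGI.escapeHTML(key.to_s)
  end
end

if __FILE__ == $0
  key = 'en.home.<i>title</i>' # constructed sample standing in for a user-influenced key
  puts MissingTranslationFallback.unescaped(key)
  puts MissingTranslationFallback.escaped(key)
  puts MissingTranslationFallback.key_neutralized?(MissingTranslationFallback.escaped(key), key)
end
```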

Comment 1 Tomas Hoger 2013-12-02 22:22:20 UTC
Created attachment 831807
Upstream patch for 3.2.x

Comment 2 Tomas Hoger 2013-12-02 22:23:22 UTC
Created attachment 831819
Upstream patch for 4.0.x

Comment 4 errata-xmlrpc 2013-12-05 22:04:45 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2013:1794 https://rhn.redhat.com/errata/RHSA-2013-1794.html

Comment 5 errata-xmlrpc 2014-01-06 18:04:54 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0008 https://rhn.redhat.com/errata/RHSA-2014-0008.html

Comment 9 Kurt Seifried 2014-11-13 06:18:29 UTC
Acknowledgements:

Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Peter McLarnan as the original reporter.

Comment 10 Martin Prpič 2014-11-14 16:20:49 UTC
IssueDescription:

It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component.

Comment 11 errata-xmlrpc 2014-11-17 17:09:13 UTC
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.4

Via RHSA-2014:1863 https://rhn.redhat.com/errata/RHSA-2014-1863.html