Bug 1365008 (CVE-2016-6316)

Summary: CVE-2016-6316 rubygem-actionview: cross-site scripting flaw in Action View
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bkearney, cbillett, ccoleman, dedgar, dmcphers, hhorak, jgoulding, jialiu, joelsmith, jokerman, jorton, katello-bugs, kseifried, lmeyer, mmccomas, ruby-maint, security-response-team, tomckay
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: rubygem-actionview 5.0.0.1, rubygem-actionview 4.2.7.1, rubygem-actionpack 3.2.22.3
Doc Text:
It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting (XSS) attack.
Last Closed: 2016-09-13 11:19:06 UTC
Bug Depends On: 1366480, 1367062, 1367063, 1367064, 1367065, 1367066, 1367067, 1367068, 1367069, 1381410    
Bug Blocks: 1365019    
Attachments (description, flags):
  3-2-attribute-xss.patch, flags: none
  4-2-attribute-xss.patch, flags: none
  5-0-attribute-xss.patch, flags: none

Description Martin Prpič 2016-08-08 11:08:37 UTC
A cross-site scripting flaw was found in Action View. Text declared as "HTML safe" will not have quotes escaped when used as attribute values in tag helpers.
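
The behaviour described above, as an added example that is not part of the original report, the attached patches, or Rails itself: a simplified Ruby model of a tag helper that trusts "HTML safe" strings, next to a hardened form that always encodes double quotes in attribute values. `SafeString`, `escape_unless_safe`, `tag_option_vulnerable`, `tag_option_hardened`, `attribute_names` and the sample value are constructed for illustration.

```ruby
require "erb"

# Hypothetical stand-in for a string the application has declared "HTML safe".
class SafeString < String
  def html_safe?
    true
  end
end

# Escape HTML metacharacters unless the value was declared HTML safe.
def escape_unless_safe(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Behaviour described in the report: a "safe" value reaches the attribute
# with its double quotes intact.
def tag_option_vulnerable(key, value)
  %(#{key}="#{escape_unless_safe(value)}")
end

# Hardened form (assumption: one way to close the gap, not the attached
# patches): double quotes are always encoded inside an attribute value.
def tag_option_hardened(key, value)
  %(#{key}="#{escape_unless_safe(value).gsub('"', "&quot;")}")
end

# Attribute names a parser would see in the rendered tag.
def attribute_names(tag_html)
  tag_html.scan(/([\w-]+)="[^"]*"/).flatten
end

# Constructed sample: user-influenced text containing a double quote.
SAMPLE = %(photo" data-injected="1)

def demo
  {
    unsafe_string: attribute_names("<img #{tag_option_vulnerable('title', SAMPLE)}>"),
    safe_vulnerable: attribute_names("<img #{tag_option_vulnerable('title', SafeString.new(SAMPLE))}>"),
    safe_hardened: attribute_names("<img #{tag_option_hardened('title', SafeString.new(SAMPLE))}>")
  }
end

demo.each { |label, names| puts "#{label}: #{names.inspect}" }
```

Only the `safe_vulnerable` case yields a second attribute, which is the condition to look for when auditing views that mark user-influenced text as HTML safe before passing it to a tag helper.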

Comment 1 Martin Prpič 2016-08-08 11:08:43 UTC
Acknowledgments:

Name: the Ruby on Rails project
Upstream: Andrew Carpenter (Critical Juncture)

Comment 2 Martin Prpič 2016-08-08 11:09:27 UTC
Created attachment 1188633
3-2-attribute-xss.patch

Comment 3 Martin Prpič 2016-08-08 11:09:30 UTC
Created attachment 1188634
4-2-attribute-xss.patch

Comment 4 Martin Prpič 2016-08-08 11:09:33 UTC
Created attachment 1188635
5-0-attribute-xss.patch

Comment 6 Martin Prpič 2016-08-12 06:01:18 UTC
Created rubygem-actionview tracking bugs for this issue:

Affects: fedora-all [bug 1366480]

Comment 7 Martin Prpič 2016-08-12 06:01:48 UTC
External References:

https://groups.google.com/forum/#!msg/rubyonrails-security/I-VWr034ouk/gGu2FrCwDAAJ

Comment 16 errata-xmlrpc 2016-09-13 11:11:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2016:1858 https://rhn.redhat.com/errata/RHSA-2016-1858.html

Comment 17 errata-xmlrpc 2016-09-13 11:11:28 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS

Via RHSA-2016:1857 https://rhn.redhat.com/errata/RHSA-2016-1857.html

Comment 18 errata-xmlrpc 2016-09-13 11:11:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2016:1856 https://rhn.redhat.com/errata/RHSA-2016-1856.html

Comment 19 errata-xmlrpc 2016-09-13 11:12:15 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS

Via RHSA-2016:1855 https://rhn.redhat.com/errata/RHSA-2016-1855.html