Bug 1774081 (CVE-2019-15587)

Summary: CVE-2019-15587 rubygem-loofah: XSS when a crafted SVG element is republished
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bbuckingham, bcourt, bkearney, bmidwood, btotty, dajohnso, dmetzger, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jaruga, jhardy, jorton, kdixon, ktdreyer, lavenel, lzap, mmccune, pvalena, rchan, rjerrido, roliveri, ruby-maint, ruby-packagers-sig, simaishi, sokeeffe, vondruch, ytale
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rubygem-loofah 2.3.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-27 10:55:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1791636, 1791637, 1791638, 1791639, 1791640, 1791641, 1791642, 1791643, 1791644, 1791645, 1791646, 1791647, 1797919, 1797920, 1797921, 1797922, 1797923, 1797924, 1805187, 1805200
Bug Blocks: 1774086

Description msiddiqu 2019-11-19 14:18:02 UTC
In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Upstream issue: 

https://github.com/flavorjones/loofah/issues/171

References:

https://hackerone.com/reports/709009
https://www.debian.org/security/2019/dsa-4554
https://www.openwall.com/lists/oss-security/2019/10/22/1

Comment 12 Cedric Buissart 2020-02-20 13:34:13 UTC
Created rubygem-loofah tracking bugs for this issue:

Affects: fedora-all [bug 1805200]

Comment 13 Cedric Buissart 2020-02-20 13:52:44 UTC
Statement:

Supported versions of Satellite 6 contain a vulnerable version of rubygem-loofah. However, it is not possible to inject untrusted SVG files, and thus it is considered that this vulnerability cannot be triggered. A future update may fix this vulnerability.