Bug 799275 (CVE-2012-1098)

Summary: CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bkabrda, katello-internal, lutter, mastahnke, mmorsi, sseago, tkramer, vanmeeuwen+fedora, vondruch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120301,reported=20120302,source=gentoo,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cloudformscommon-1/rubygem-activesupport=affected,sam-1/rubygem-activesupport=affected,openshift-1/rubygem-activesupport=affected,fedora-all/rubygem-activesupport=notaffected,epel-5/rubygem-activesupport=notaffected,epel-6/rubygem-activesupport=notaffected,cwe=CWE-79[auto]
Fixed In Version: rubygem-activesupport 3.0.12, rubygem-activesupport 3.1.4, rubygem-activesupport 3.2.2
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-08-24 11:24:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 799279, 800000, 800015, 800018, 809588
Bug Blocks: 755014, 767033

Description Jan Lieskovsky 2012-03-02 05:55:18 EST
A cross-site scripting (XSS) flaw was found in the way the String class, used in Ruby on Rails, performed HTML escaping of SafeBuffer objects, when such objects were manipulated directly via the '[]' method or other methods that also return new instances of the SafeBuffer object. By using these methods, such newly returned SafeBuffer instances would be inadvertently marked as HTML safe. If a Ruby on Rails application used SafeBuffer objects this way, a remote attacker could provide specially-crafted input which, once processed by such a SafeBuffer instance, would pass the HTML escaping test without further filtering, possibly leading to arbitrary HTML or web script execution.

References:
[1] http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
[2] http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913
[3] https://bugs.gentoo.org/show_bug.cgi?id=406547

Proposed upstream patches:
[4] http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-0-safe-buffer-slice.patch?part=3
    (against v3.0 branch)
[5] http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-1-safe-buffer-slice.patch?part=4
    (against v3.1 branch)
[6] http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-2-safe-buffer-slice.patch?part=5
    (against v3.2 branch)
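The slicing behaviour described above, as an added example that is not part of this bug report or of ActiveSupport itself: a constructed, cut-down model of the Rails 3.x SafeBuffer showing why a slice of an untrusted buffer wrongly reported html_safe?, beside a class that applies the approach of the upstream fix (return a plain String for slices of untrusted buffers). Rails3SafeBuffer, PatchedSafeBuffer, render_snippet and the PAYLOAD value are names and data constructed for the example.

```ruby
require "erb"

# ActiveSupport makes plain String#html_safe? false; only a SafeBuffer may answer true.
class String
  def html_safe?; false; end
end

# Constructed, cut-down model of ActiveSupport::SafeBuffer as shipped in Rails 3.0-3.2.1
# (not the gem's own code): a fresh buffer is clean, an in-place "unsafe" method such
# as gsub! marks it dirty, and html_safe? is simply !dirty.
class Rails3SafeBuffer < String
  def initialize(str = "")
    @dirty = false
    super
  end
  def html_safe?; !@dirty; end
  # Appending escapes the value unless it already claims to be html_safe.
  def concat(value)
    value.html_safe? ? super(value) : super(ERB::Util.html_escape(value))
  end
  # Mutating the buffer with possibly attacker-controlled text taints it.
  def gsub!(*args, &blk); @dirty = true; super; end

  # On Ruby 1.9 (Rails 3's platform) String#[] returns a new instance of the receiver's
  # class with no instance variables, so @dirty is nil and html_safe? answers true.
  # Modelled with allocate+replace so the example behaves the same on current Ruby.
  def [](*args)
    (s = super) && self.class.allocate.replace(s.to_s)
  end
end

# Modelled on the 3.0.12 / 3.1.4 / 3.2.2 fix: slicing an untrusted buffer yields a plain
# String (never html_safe); slicing a clean buffer yields an explicitly clean one.
class PatchedSafeBuffer < Rails3SafeBuffer
  def [](*args)
    return to_str[*args] unless html_safe?
    (s = super) && s.tap { |b| b.instance_variable_set(:@dirty, false) }
  end
end

PAYLOAD = "<script>alert(1)</script>" # constructed attacker-supplied value

# A fragment is edited in place with user input, truncated with [] for display and
# appended to an output buffer. Returns [slice reports html_safe?, rendered html].
def render_snippet(buffer_class)
  buf = buffer_class.new("Hello, NAME!")
  buf.gsub!("NAME", PAYLOAD)
  snippet = buf[0, 40]
  out = buffer_class.new
  out.concat(snippet)
  [snippet.html_safe?, out.to_s]
end
```

With Rails3SafeBuffer the slice is trusted and the payload reaches the output unescaped; with PatchedSafeBuffer the slice is a plain String and concat escapes it.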
Comment 2 Jan Lieskovsky 2012-03-02 06:25:50 EST
Created rubygem-actionpack tracking bugs for this issue

Affects: fedora-all [bug 799279]
Comment 3 Jan Lieskovsky 2012-03-02 06:37:43 EST
CVE request:
[7] http://www.openwall.com/lists/oss-security/2012/03/02/6
Comment 4 Kurt Seifried 2012-03-02 19:32:17 EST
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/03/1
Comment 5 Jan Lieskovsky 2012-03-05 10:22:28 EST
This issue affects the version of the rubygem-activesupport package, as shipped with Fedora release 16. Please schedule an update.

--

This issue did NOT affect the version of the rubygem-activesupport package, as shipped with Fedora 15.

This issue did NOT affect the versions of the rubygem-activesupport package, as shipped with Fedora EPEL 6 and Fedora EPEL 5.
Comment 6 Jan Lieskovsky 2012-03-05 10:25:00 EST
Created rubygem-activesupport tracking bugs for this issue

Affects: fedora-16 [bug 800000]
Comment 9 Fedora Update System 2012-03-11 13:01:04 EDT
rubygem-actionpack-3.0.11-2.fc17, rubygem-activesupport-3.0.11-3.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-03-17 19:40:49 EDT
rubygem-actionpack-3.0.10-3.fc16, rubygem-activesupport-3.0.10-2.fc16 have been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.