Bug 799275 (CVE-2012-1098)

Summary: CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bkabrda, katello-internal, lutter, mastahnke, mmorsi, sseago, tkramer, vanmeeuwen+fedora, vondruch
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: rubygem-activesupport 3.0.12, rubygem-activesupport 3.1.4, rubygem-activesupport 3.2.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-24 15:24:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 799279, 800000, 800015, 800018, 809588
Bug Blocks: 755014, 767033

Description Jan Lieskovsky 2012-03-02 10:55:18 UTC
A cross-site scripting (XSS) flaw was found in the way the String class, used in Ruby on Rails, performed HTML escaping of SafeBuffer objects when such objects were manipulated directly via the '[]' method or other methods that also return new instances of the SafeBuffer object. By using these methods, such newly returned SafeBuffer instances would be inadvertently marked as HTML safe. If a Ruby on Rails application used SafeBuffer objects this way, a remote attacker could provide specially crafted input which, once processed by such a SafeBuffer instance, would pass the HTML escaping test without further filtering, possibly leading to arbitrary HTML or web script execution.

References:
[1] http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
[2] http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913
[3] https://bugs.gentoo.org/show_bug.cgi?id=406547

Proposed upstream patches:
[4] http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-0-safe-buffer-slice.patch?part=3
    (against v3.0 branch)
[5] http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-1-safe-buffer-slice.patch?part=4
    (against v3.1 branch)
[6] http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-2-safe-buffer-slice.patch?part=5
    (against v3.2 branch)
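A minimal Ruby model of the slicing defect described in the report and of the shape of the upstream fix, added here as an illustration; it is not ActiveSupport's code, and ModelSafeBuffer, VulnerableBuffer, FixedBuffer, render and slice_marked_safe? are names assumed for this example. It shows why a slice of an unescaped buffer came back marked safe, and a regression check that catches it.

```ruby
# Minimal model of the CVE-2012-1098 defect, constructed for this page; it is
# not ActiveSupport's SafeBuffer. Escaping is reduced to four entities.
class ModelSafeBuffer < String
  ENTITIES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

  def initialize(str = '', safe: true)
    super(str)
    @html_safe = safe    # false once unescaped content has been stored
  end

  def html_safe?
    @html_safe
  end

  # Appending a safe buffer copies it verbatim; anything else is escaped.
  def concat(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value : value.gsub(/[&<>"]/, ENTITIES))
  end
  alias << concat
end

# Pre-fix shape: [] wraps the slice in a fresh buffer carrying the default
# (safe) flag, so a slice of an unsafe buffer is silently marked safe.
class VulnerableBuffer < ModelSafeBuffer
  def [](*args)
    VulnerableBuffer.new(to_str[*args])
  end
end

# Post-fix shape: slicing an unsafe buffer yields a plain String, which the
# renderer escapes; slicing a safe buffer keeps the safe mark.
class FixedBuffer < ModelSafeBuffer
  def [](*args)
    return to_str[*args] unless html_safe?
    FixedBuffer.new(to_str[*args])
  end
end

# Render a value into an output buffer the way a template would.
def render(value)
  (ModelSafeBuffer.new << value).to_str
end

# Regression check: does slicing an unescaped buffer yield a safe-marked slice?
def slice_marked_safe?(klass, untrusted)
  piece = klass.new(untrusted, safe: false)[0, untrusted.length]
  piece.respond_to?(:html_safe?) && piece.html_safe?
end
```

The check returns true for the pre-fix shape and false for the fixed one, so it can sit in a test suite to confirm that unescaped content never reaches the output buffer unescaped.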

Comment 2 Jan Lieskovsky 2012-03-02 11:25:50 UTC
Created rubygem-actionpack tracking bugs for this issue

Affects: fedora-all [bug 799279]

Comment 3 Jan Lieskovsky 2012-03-02 11:37:43 UTC
CVE request:
[7] http://www.openwall.com/lists/oss-security/2012/03/02/6

Comment 4 Kurt Seifried 2012-03-03 00:32:17 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/03/1

Comment 5 Jan Lieskovsky 2012-03-05 15:22:28 UTC
This issue affects the version of the rubygem-activesupport package as shipped with Fedora 16. Please schedule an update.

--

This issue did NOT affect the version of the rubygem-activesupport package as shipped with Fedora 15.

This issue did NOT affect the versions of the rubygem-activesupport package as shipped with Fedora EPEL 6 and Fedora EPEL 5.

Comment 6 Jan Lieskovsky 2012-03-05 15:25:00 UTC
Created rubygem-activesupport tracking bugs for this issue

Affects: fedora-16 [bug 800000]

Comment 9 Fedora Update System 2012-03-11 17:01:04 UTC
rubygem-actionpack-3.0.11-2.fc17 and rubygem-activesupport-3.0.11-3.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2012-03-17 23:40:49 UTC
rubygem-actionpack-3.0.10-3.fc16 and rubygem-activesupport-3.0.10-2.fc16 have been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.