Red Hat Bugzilla – Bug 542786
CVE-2009-4214 rubygem-actionpack: XSS weakness in strip_tags
Last modified: 2016-03-04 07:36:22 EST
Gabe da Silveira found a weakness in the strip_tags
routine in Ruby on Rails. Quoting the upstream report
for exact details:
There is a weakness in the strip_tags function in ruby on rails. Due to
a bug in the parsing code inside HTML::Tokenizer regarding non-printable
ascii characters, an attacker can include values which certain browsers
will then evaluate.
The upstream advisory also suggests in its Impact part that
only Ruby on Rails, when running in Internet Explorer configuration
Applications relying on strip_tags for XSS protection
may be vulnerable to attacks on Internet Explorer users.
Have checked the code of the latest rubygem-actionpack in Fedora 10
(rubygem-actionpack-2.1.1-3.fc10) and the patch seems to be
Jeroen, David, Mamoru, feel free to close this bug as not an
issue once you realize / have definitely decided that the internet
browsers, as shipped within Fedora (Firefox, Epiphany, Galeon,
WebKit), wouldn't evaluate such "special, non-printable ascii
rubygem-actionpack-2.1.1-5.fc10 has been submitted as an update for Fedora 10.
rubygem-actionpack-2.1.1-5.el5 has been submitted as an update for Fedora EPEL 5.
Seems that this also affects F-12/11 (and F-13).
This is CVE-2009-4214:
Cross-site scripting (XSS) vulnerability in the strip_tags function in
Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
attackers to inject arbitrary web script or HTML via vectors involving
non-printing ASCII characters, related to HTML::Tokenizer and
rubygem-actionpack-2.1.1-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-2.1.1-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Even though this may only affect IE users, we should still make sure that the rails we ship has no vulnerabilities, no matter what browser is used with them.
I added the patch to actionpack for F-11 and F-12 and built new packages.
For rawhide, we should update to 2.3.5, though I don't have the energy to fight the tangle that is a rails update right now.
(In reply to comment #8)
> I added the patch to actionpack for F-11 and F-12 and built new packages.
Would you submit push requests on bodhi as security updates?
A duplicate CVE identifier, CVE-2009-4132, has also been assigned
for this issue:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-4214. Reason:
This candidate is a duplicate of CVE-2009-4214. Notes: All CVE users
should reference CVE-2009-4214 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.
rubygem-actionpack-2.3.4-3.fc12 has been submitted as an update for Fedora 12.
(In reply to comment #9)
> (In reply to comment #8)
> > I added the patch to actionpack for F-11 and F-12 and built new packages.
> Would you submit push requests on bodhi as security updates?
Rats. Thanks for the reminder - I just submitted requests for them.
rubygem-actionpack-2.3.2-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-2.3.4-3.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #8)
> For rawhide, we should update to 2.3.5, though I don't have the energy to fight
> the tangle that is a rails update right now.
I would really appreciate it if someone would upgrade rails to 2.3.5
on rawhide (as I am not familiar with rails).
However, let's close this bug anyway. Applied a patch with
F-12: updates released
F-11: updates released
EL-5: updates released