Bug 542786 - (CVE-2009-4214) CVE-2009-4214 rubygem-actionpack: XSS weakness in strip_tags
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
URL: http://groups.google.com/group/rubyon...
Whiteboard: impact=low,source=osssecurity,reporte...
Keywords: Security
Reported: 2009-11-30 14:32 EST by Jan Lieskovsky
Modified: 2016-03-04 07:36 EST (History)
Doc Type: Bug Fix
Last Closed: 2010-01-07 10:19:07 EST
Description Jan Lieskovsky 2009-11-30 14:32:45 EST
Gabe da Silveira found a weakness in the strip_tags
routine in Ruby on Rails. Quoting the upstream report
for exact details:

There is a weakness in the strip_tags function in Ruby on Rails. Due to
a bug in the parsing code inside HTML::Tokenizer regarding non-printable
ASCII characters, an attacker can include values which certain browsers
will then evaluate.

References:
-----------
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1

CVE Request:
-----------
http://www.openwall.com/lists/oss-security/2009/11/27/2
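As an added example (not code from the bug report, from Rails or from the Fedora packages), the following Ruby sketch shows the defensive pattern the upstream report points at: when a tag stripper's tokenizer and a browser disagree on how non-printable ASCII characters are parsed, normalize those characters away before sanitizing and verify afterwards that none survived. The `naive_strip_tags` helper is an assumed placeholder standing in for `strip_tags`, not the Rails HTML::Tokenizer implementation; `CONTROL_CHARS`, `strip_control_chars`, `contains_control_chars?` and `sanitize_untrusted` are names chosen here.

```ruby
# Added example, not code from the bug report or from Rails itself.
# Pattern: do not rely on a tag stripper alone; strip non-printable ASCII
# control characters before sanitizing, then fail closed if any remain.

# ASCII control characters, excluding TAB (0x09), LF (0x0A) and CR (0x0D),
# which are legitimate whitespace in HTML.
CONTROL_CHARS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/

# Remove control characters from an untrusted string.
def strip_control_chars(str)
  str.gsub(CONTROL_CHARS, "")
end

# True if the string still carries any control character.
def contains_control_chars?(str)
  str.match?(CONTROL_CHARS)
end

# Minimal tag stripper (assumption: a placeholder standing in for
# strip_tags, not the Rails HTML::Tokenizer-based implementation).
def naive_strip_tags(str)
  str.gsub(/<[^>]*>/, "")
end

# Sanitize untrusted markup: normalize, strip tags, then reject the result
# if a control character is somehow still present in the output.
def sanitize_untrusted(str)
  cleaned = naive_strip_tags(strip_control_chars(str))
  if contains_control_chars?(cleaned)
    raise ArgumentError, "control characters survived sanitization"
  end
  cleaned
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a tag name carrying a NUL byte, visible text,
  # and a trailing unit-separator control character.
  sample = "<b\x00>hello</b> world\x1F"
  puts sanitize_untrusted(sample).inspect  # => "hello world"
end
```

The ordering matters: normalizing first means the tag stripper sees the same byte sequence a browser would after its own error recovery, and the post-check turns any remaining discrepancy into a hard failure rather than silently passing it through.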
Comment 1 Jan Lieskovsky 2009-11-30 14:44:39 EST
The upstream advisory also suggests in its Impact part that only
Ruby on Rails, when running in an Internet Explorer configuration,
is vulnerable:
==============

<quote>

Impact
------

Applications relying on strip_tags for XSS protection
may be vulnerable to attacks on Internet Explorer users. 

</quote>

Have checked the code of the latest rubygem-actionpack in Fedora 10
(rubygem-actionpack-2.1.1-3.fc10) and the patch seems to be
applicable.

Jeroen, David, Mamoru, feel free to close this bug as not an
issue, once you realize / have definitely decided that the internet
browsers as shipped within Fedora (Firefox, Epiphany, Galeon,
WebKit) wouldn't evaluate such "special, non-printable ASCII
characters".
Comment 2 Fedora Update System 2009-12-06 13:27:31 EST
rubygem-actionpack-2.1.1-5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.fc10
Comment 3 Fedora Update System 2009-12-06 13:28:58 EST
rubygem-actionpack-2.1.1-5.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.el5
Comment 4 Mamoru TASAKA 2009-12-06 13:35:49 EST
Seems that this also affects F-12/11 (and F-13).
Comment 5 Jan Lieskovsky 2009-12-07 13:39:40 EST
This is CVE-2009-4214:
----------------------
Cross-site scripting (XSS) vulnerability in the strip_tags function in
Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
attackers to inject arbitrary web script or HTML via vectors involving
non-printing ASCII characters, related to HTML::Tokenizer and
actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
Comment 6 Fedora Update System 2009-12-09 23:00:50 EST
rubygem-actionpack-2.1.1-5.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-12-09 23:12:18 EST
rubygem-actionpack-2.1.1-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 David Lutterkort 2009-12-10 19:14:35 EST
Even though this may only affect IE users, we should still make sure that the rails we ship has no vulnerabilities, no matter what browser is used with them.

I added the patch to actionpack for F-11 and F-12 and built new packages.

For rawhide, we should update to 2.3.5, though I don't have the energy to fight the tangle that is a rails update right now.
Comment 9 Mamoru TASAKA 2009-12-12 02:41:55 EST
(In reply to comment #8)
> I added the patch to actionpack for F-11 and F-12 and built new packages.

Would you submit push requests on bodhi as security updates?
Comment 10 Jan Lieskovsky 2009-12-12 07:04:24 EST
Duplicate CVE identifier of CVE-2009-4132 has been also assigned
for this issue:

Name: CVE-2009-4132
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4132
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20091201
Category:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-4214. Reason:
This candidate is a duplicate of CVE-2009-4214. Notes: All CVE users
should reference CVE-2009-4214 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.
Comment 11 Fedora Update System 2009-12-16 14:08:09 EST
rubygem-actionpack-2.3.4-3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/rubygem-actionpack-2.3.4-3.fc12
Comment 12 David Lutterkort 2009-12-16 14:10:03 EST
(In reply to comment #9)
> (In reply to comment #8)
> > I added the patch to actionpack for F-11 and F-12 and built new packages.
> 
> Would you submit push requests on bodhi as security updates?  

Rats. Thanks for the reminder - I just submitted requests for them.
Comment 13 Fedora Update System 2009-12-17 23:35:57 EST
rubygem-actionpack-2.3.2-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2009-12-17 23:46:01 EST
rubygem-actionpack-2.3.4-3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Mamoru TASAKA 2010-01-07 10:19:07 EST
(In reply to comment #8)
> For rawhide, we should update to 2.3.5, though I don't have the energy to fight
> the tangle that is a rails update right now.  

I would really appreciate it if someone would upgrade rails to 2.3.5
on rawhide (as I am not familiar with rails).

However anyway let's close this bug. Applied a patch with
rubygem-actionpack-2.3.4-4.fc13.

F-13: fixed
F-12: updates released
F-11: updates released
EL-5: updates released

Closing.