Gabe da Silveira found a weakness in the strip_tags routine in Ruby on Rails. Quoting the upstream report for exact details:

There is a weakness in the strip_tags function in Ruby on Rails. Due to a bug in the parsing code inside HTML::Tokenizer regarding non-printable ASCII characters, an attacker can include values which certain browsers will then evaluate.

References:
-----------
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1

CVE Request:
-----------
http://www.openwall.com/lists/oss-security/2009/11/27/2
The upstream advisory also suggests in its Impact part that only Ruby on Rails, when used with Internet Explorer, is vulnerable:
==============
<quote>
Impact
------
Applications relying on strip_tags for XSS protection may be vulnerable to attacks on Internet Explorer users.
</quote>

Have checked the code of the latest rubygem-actionpack in Fedora 10 (rubygem-actionpack-2.1.1-3.fc10) and the patch seems to be applicable.

Jeroen, David, Mamoru, feel free to close this bug as not an issue once you realize / are definitely decided that the internet browsers as shipped within Fedora (Firefox, Epiphany, Galeon, WebKit) wouldn't evaluate such "special, non-printable ASCII characters".
rubygem-actionpack-2.1.1-5.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.fc10
rubygem-actionpack-2.1.1-5.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.el5
Seems that this also affects F-12/11 (and F-13).
This is CVE-2009-4214:
----------------------
Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
rubygem-actionpack-2.1.1-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-2.1.1-5.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Even though this may only affect IE users, we should still make sure that the rails we ship has no vulnerabilities, no matter what browser is used with them. I added the patch to actionpack for F-11 and F-12 and built new packages. For rawhide, we should update to 2.3.5, though I don't have the energy to fight the tangle that is a rails update right now.
(In reply to comment #8)
> I added the patch to actionpack for F-11 and F-12 and built new packages.

Would you submit push requests on bodhi as security updates?
A duplicate CVE identifier, CVE-2009-4132, has also been assigned for this issue:

Name: CVE-2009-4132
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4132
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20091201
Category:
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-4214. Reason: This candidate is a duplicate of CVE-2009-4214. Notes: All CVE users should reference CVE-2009-4214 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
rubygem-actionpack-2.3.4-3.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/rubygem-actionpack-2.3.4-3.fc12
(In reply to comment #9)
> (In reply to comment #8)
> > I added the patch to actionpack for F-11 and F-12 and built new packages.
>
> Would you submit push requests on bodhi as security updates?

Rats. Thanks for the reminder - I just submitted requests for them.
rubygem-actionpack-2.3.2-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-2.3.4-3.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to comment #8)
> For rawhide, we should update to 2.3.5, though I don't have the energy to fight
> the tangle that is a rails update right now.

I would really appreciate it if someone would upgrade rails to 2.3.5 on rawhide (as I am not familiar with rails). However, anyway, let's close this bug. Applied a patch with rubygem-actionpack-2.3.4-4.fc13.

F-13: fixed
F-12: updates released
F-11: updates released
EL-5: updates released

Closing.