Bug 542786 (CVE-2009-4214) - CVE-2009-4214 rubygem-actionpack: XSS weakness in strip_tags
Summary: CVE-2009-4214 rubygem-actionpack: XSS weakness in strip_tags
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-4214
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://groups.google.com/group/rubyon...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-30 19:32 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:33 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-01-07 15:19:07 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2009-11-30 19:32:45 UTC
Gabe da Silveira found a weakness in the strip_tags 
routine in Ruby on Rails. Quoting upstream report
for exact details:

There is a weakness in the strip_tags function in ruby on rails.  Due to
a bug in the parsing code inside HTML::Tokenizer regarding non-printable
ascii characters, an attacker can include values which certain browsers
will then evaluate. 

References:
-----------
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1

CVE Request:
-----------
http://www.openwall.com/lists/oss-security/2009/11/27/2

Comment 1 Jan Lieskovsky 2009-11-30 19:44:39 UTC
The upstream advisory also suggests in its Impact part, that
only Ruby on Rails, when running in Internet Explorer configuration
is vulnerable:
==============

<quote>

Impact
------

Applications relying on strip_tags for XSS protection
may be vulnerable to attacks on Internet Explorer users. 

</quote>

Have checked the code latest rubygem-actionpack in Fedora 10
(rubygem-actionpack-2.1.1-3.fc10) and the patch seems to be 
applicable.

Jeroen, David, Mamoru, feel free to close this bug as not an
issue, once you realize / are definitely decided the internet
browsers, as shipped within Fedora (Firefox, Epiphany, Galeon,
WebKit) wouldn't evaluate such "special, non printable ascii
characters".

Comment 2 Fedora Update System 2009-12-06 18:27:31 UTC
rubygem-actionpack-2.1.1-5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.fc10

Comment 3 Fedora Update System 2009-12-06 18:28:58 UTC
rubygem-actionpack-2.1.1-5.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/rubygem-actionpack-2.1.1-5.el5

Comment 4 Mamoru TASAKA 2009-12-06 18:35:49 UTC
Seems that this also affects F-12/11 (and F-13).

Comment 5 Jan Lieskovsky 2009-12-07 18:39:40 UTC
This is CVE-2009-4214:
----------------------
Cross-site scripting (XSS) vulnerability in the strip_tags function in
Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
attackers to inject arbitrary web script or HTML via vectors involving
non-printing ASCII characters, related to HTML::Tokenizer and
actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

Comment 6 Fedora Update System 2009-12-10 04:00:50 UTC
rubygem-actionpack-2.1.1-5.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-12-10 04:12:18 UTC
rubygem-actionpack-2.1.1-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 David Lutterkort 2009-12-11 00:14:35 UTC
Even though this may only affect IE users, we should still make sure that the rails we ship has no vulnerabilities, no matter what browser is used with them.

I added the patch to actionpack for F-11 and F-12 and built new packages.

For rawhide, we should update to 2.3.5, though I don't have the energy to fight the tangle that is a rails update right now.

Comment 9 Mamoru TASAKA 2009-12-12 07:41:55 UTC
(In reply to comment #8)
> I added the patch to actionpack for F-11 and F-12 and built new packages.

Would you submit push requests on bodhi as security updates?

Comment 10 Jan Lieskovsky 2009-12-12 12:04:24 UTC
Duplicate CVE identifier of CVE-2009-4132 has been also assigned
for this issue:

Name: CVE-2009-4132
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4132
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20091201
Category:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-4214. Reason:
This candidate is a duplicate of CVE-2009-4214. Notes: All CVE users
should reference CVE-2009-4214 instead of this candidate. All
references and descriptions in this candidate have been removed to
prevent accidental usage.

Comment 11 Fedora Update System 2009-12-16 19:08:09 UTC
rubygem-actionpack-2.3.4-3.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/rubygem-actionpack-2.3.4-3.fc12

Comment 12 David Lutterkort 2009-12-16 19:10:03 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > I added the patch to actionpack for F-11 and F-12 and built new packages.
> 
> Would you submit push requests on bodhi as security updates?  

Rats. Thanks for the reminder - I just submitted requests for them.

Comment 13 Fedora Update System 2009-12-18 04:35:57 UTC
rubygem-actionpack-2.3.2-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2009-12-18 04:46:01 UTC
rubygem-actionpack-2.3.4-3.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Mamoru TASAKA 2010-01-07 15:19:07 UTC
(In reply to comment #8)
> For rawhide, we should update to 2.3.5, though I don't have the energy to fight
> the tangle that is a rails update right now.  

I would really appreciate if someone would upgrade rails to 2.3.5
on rawhide (as I am not familiar with rails)

However anyway let's close this bug. Applied a patch with
rubygem-actionpack-2.3.4-4.fc13.

F-13: fixed
F-12: updates released
F-11: updates released
EL-5: updates released

Closing.


Note You need to log in before you can comment on or make changes to this bug.