Bug 750306 (CVE-2010-1330) - CVE-2010-1330 jruby: XSS in the regular expression engine when processing invalid UTF-8 byte sequences
Summary: CVE-2010-1330 jruby: XSS in the regular expression engine when processing inv...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-1330
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 750310 750311
Blocks: 750308
TreeView+ depends on / blocked
 
Reported: 2011-10-31 16:25 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:48 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-08 06:14:47 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1456 normal SHIPPED_LIVE Moderate: JBoss Enterprise SOA Platform 5.2.0 update 2011-11-17 04:54:04 UTC

Description Jan Lieskovsky 2011-10-31 16:25:22 UTC
A cross-site scripting (XSS) flaw was found in the way the regular expression engine of the JRuby, Java implementation of the Ruby programming language, processed certain invalid UTF-8 byte sequences. A remote attacker could use this flaw to execute arbitrary HTML or web script via specially-crafted input provided to an JRuby application.

References:
[1] http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html
[2] https://bugs.gentoo.org/show_bug.cgi?id=317435

Proposed upstream solution (is to upgrage to jcodings-v1.0.3):
[3] http://repo1.maven.org/maven2/org/jruby/jcodings/jcodings/1.0.3/jcodings-1.0.3.jar

Comment 1 Jan Lieskovsky 2011-10-31 16:26:54 UTC
This issue affects the versions of the jcodings package, as shipped with Fedora release of 14 and 15.

--

This issue did NOT affect the versions of the jcodings and jruby packages, as planned to be included into upcoming Fedora release of 16.

Comment 2 Jan Lieskovsky 2011-10-31 16:38:34 UTC
Created jcodings tracking bugs for this issue

Affects: fedora-14 [bug 750310]
Affects: fedora-15 [bug 750311]

Comment 5 errata-xmlrpc 2011-11-16 23:55:08 UTC
This issue has been addressed in following products:

JBoss Enterprise SOA Platform 5.2.0

Via RHSA-2011:1456 https://rhn.redhat.com/errata/RHSA-2011-1456.html


Note You need to log in before you can comment on or make changes to this bug.