A cross-site scripting (XSS) flaw was found in the way the String class, used in Ruby on Rails, performed HTML escaping of SafeBuffer objects when such objects were manipulated directly via the '[]' method or other methods that also return new instances of the SafeBuffer object. By using these methods, such newly returned SafeBuffer instances would be inadvertently marked as HTML safe. If a Ruby on Rails application used SafeBuffer objects this way, a remote attacker could provide specially crafted input which, once processed by such a SafeBuffer instance, would pass the HTML escaping test without further filtering, possibly leading to arbitrary HTML or web script execution.

References:
[1] http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released
[2] http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913
[3] https://bugs.gentoo.org/show_bug.cgi?id=406547

Proposed upstream patches:
[4] http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-0-safe-buffer-slice.patch?part=3 (against v3.0 branch)
[5] http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-1-safe-buffer-slice.patch?part=4 (against v3.1 branch)
[6] http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-2-safe-buffer-slice.patch?part=5 (against v3.2 branch)
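A constructed Ruby model of the behaviour described above, added here for illustration; it is not code from this bug report or from Rails. ModelSafeBuffer reproduces the flaw (slicing yields a fresh instance that reports itself html_safe?), while FixedSafeBuffer follows the idea of the upstream patches by returning a plain, never-safe String; the class names, the modelled gsub!/[] methods, the render_preview helper and the sample input are all assumptions.

```ruby
require 'erb'

# Simplified model of a SafeBuffer: a String that escapes anything unsafe
# appended to it, and that counts as html_safe? unless an in-place unsafe
# edit has "dirtied" it. This is a teaching model, not Rails' own class.
class ModelSafeBuffer < String
  def html_safe?
    !@dirty
  end

  # Appending escapes unsafe values; values already marked safe pass through.
  def concat(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value : ERB::Util.html_escape(value.to_s))
  end
  alias << concat

  # Rewriting the buffer in place with untrusted content makes it unsafe.
  def gsub!(*args, &block)
    @dirty = true
    super
  end

  # Flawed behaviour: slicing returns a *new* instance of the same class, and a
  # new instance carries no @dirty flag, so the slice reports html_safe? again.
  def [](*args)
    sliced = super
    sliced.nil? ? nil : self.class.new(sliced.to_s)
  end
end

# Corrected behaviour: slicing demotes the result to a plain String, which has
# no html_safe? method and is therefore escaped when appended to a buffer.
class FixedSafeBuffer < ModelSafeBuffer
  def [](*args)
    to_str[*args]
  end
end

# Build a truncated preview of a buffer that untrusted text was substituted
# into, then append that preview to an output buffer (as a view helper might).
def render_preview(buffer_class, untrusted)
  body = buffer_class.new("<p>Hello NAME</p>")
  body.gsub!("NAME", untrusted)   # unsafe edit: body is now dirty
  preview = body[0, 64]           # the slice is where the two classes differ
  output = buffer_class.new
  output << preview               # escaped only if preview is not html_safe?
  output.to_str
end
```

With the flawed class the slice passes the html_safe? check and the constructed script tag is appended verbatim; with the fixed class the whole dirty slice is escaped.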
Created rubygem-actionpack tracking bugs for this issue
Affects: fedora-all [bug 799279]
CVE request: [7] http://www.openwall.com/lists/oss-security/2012/03/02/6
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/03/1
This issue affects the version of the rubygem-activesupport package, as shipped with Fedora 16. Please schedule an update. -- This issue did NOT affect the version of the rubygem-activesupport package, as shipped with Fedora 15. This issue did NOT affect the versions of the rubygem-activesupport package, as shipped with Fedora EPEL 6 and Fedora EPEL 5.
Created rubygem-activesupport tracking bugs for this issue
Affects: fedora-16 [bug 800000]
rubygem-actionpack-3.0.11-2.fc17, rubygem-activesupport-3.0.11-3.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-3.0.10-3.fc16, rubygem-activesupport-3.0.10-2.fc16 have been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.