1774081 – (CVE-2019-15587) CVE-2019-15587 rubygem-loofah: XXS when a crafted SVG element is republished

Bug 1774081 (CVE-2019-15587) - CVE-2019-15587 rubygem-loofah: XXS when a crafted SVG element is republished

Summary: CVE-2019-15587 rubygem-loofah: XXS when a crafted SVG element is republished

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-15587
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1791636 1791637 1791638 1791639 1791640 1791641 1791642 1791643 1791644 1791645 1791646 1791647 1797919 1797920 1797921 1797922 1797923 1797924 1805187 1805200
Blocks:	1774086
TreeView+	depends on / blocked

Reported:	2019-11-19 14:18 UTC by msiddiqu
Modified:	2021-12-14 18:47 UTC (History)
CC List:	30 users (show)
Fixed In Version:	rubygem-loofah 2.3.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-27 10:55:41 UTC
Embargoed:

Attachments	(Terms of Use)

Description msiddiqu 2019-11-19 14:18:02 UTC

In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Upstream issue: 

https://github.com/flavorjones/loofah/issues/171

References:  

https://hackerone.com/reports/709009
https://www.debian.org/security/2019/dsa-4554
https://www.debian.org/security/2019/dsa-4554
https://www.openwall.com/lists/oss-security/2019/10/22/1

Comment 1 msiddiqu 2019-11-19 14:20:31 UTC

Upstream commit: 

https://github.com/flavorjones/loofah/commit/0c6617af440879ce97440f6eb6c58636456dc8ec

Comment 12 Cedric Buissart 2020-02-20 13:34:13 UTC

Created rubygem-loofah tracking bugs for this issue:

Affects: fedora-all [bug 1805200]

Comment 13 Cedric Buissart 2020-02-20 13:52:44 UTC

Statement:

Supported versions of Satellite 6 contain a vulnerable version of rubygem-loofah. However, it is not possible to inject untrusted SVG files, and thus it is considered that this vulnerability can not be triggered. A future update may fix this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.

bbuckingham
bcourt
bkearney
bmidwood
btotty
dajohnso
dmetzger
gblomqui
gmccullo
gtanzill
hhorak
hhudgeon
jaruga
jhardy
jorton
kdixon
ktdreyer
lavenel
lzap
mmccune
pvalena
rchan
rjerrido
roliveri
ruby-maint
ruby-packagers-sig
simaishi
sokeeffe
vondruch
ytale