1774081 – (CVE-2019-15587) CVE-2019-15587 rubygem-loofah: XXS when a crafted SVG element is republished

Bug 1774081 (CVE-2019-15587) - CVE-2019-15587 rubygem-loofah: XXS when a crafted SVG element is republished

Summary: CVE-2019-15587 rubygem-loofah: XXS when a crafted SVG element is republished

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-15587
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Red Hat1791636 Red Hat1791637 Red Hat1791638 Red Hat1791639 Red Hat1791640 Red Hat1791641 Red Hat1791642 Red Hat1791643 Red Hat1791644 Red Hat1791645 Red Hat1791646 Red Hat1791647 Red Hat1797919 Red Hat1797920 Red Hat1797921 Red Hat1797922 Red Hat1797923 Red Hat1797924 Engineering1805187 1805200
Blocks:	Embargoed1774086
TreeView+	depends on / blocked

Reported:	2019-11-19 14:18 UTC by msiddiqu
Modified:	2021-12-14 18:47 UTC (History)
CC List:	30 users (show)
Fixed In Version:	rubygem-loofah 2.3.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-27 10:55:41 UTC

Attachments	(Terms of Use)

Description msiddiqu 2019-11-19 14:18:02 UTC

In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Upstream issue: 

https://github.com/flavorjones/loofah/issues/171

References:  

https://hackerone.com/reports/709009
https://www.debian.org/security/2019/dsa-4554
https://www.debian.org/security/2019/dsa-4554
https://www.openwall.com/lists/oss-security/2019/10/22/1

Comment 1 msiddiqu 2019-11-19 14:20:31 UTC

Upstream commit: 

https://github.com/flavorjones/loofah/commit/0c6617af440879ce97440f6eb6c58636456dc8ec

Comment 12 Cedric Buissart 2020-02-20 13:34:13 UTC

Created rubygem-loofah tracking bugs for this issue:

Affects: fedora-all [bug 1805200]

Comment 13 Cedric Buissart 2020-02-20 13:52:44 UTC

Statement:

Supported versions of Satellite 6 contain a vulnerable version of rubygem-loofah. However, it is not possible to inject untrusted SVG files, and thus it is considered that this vulnerability can not be triggered. A future update may fix this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.

bbuckingham
bcourt
bkearney
bmidwood
btotty
dajohnso
dmetzger
gblomqui
gmccullo
gtanzill
hhorak
hhudgeon
jaruga
jhardy
jorton
kdixon
ktdreyer
lavenel
lzap
mmccune
pvalena
rchan
rjerrido
roliveri
ruby-maint
ruby-packagers-sig
simaishi
sokeeffe
vondruch
ytale