Bugzilla – Bug 802406
VUL-0: CVE-2013-0256: rubygem-rdoc: XSS exploit of RDoc documentation generated by rdoc
Last modified: 2015-02-04 15:32:58 UTC
is public via http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/ ........ quoting ......... RDoc documentation generated by rdoc bundled with ruby are vulnerable to an XSS exploit. All ruby users are recommended to update ruby to newer version which includes security-fixed RDoc. If you are publishing RDoc documentation generated by rdoc, you are recommended to apply a patch for the documentaion or re-generate it with security-fixed RDoc. Impact RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit may lead to cookie disclosure to third parties. Details The exploit exists in darkfish.js which is copied from the RDoc install location to the generated documentation. RDoc is a static documentation generation tool. Patching the library itself is insufficient to correct this exploit. Those hosting rdoc documentation will need to apply the following patch. Solution Please apply the following patch to rdoc documatation. If applied while ignoring whitespace, this patch will correct all affected versions: diff --git darkfish.js darkfish.js index 4be722f..f26fd45 100644 --- darkfish.js +++ darkfish.js @@ -109,13 +109,15 @@ function hookSearch() { function highlightTarget( anchor ) { console.debug( "Highlighting target '%s'.", anchor ); - $("a[name=" + anchor + "]").each( function() { - if ( !$(this).parent().parent().hasClass('target-section') ) { - console.debug( "Wrapping the target-section" ); - $('div.method-detail').unwrap( 'div.target-section' ); - $(this).parent().wrap( '<div class="target-section"></div>' ); - } else { - console.debug( "Already wrapped." ); + $("a[name]").each( function() { + if ( $(this).attr("name") == anchor ) { + if ( !$(this).parent().parent().hasClass('target-section') ) { + console.debug( "Wrapping the target-section" ); + $('div.method-detail').unwrap( 'div.target-section' ); + $(this).parent().wrap( '<div class="target-section"></div>' ); + } else { + console.debug( "Already wrapped." ); + } } }); }; And, if you are using ruby 1.9, please update ruby-1.9.3 patchlevel 385. If you are using ruby 2.0.0 rc1 or prior or ruby trunk, please update to ruby 2.0.0 rc2 or trunk revision 39102 or later. You can also update RDoc itself with rubygems to RDoc 3.12.1 or RDoc 4.0.0.rc.2. Affected versions All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 383 All ruby 2.0 versions prior to ruby 2.0.0 rc2 or prior to trunk revision 39102 Credit This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>. This vulnerability has been assigned the CVE identifier CVE-2013-0256.
https://github.com/rdoc/rdoc/commit/ffa87887ee0517793df7541629a470e331f9fe60
bugbot adjusting priority
From: Eric Hodel <drbrain@segment7.net> RDoc 3.9.5, 3.12.1 and 4.0.0.rc.2 have also been released http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2
The SWAMPID for this issue is 51096. This issue was rated as moderate. Please submit fixed packages until 2013-02-21. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
This is an autogenerated message for OBS integration: This bug (802406) was mentioned in https://build.opensuse.org/request/show/154919 Factory / ruby19 https://build.opensuse.org/request/show/154920 Maintenance /
submitted
openSUSE-SU-2013:0303-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 802406 CVE References: CVE-2013-0256 Sources used: openSUSE 12.2 (src): rubygem-rdoc-3.12.1-2.4.1 openSUSE 12.1 (src): rubygem-rdoc-2.5.11-3.4.1
24436 24437
rubygem-rdoc parts are released. lets close
openSUSE-SU-2013:0376-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 783511,789983,791199,802406 CVE References: CVE-2012-4464,CVE-2012-4466,CVE-2012-4522,CVE-2012-5371,CVE-2013-0256 Sources used: openSUSE 12.2 (src): ruby19-1.9.3.p385-3.18.1
Update released for: rubygem-rdoc Products: SLE-SLMS 1.2 (x86_64) SLE-WEBYAST 1.2 (i386, ia64, ppc64, s390x, x86_64)
Update released for: rubygem-rdoc, rubygem-rdoc-doc, rubygem-rdoc-testsuite Products: SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
Update released for: ruby19, ruby19-debuginfo, ruby19-debugsource, ruby19-devel, ruby19-devel-extra, ruby19-doc-ri, ruby19-tk Products: SLE-STUDIOONSITE 1.3 (x86_64)