Bug 853628 (CVE-2013-6416) - VUL-0: CVE-2013-6416: rubygem-actionpack: simple_format XSS
Summary: VUL-0: CVE-2013-6416: rubygem-actionpack: simple_format XSS
Status: RESOLVED INVALID
Alias: CVE-2013-6416
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Jordi Massaguer
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-04 13:02 UTC by Alexander Bergmann
Modified: 2013-12-10 12:18 UTC (History)
CC List: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch for 4.0.x (1.11 KB, patch)
2013-12-04 13:03 UTC, Alexander Bergmann

Description Alexander Bergmann 2013-12-04 13:02:16 UTC
CVE-2013-6416 is public via oss-security.

XSS Vulnerability in simple_format helper 

There is a vulnerability in the simple_format helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6416.

Versions Affected:  4.0.0 & 4.0.1
Not affected:       Versions prior to 4.0
Fixed Versions:     4.0.2

Impact 
------ 
The simple_format helper converts user supplied text into HTML text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as HTML attributes will be vulnerable to an XSS attack.

All users running an affected release and passing user-controlled HTML attributes to simple_format should either upgrade or use one of the workarounds immediately.

Releases 
-------- 
The 4.0.2 release is available at the normal locations. 

Workarounds 
----------- 
To work around this issue, take care to escape any user provided data before passing it to simple_format. 
For example, instead of:

  simple_format(some_text, class: params[:class])

You should use

  simple_format(some_text, class: h(params[:class]))

Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided a patch for the 4.0 release series. It is in git-am format and consists of a single changeset. 

* 4-0-simple_format_xss.patch - Patch for 4.0 series 

Please note that only the 4.0.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits 
------- 
Thanks to Kevin Reintjes for reporting the vulnerability to us and helping us work on a fix.

References:
http://permalink.gmane.org/gmane.comp.security.oss.general/11603
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6416
https://bugzilla.redhat.com/show_bug.cgi?id=1036914
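The workaround above, as an added example that is not part of the advisory or of Rails itself: escape every value in the html_options hash before it reaches simple_format, using ERB::Util.html_escape (the method the Rails h() helper delegates to). It generalises the advisory's single `class:` case to all option values; the render_attrs stand-in is an assumption used only to show the effect without loading Rails.

```ruby
# Added example: escape user-controlled attribute values before handing them
# to simple_format. Uses only the Ruby standard library.
require 'erb'

# Escape every value of an html_options hash (the hash simple_format turns
# into attributes on its <p> tags). Keys are assumed to be application
# constants, so only values are escaped.
def escape_html_options(html_options)
  html_options.each_with_object({}) do |(name, value), out|
    out[name] = ERB::Util.html_escape(value.to_s)
  end
end

# Minimal stand-in (assumption, not Rails code) for the attribute rendering
# simple_format performs, so the effect of escaping is visible offline.
def render_attrs(html_options)
  html_options.map { |name, value| %(#{name}="#{value}") }.join(' ')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input standing in for params[:class]: a quote inside the
  # value would otherwise close the attribute early.
  user_class = 'highlight"x'
  puts render_attrs(class: user_class)                      # class="highlight"x"
  puts render_attrs(escape_html_options(class: user_class)) # class="highlight&quot;x"
end
```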
Comment 1 Alexander Bergmann 2013-12-04 13:03:03 UTC
Created attachment 570191
patch for 4.0.x
Comment 2 Jordi Massaguer 2013-12-04 13:09:18 UTC
I am assigning the bug for packaging.
Comment 3 Alexander Bergmann 2013-12-04 13:16:33 UTC
This bug does not affect either SLE or openSUSE products as we're not using the 4.0.x branch yet.
Comment 4 Swamp Workflow Management 2013-12-04 23:00:32 UTC
bugbot adjusting priority
Comment 6 Jordi Massaguer 2013-12-10 12:18:52 UTC
rails 4.0 is not in any SUSE product.