Bugzilla – Bug 963327
VUL-0: CVE-2015-7579: rubygem-rails-html-sanitizer: XSS vulnerability in rails-html-sanitizer
Last modified: 2018-07-19 15:05:43 UTC
Created attachment 662971 [details]
Do-not-unescape-already-escaped-HTML-entities.patch

EMBARGOED via distros
CRD: 2016-01-15
bundled in: OBS, Portus

XSS vulnerability in rails-html-sanitizer

There is an XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`.

This vulnerability has been assigned the CVE identifier CVE-2015-7579.

Versions Affected: 1.0.2
Not affected: 1.0.0, 1.0.1
Fixed Versions: 1.0.3

Impact
------

Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's `strip_tags`, these entities will be unescaped, which may cause an XSS attack if used in combination with `raw` or `html_safe`.

For example:

```
strip_tags("&lt;script&gt;alert('XSS')&lt;/script&gt;")
```

Would generate:

```
<script>alert('XSS')</script>
```

After the fix it will generate:

```
&lt;script&gt;alert('XSS')&lt;/script&gt;
```

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

If you can't upgrade, please use the following monkey patch in an initializer that is loaded before your application:

```
$ cat config/initializers/strip_tags_fix.rb
class ActionView::Base
  def strip_tags(html)
    self.class.full_sanitizer.sanitize(html)
  end
end
```

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* Do-not-unescape-already-escaped-HTML-entities.patch

Credits
-------

Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for reporting the problem and working with us to fix it.
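As an added illustration (not code from the advisory, the gem or the attached patch), the Ruby below models the behaviour the advisory describes with a simplified regex tag stripper and gives a regression check an application can point at its real `strip_tags`. The function names and the extra sample inputs are constructed for this example.

```ruby
require "cgi"

ESCAPED_INPUT = "&lt;script&gt;alert('XSS')&lt;/script&gt;" # the advisory's own example

# Constructed model of the affected behaviour (not the gem's source): tags are
# stripped, then the remaining text is HTML-unescaped, so entities the caller had
# already escaped come back as live markup.
def strip_tags_affected(html)
  CGI.unescapeHTML(html.gsub(/<[^>]*>/, ""))
end

# Constructed model of the fixed behaviour: tags are stripped and the text is
# left exactly as it was, so "&lt;" stays "&lt;".
def strip_tags_fixed(html)
  html.gsub(/<[^>]*>/, "")
end

# Regression check for whatever sanitizer an application actually uses (pass a
# callable that takes a String and returns a String): already escaped input must
# survive unchanged, otherwise handing the result to `raw`/`html_safe`
# reintroduces the XSS the advisory describes.
def preserves_escaped_entities?(sanitizer)
  [ESCAPED_INPUT, "a &amp;&amp; b", "&#39;quoted&#39;"].all? do |escaped|
    sanitizer.call(escaped) == escaped
  end
end

if __FILE__ == $PROGRAM_NAME
  puts strip_tags_affected(ESCAPED_INPUT) # => <script>alert('XSS')</script>
  puts strip_tags_fixed(ESCAPED_INPUT)    # => &lt;script&gt;alert('XSS')&lt;/script&gt;
  puts preserves_escaped_entities?(method(:strip_tags_affected)) # => false
  puts preserves_escaped_entities?(method(:strip_tags_fixed))    # => true
end
```

In a Rails app the same check can be run in a test against `ActionView::Base.full_sanitizer.method(:sanitize)` to confirm the upgraded gem no longer unescapes.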
bugbot adjusting priority
CRD: 2016-01-25
public at http://seclists.org/oss-sec/2016/q1/205
Created attachment 663375 [details] test/reproducer
regarding openSUSE, this package is in Leap
Jürgen, I saw your submission https://build.opensuse.org/request/show/356270. Could you check whether the fixes for bug 963327 and bug 963328 are missing?
This is an autogenerated message for OBS integration: This bug (963327) was mentioned in https://build.opensuse.org/request/show/356287 42.1 / rubygem-rails-html-sanitizer
all submissions done. Assigning to security-team.
openSUSE-SU-2016:0356-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328
CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580
Sources used:
openSUSE Leap 42.1 (src): rubygem-rails-html-sanitizer-1.0.2-5.1
SUSE-SU-2016:0391-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328
CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580
Sources used:
SUSE Enterprise Storage 2.1 (src): rubygem-rails-html-sanitizer-1.0.2-7.1
released
SUSE-SU-2016:1146-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328,963563,963604,963608,963617,963625,963627,969943
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7578,CVE-2015-7579,CVE-2015-7580,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753,CVE-2016-2098
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): portus-2.0.3-2.4