Bugzilla – Bug 963328
VUL-0: CVE-2015-7580: rubygem-rails-html-sanitizer: XSS via whitelist sanitizer
Last modified: 2018-07-19 15:05:47 UTC
Created attachment 662972 [details] 1-0-whitelist_sanitizer_xss.patch

EMBARGOED via distros
CRD: 2016-01-15
bundled in: OBS, Portus

Possible XSS vulnerability in rails-html-sanitizer

There is a possible XSS vulnerability in the white list sanitizer in the rails-html-sanitizer gem. This vulnerability has been assigned the CVE identifier CVE-2015-7580.

Versions Affected: All.
Not affected: None.
Fixed Versions: v1.0.3

Impact
------

Carefully crafted strings can cause user input to bypass the sanitization in the white list sanitizer, which can lead to an XSS attack. Vulnerable code will look something like this:

<%= sanitize user_input, tags: %w(em) %>

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

Putting the following monkey patch in an initializer can help to mitigate the issue:

```
class Rails::Html::PermitScrubber
  alias :old_scrub :scrub
  alias :old_skip_node? :skip_node?

  def scrub(node)
    if node.cdata?
      text = node.document.create_text_node node.text
      node.replace text
      return CONTINUE
    end
    old_scrub node
  end

  def skip_node?(node); node.text?; end
end
```

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 1-0-whitelist_sanitizer_xss.patch - Patch for 1.0 series

Credits
-------

Thanks to Arnaud Germis, Nate Clark, and John Colvin for reporting this issue.
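As an added illustration (not code from the advisory above and not the rails-html-sanitizer gem's own implementation), the following Ruby models why the workaround replaces CDATA nodes with text nodes before the tree is serialized. A whitelist scrubber enforces its policy on element names; any node type whose content is written out verbatim instead of being entity-escaped therefore carries markup past the whitelist unchecked. The `Node` class, its serializer rules (text escaped, CDATA content emitted verbatim), and the `PermitScrubber`/`sanitize` helpers are assumptions of this model, chosen to mirror the shape of the monkey patch, not the gem's API; the sample fragment is constructed.

```ruby
require 'cgi'

# Hypothetical minimal DOM (an assumption of this illustration, not Nokogiri):
# a node is an element, a text node or a CDATA section.
class Node
  attr_reader :kind, :name, :content, :children

  def initialize(kind, name: nil, content: nil, children: [])
    @kind = kind
    @name = name
    @content = content
    @children = children
  end

  def text?;    @kind == :text;    end
  def cdata?;   @kind == :cdata;   end
  def element?; @kind == :element; end

  # Assumed serializer rules: text is entity-escaped on output, CDATA content
  # is written out verbatim, elements recurse into their children.
  def to_html
    case @kind
    when :text    then CGI.escapeHTML(@content)
    when :cdata   then @content
    when :element then "<#{@name}>#{@children.map(&:to_html).join}</#{@name}>"
    end
  end
end

# Whitelist scrubber modelled on the advisory's monkey patch: permitted elements
# are kept, other elements are replaced by their (scrubbed) children, and, when
# convert_cdata is true, a CDATA node is replaced by an equivalent text node.
class PermitScrubber
  def initialize(allowed_tags, convert_cdata:)
    @allowed = allowed_tags
    @convert_cdata = convert_cdata
  end

  # Returns the list of nodes that stand in for +node+ in the sanitized tree.
  def scrub(node)
    return [Node.new(:text, content: node.content)] if node.cdata? && @convert_cdata
    return [node] if node.text? || node.cdata?       # leaf nodes pass through unchanged
    kids = node.children.flat_map { |child| scrub(child) }
    return kids unless @allowed.include?(node.name)  # drop the tag, keep its content
    [Node.new(:element, name: node.name, children: kids)]
  end
end

# Sanitize a fragment (array of top-level nodes) and serialize the result.
def sanitize(fragment, tags:, convert_cdata: true)
  scrubber = PermitScrubber.new(tags, convert_cdata: convert_cdata)
  fragment.flat_map { |node| scrubber.scrub(node) }.map(&:to_html).join
end

# Constructed sample input: an <em> permitted by the whitelist, wrapping a CDATA
# section whose content is markup the whitelist never allowed, followed by a
# <span> (not permitted) holding ordinary text.
SAMPLE_FRAGMENT = [
  Node.new(:element, name: "em", children: [
    Node.new(:cdata, content: "<b>raw</b>")
  ]),
  Node.new(:element, name: "span", children: [Node.new(:text, content: "a < b")])
].freeze

if __FILE__ == $PROGRAM_NAME
  puts sanitize(SAMPLE_FRAGMENT, tags: %w[em], convert_cdata: false)
  # => <em><b>raw</b></em>a &lt; b   (unpermitted <b> reaches the output)
  puts sanitize(SAMPLE_FRAGMENT, tags: %w[em], convert_cdata: true)
  # => <em>&lt;b&gt;raw&lt;/b&gt;</em>a &lt; b
end
```

With `convert_cdata: false` the scrubber strips the unpermitted `<span>` but the CDATA content is emitted verbatim, so an element the whitelist never allowed ends up in the output; with the conversion in place the same content is serialized as escaped text. This is the property the advisory's `skip_node?` override preserves: once CDATA has become text, the scrubber has nothing left to inspect and can safely skip it.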
bugbot adjusting priority
CRD: 2016-01-25
what does CRD mean?
Public at http://seclists.org/oss-sec/2016/q1/208

(In reply to Jordi Massaguer from comment #3)
> what does CRD mean?

Coordinated Release Date, as part of the responsible disclosure procedure where vendors will be given advance notice of a vulnerability to get them into a position of having a security response ready, while keeping the patches/issue details embargoed during this period. On the CRD date upstream will make the issue public and vendors can publish updates, thus reducing the time a user may be exposed to a particular vulnerability.
Created attachment 663376 [details] test/reproducer
regarding openSUSE, this package is in Leap
Jürgen, I saw your submission https://build.opensuse.org/request/show/356270. Could you check whether the fixes for bug 963327 and bug 963328 are missing?
This is an autogenerated message for OBS integration: This bug (963328) was mentioned in https://build.opensuse.org/request/show/356287 42.1 / rubygem-rails-html-sanitizer
all submissions done. Assigning to security team.
openSUSE-SU-2016:0356-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328
CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580
Sources used:
openSUSE Leap 42.1 (src): rubygem-rails-html-sanitizer-1.0.2-5.1
SUSE-SU-2016:0391-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328
CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580
Sources used:
SUSE Enterprise Storage 2.1 (src): rubygem-rails-html-sanitizer-1.0.2-7.1
released
SUSE-SU-2016:1146-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328,963563,963604,963608,963617,963625,963627,969943
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7578,CVE-2015-7579,CVE-2015-7580,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753,CVE-2016-2098
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): portus-2.0.3-2.4