Bugzilla – Bug 1085967
VUL-1: CVE-2018-8048: rubygem-loofah: XSS Vulnerability due to unescaped characters by libxml2
Last modified: 2020-04-29 12:45:35 UTC
# CVE-2018-8048 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.

## Severity

Medium (6.7)

## Description

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Report: https://github.com/flavorjones/loofah/issues/144

## Affected Versions

Loofah < 2.2.1, but only:

* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.

Please note: JRuby users are not affected.

## Mitigation

Upgrade to Loofah 2.2.1.

## History of this public disclosure

2018-03-19: Initial vulnerability report published

Fixed by: https://github.com/flavorjones/loofah/commit/4a08c25a603654f2fc505a7d2bf0c35a39870ad7

Used in:
Storage_3 SUSE:SLE-12:Update
Storage_4 SUSE:SLE-12:Update
OpenStack-Cloud_6 SUSE:SLE-12:Update
OpenStack-Cloud_7 SUSE:SLE-12:Update

I don't know if they use the libxml2 of SUSE:SLE-12:Update or SUSE:SLE-12-SP2:Update. Only SUSE:SLE-12-SP2:Update has a libxml2 that makes it problematic, but we should patch it anyway.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8048
http://seclists.org/oss-sec/2018/q1/253
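The affected-version conditions in the advisory above (Loofah < 2.2.1, only on MRI or Rubinius, only with libxml2 >= 2.9.2, never on JRuby) are easy to misjudge by hand because three independent facts have to line up. The following is an added example, not code from the bug report or from the Loofah project: it encodes those conditions as a pure check that an inventory or CI script can call, plus an optional live check for the current interpreter. The version strings in the test are constructed; the Nokogiri `VERSION_INFO` keys used for the live check (`"libxml" => {"loaded"/"compiled"}`) are assumed to be present and are wrapped so a missing gem yields `nil` rather than a false verdict.

```ruby
# Added example (not from the bug thread or Loofah): encodes the CVE-2018-8048
# affected-version conditions from the advisory as a reusable check.
require "rubygems"

# Loofah < 2.2.1 is affected only on MRI (RUBY_ENGINE "ruby") or Rubinius
# ("rbx") when the linked libxml2 is >= 2.9.2. JRuby does not use libxml2
# and is therefore never affected.
FIXED_LOOFAH     = Gem::Version.new("2.2.1")
MIN_LIBXML2      = Gem::Version.new("2.9.2")
AFFECTED_ENGINES = %w[ruby rbx].freeze

# Pure function: takes the three facts as strings and returns true only
# when every advisory condition holds at once.
def loofah_cve_2018_8048_affected?(loofah_version, libxml2_version, ruby_engine)
  return false unless AFFECTED_ENGINES.include?(ruby_engine)

  Gem::Version.new(loofah_version) < FIXED_LOOFAH &&
    Gem::Version.new(libxml2_version) >= MIN_LIBXML2
end

# Live check for the running interpreter. Reads Loofah's version and the
# libxml2 version Nokogiri actually loaded (falling back to the compiled-
# against version). Returns nil when either gem is not installed, so the
# caller can distinguish "not affected" from "could not determine".
# Assumption: Nokogiri::VERSION_INFO exposes "libxml" => {"loaded", "compiled"}.
def current_environment_affected?
  require "loofah"
  require "nokogiri"
  libxml_info = Nokogiri::VERSION_INFO["libxml"] || {}
  libxml2 = libxml_info["loaded"] || libxml_info["compiled"]
  return nil unless libxml2

  loofah_cve_2018_8048_affected?(Loofah::VERSION, libxml2, RUBY_ENGINE)
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  # The packaged version named in this bug (loofah-2.0.2) against a
  # constructed libxml2 2.9.x on MRI: affected.
  puts loofah_cve_2018_8048_affected?("2.0.2", "2.9.4", "ruby")
  puts current_environment_affected?.inspect
end
```

The check deliberately keeps the version comparison in `Gem::Version` rather than string comparison, so "2.10.0" is correctly treated as newer than "2.9.2"; a naive lexical comparison would mark a patched libxml2 as safe or unsafe by accident.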
SUSE-SU-2018:1082-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1085967,1086598
CVE References: CVE-2018-3741,CVE-2018-8048
Sources used:
SUSE CaaS Platform ALL (src): sles12-velum-image-2.0.1-2.7.3
The maintenance under testing in https://maintenance.suse.de/incident/9348 seems to break this:

Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: [29829] ! Unable to load application: LoadError: cannot load such file -- loofah/html5/libxml2_workarounds
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- loofah/html5/libxml2_workarounds (LoadError)
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/loofah-2.0.2/lib/loofah.rb:9:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/rails-html-sanitizer-1.0.3/lib/rails-html-sanitizer.rb:2:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers/sanitize_helper.rb:3:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers/text_helper.rb:32:in `<module:TextHelper>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers/text_helper.rb:29:in `<module:Helpers>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers/text_helper.rb:6:in `<module:ActionView>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers/text_helper.rb:4:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers/form_tag_helper.rb:18:in `<module:FormTagHelper>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers/form_tag_helper.rb:14:in `<module:Helpers>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers/form_tag_helper.rb:8:in `<module:ActionView>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers/form_tag_helper.rb:6:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers/form_helper.rb:4:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers.rb:50:in `<module:Helpers>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers.rb:4:in `<module:ActionView>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/actionview-4.2.9/lib/action_view/helpers.rb:3:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sprockets-rails-2.3.1/lib/sprockets/rails/legacy_asset_tag_helper.rb:7:in `<module:LegacyAssetTagHelper>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sprockets-rails-2.3.1/lib/sprockets/rails/legacy_asset_tag_helper.rb:6:in `<module:Rails>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sprockets-rails-2.3.1/lib/sprockets/rails/legacy_asset_tag_helper.rb:4:in `<module:Sprockets>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sprockets-rails-2.3.1/lib/sprockets/rails/legacy_asset_tag_helper.rb:3:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sprockets-rails-2.3.1/lib/sprockets/rails/helper.rb:54:in `<module:Helper>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sprockets-rails-2.3.1/lib/sprockets/rails/helper.rb:7:in `<module:Rails>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sprockets-rails-2.3.1/lib/sprockets/rails/helper.rb:6:in `<module:Sprockets>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sprockets-rails-2.3.1/lib/sprockets/rails/helper.rb:5:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sprockets-rails-2.3.1/lib/sprockets/railtie.rb:6:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sass-rails-5.0.3/lib/sass/rails/railtie.rb:3:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sass-rails-5.0.3/lib/sass/rails.rb:11:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/gems/2.1.0/gems/sass-rails-5.0.3/lib/sass-rails.rb:1:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /opt/dell/crowbar_framework/config/boot.rb:37:in `<top (required)>'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'
Nov 19 13:17:21 crowbar.vf2.cloud.suse.de puma[29829]: from /usr/lib64/ruby/2.1.0/rubygems/core_ext/kernel_require.rb:55:in `require'

It looks like the new file that is added by this patch isn't properly packaged in the update. All Cloud CI jobs are failing on this. Please remove it from the update test channels.
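The failure in the comment above is a packaging defect rather than a code defect: the backported fix added `loofah/html5/libxml2_workarounds`, `loofah.rb` requires it, but the update did not ship the file, so every application that loads Loofah dies at boot. That class of problem is cheap to catch before an update reaches a test channel. The following is an added example, not code from the bug thread or from Loofah or the SUSE packaging: it walks a gem's `lib/` tree, collects `require` statements that point into the gem's own namespace, and reports any whose target file is absent. The miniature `lib/` tree it builds for the demonstration is constructed to mirror the traceback (`loofah.rb` requiring the missing workaround file); the exact contents of the real `loofah.rb` are not on the page and are an assumption.

```ruby
# Added example (not from the bug thread, Loofah, or SUSE packaging): detects
# `require` statements inside a gem's lib/ tree that reference files the
# package does not contain, the defect behind the LoadError shown above.
require "tmpdir"
require "fileutils"

# Matches a static `require 'x/y'` or `require "x/y"` at the start of a line.
REQUIRE_RE = /\A\s*require\s+['"]([^'"]+)['"]/

# Returns an array of [relative_source_file, missing_feature] pairs.
# Only requires whose first path component is a top-level entry of lib/
# (the gem's own namespace) are checked, so requires of other gems such as
# 'nokogiri' are ignored. A feature is considered present when
# lib/<feature>.rb exists.
def missing_internal_requires(lib_dir)
  own_namespaces = Dir.entries(lib_dir)
                      .reject { |n| n.start_with?(".") }
                      .map { |n| n.sub(/\.rb\z/, "") }

  Dir.glob(File.join(lib_dir, "**", "*.rb")).sort.flat_map do |file|
    File.readlines(file).map do |line|
      feature = line[REQUIRE_RE, 1]
      next unless feature && own_namespaces.include?(feature.split("/").first)
      next if File.exist?(File.join(lib_dir, "#{feature}.rb"))

      [file.sub("#{lib_dir}/", ""), feature]
    end.compact
  end
end

# Builds a constructed miniature of the broken update: loofah.rb requires
# the workaround file, but lib/loofah/html5/libxml2_workarounds.rb is not
# shipped. The file contents are an assumption modelled on the traceback.
def demo_broken_loofah_package
  Dir.mktmpdir("loofah-pkg-check") do |root|
    lib = File.join(root, "lib")
    FileUtils.mkdir_p(File.join(lib, "loofah", "html5"))
    File.write(File.join(lib, "loofah.rb"), <<~RUBY)
      require 'nokogiri'
      require 'loofah/metahelpers'
      require 'loofah/html5/libxml2_workarounds'
    RUBY
    File.write(File.join(lib, "loofah", "metahelpers.rb"), "module Loofah; end\n")
    missing_internal_requires(lib)
  end
end

if $PROGRAM_NAME == __FILE__
  # Point this at an unpacked gem or rpm payload, e.g.
  # missing_internal_requires("/usr/lib64/ruby/gems/2.1.0/gems/loofah-2.0.2/lib")
  demo_broken_loofah_package.each do |source, feature|
    warn "#{source}: requires '#{feature}' but lib/#{feature}.rb is not packaged"
  end
end
```

Run against the unpacked update payload (the `lib/` directory of the installed gem) as a pre-release gate; a non-empty result means the package will raise `LoadError` for every consumer, exactly as puma did here. The check is static and only sees literal `require` strings, which is sufficient for the top-of-file requires that a backport typically adds.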
SUSE-SU-2019:0394-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1085967,1113969
CVE References: CVE-2018-16468,CVE-2018-8048
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): rubygem-loofah-2.0.2-3.5.1
SUSE OpenStack Cloud 7 (src): rubygem-loofah-2.0.2-3.5.1
SUSE Enterprise Storage 4 (src): rubygem-loofah-2.0.2-3.5.1
Done