ruby-rails-html-sanitizer: CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520


Debian Bug report logs - #1027153

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 28 Dec 2022 18:00:02 UTC

Severity: grave

Tags: security, upstream



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#1027153; Package src:ruby-rails-html-sanitizer. (Wed, 28 Dec 2022 18:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 28 Dec 2022 18:00:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: ruby-rails-html-sanitizer: CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520
Date: Wed, 28 Dec 2022 18:57:07 +0100
Source: ruby-rails-html-sanitizer
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rails-html-sanitizer.

CVE-2022-23517[0]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Certain configurations of rails-html-sanitizer
| < 1.4.4 use an inefficient regular expression that is susceptible
| to excessive backtracking when attempting to sanitize certain SVG
| attributes. This may lead to a denial of service through CPU resource
| consumption. This issue has been patched in version 1.4.4.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979

CVE-2022-23518[1]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to
| cross-site scripting via data URIs when used in combination with
| Loofah >= 2.1.0. This issue is patched in version 1.4.4.

https://github.com/rails/rails-html-sanitizer/issues/135
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

CVE-2022-23519[2]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Prior to version 1.4.4, a possible XSS
| vulnerability with certain configurations of Rails::Html::Sanitizer
| may allow an attacker to inject content if the application developer
| has overridden the sanitizer's allowed tags in either of the following
| ways: allow both "math" and "style" elements, or allow both "svg" and
| "style" elements. Code is only impacted if allowed tags are being
| overridden. This issue is fixed in version 1.4.4. All users
| overriding the allowed tags to include "math" or "svg" and "style"
| should either upgrade or use the following workaround immediately:
| Remove "style" from the overridden allowed tags, or remove "math" and
| "svg" from the overridden allowed tags.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

CVE-2022-23520[3]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Prior to version 1.4.4, there is a possible XSS
| vulnerability with certain configurations of Rails::Html::Sanitizer
| due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may
| allow an attacker to inject content if the application developer has
| overridden the sanitizer's allowed tags to allow both "select" and
| "style" elements. Code is only impacted if allowed tags are being
| overridden. This issue is patched in version 1.4.4. All users
| overriding the allowed tags to include both "select" and "style"
| should either upgrade or use this workaround: Remove either "select"
| or "style" from the overridden allowed tags. NOTE: Code is _not_
| impacted if allowed tags are overridden using either the :tags option
| to the Action View helper method sanitize or the :tags option to the
| instance method SafeListSanitizer#sanitize.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23517
    https://www.cve.org/CVERecord?id=CVE-2022-23517
[1] https://security-tracker.debian.org/tracker/CVE-2022-23518
    https://www.cve.org/CVERecord?id=CVE-2022-23518
[2] https://security-tracker.debian.org/tracker/CVE-2022-23519
    https://www.cve.org/CVERecord?id=CVE-2022-23519
[3] https://security-tracker.debian.org/tracker/CVE-2022-23520
    https://www.cve.org/CVERecord?id=CVE-2022-23520

Please adjust the affected versions in the BTS as needed.
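As an added illustration (not part of the bug report or of the rails-html-sanitizer project), the following Ruby helper turns the advisory text above into two checks a maintainer can run over an application's configuration: a version gate for the 1.4.4 fix shared by all four CVEs, and a scan of an allowed-tag override for the "style" + "math"/"svg"/"select" combinations named in CVE-2022-23519 and CVE-2022-23520, together with the advisory's workaround. The tag list is a constructed sample standing in for the value an app would assign to Rails::Html::SafeListSanitizer.allowed_tags; the gem itself is not required so the script runs offline.

```ruby
# Added example, not code from the bug report or from rails-html-sanitizer.
# Audits an allowed-tag override for the combinations named in
# CVE-2022-23519 / CVE-2022-23520 and gates on the 1.4.4 fix release.
require "set"

# Elements the advisories pair with "style" as a risky override.
RISKY_PARTNERS = %w[math svg select].freeze
# All four CVEs in the report are fixed in this release.
FIXED_VERSION = Gem::Version.new("1.4.4")

# Returns the risky pairs found in an allowed-tag override, e.g.
# [["style", "svg"]]; empty when the override is not affected.
def risky_tag_pairs(allowed_tags)
  tags = Set.new(allowed_tags.map(&:to_s))
  return [] unless tags.include?("style")
  RISKY_PARTNERS.select { |t| tags.include?(t) }.map { |t| ["style", t] }
end

# True when the installed gem is older than the patched 1.4.4 release.
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# Advisory workaround: drop "style" (default), or keep "style" and drop
# the math/svg/select partners instead when keep_style: true.
def apply_workaround(allowed_tags, keep_style: false)
  tags = allowed_tags.map(&:to_s)
  return tags if risky_tag_pairs(tags).empty?
  keep_style ? tags - RISKY_PARTNERS : tags - ["style"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an app that extended the default safe list.
  override = %w[p a b i svg style]
  puts "pairs: #{risky_tag_pairs(override).inspect}"          # [["style", "svg"]]
  puts "1.4.3 vulnerable? #{vulnerable_version?('1.4.3')}"    # true
  puts "workaround: #{apply_workaround(override).inspect}"     # drops "style"
end
```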



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 28 Dec 2022 19:45:08 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Dec 29 16:36:17 2022; Machine Name: buxtehude
