Debian Bug report logs - #429177
[CVE-2007-3227] XSS vulnerability in to_json
Reported by: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 16 Jun 2007 08:06:01 UTC
Severity: grave
Tags: security, upstream
Found in version rails/1.2.3-2
Fixed in version rails/1.2.4-1
Done: Adam Majer <adamm@zombino.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#429177; Package rails.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: New Bug report received and forwarded. Copy sent to Adam Majer <adamm@zombino.com>.
Message #5 received at submit@bugs.debian.org:
Package: rails
Version: 1.2.3-2
Severity: grave
Tags: security upstream
An XSS vulnerability in code that uses to_json has been disclosed:
<http://dev.rubyonrails.org/ticket/8371>
Please mention the name CVE-2007-3227 in the changelog when fixing
this bug. Do you think that an upgrade for the stable distribution is
necessary?
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#429177; Package rails.
Acknowledgement sent to Adam Majer <adamm@zombino.com>: Extra info received and forwarded to list.
Message #10 received at 429177@bugs.debian.org:
Florian Weimer wrote:
> Package: rails
> Version: 1.2.3-2
> Severity: grave
> Tags: security upstream
>
> An XSS vulnerability in code that uses to_json has been disclosed:
>
> <http://dev.rubyonrails.org/ticket/8371>
>
> Please mention the name CVE-2007-3227 in the changelog when fixing
> this bug. Do you think that an upgrade for the stable distribution is
> necessary?
I will take a look at it this weekend. Stable may need to be updated as
well.
Since this is an XSS problem, I don't think it needs a grave severity.
But then some will argue otherwise. Also, nothing on the "Ruby on Rails
security announcement list"... hmmmm....
- Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#429177; Package rails.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.
Message #15 received at 429177@bugs.debian.org:
Adam Majer wrote:
> Florian Weimer wrote:
> >Package: rails
> >Version: 1.2.3-2
> >Severity: grave
> >Tags: security upstream
> >
> >An XSS vulnerability in code that uses to_json has been disclosed:
> >
> > <http://dev.rubyonrails.org/ticket/8371>
> >
> >Please mention the name CVE-2007-3227 in the changelog when fixing
> >this bug. Do you think that an upgrade for the stable distribution is
> >necessary?
>
> I will take a look at it this weekend. Stable may need to be updated as
> well.
>
> Since this is an XSS problem, I don't think it needs a grave severity.
> But then some will argue otherwise. Also, nothing on the "Ruby on Rails
> security announcement list"... hmmmm....
(Note, I don't know Ruby on Rails). Does the affected function claim to sanitise
potentially harmful characters? If not, sanitising still needs to be done inside
the application using RoR and this is mostly a security-related wishlist
bug, but not an immediate vulnerability.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#429177; Package rails.
Acknowledgement sent to Adam Majer <adamm@zombino.com>: Extra info received and forwarded to list.
Message #20 received at 429177@bugs.debian.org:
Moritz Muehlenhoff wrote:
> Adam Majer wrote:
>> Since this is an XSS problem, I don't think it needs a grave severity.
>> But then some will argue otherwise. Also, nothing on the "Ruby on Rails
>> security announcement list"... hmmmm....
>
> (Note, I don't know Ruby on Rails). Does the affected function claim to sanitise
> potentially harmful characters? If not, sanitising still needs to be done inside
> the application using RoR and this is mostly a security-related wishlist
> bug, but not an immediate vulnerability.
The fix is going to have to be backported to stable and also to sid as
the current trunk (where the patch is) doesn't even contain the same files
anymore.
JSON is JavaScript Object Notation (json.org). It is supposed to be
used as a data interchange format. Data is to be passed to a web
application's javascript (or something like that - I have not used
JSON). Anyway, the problem is that the encoding function does NOT encode
stuff like < or >. If these are not escaped when passed in "encoded"
JSON, well, you get the XSS problem.
The changesets that fix the problem are at:
http://dev.rubyonrails.org/changeset/6893
http://dev.rubyonrails.org/changeset/6894
This is not a problem to backport to unstable and Etch, though.
- Adam
PS. The "security announcement group" for rails seems to be dead. Or
maybe they view XSS as not really security related?
http://groups.google.com/group/rubyonrails-security
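The point Adam makes above (a JSON encoder that leaves < and > untouched is unsafe once its output is inlined into an HTML page) can be shown in a few lines of Ruby. This is an added example, not the Rails changeset or any Debian patch: the function names and the sample value are mine, and the mitigation it shows is the generic one of emitting HTML-significant characters as JSON \uXXXX escapes, which leaves the parsed value unchanged while removing anything an HTML parser would read as markup.

```ruby
require 'json'

# Characters that are legal inside a JSON string but become dangerous when the
# JSON text is written straight into an HTML document (e.g. a <script> block).
# U+2028/U+2029 are included because they terminate JavaScript string literals.
HTML_SENSITIVE = {
  '<' => '\u003c',
  '>' => '\u003e',
  '&' => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

# Plain encoding: valid JSON, but "<" and ">" pass straight through.
def naive_json(value)
  JSON.generate(value)
end

# Hardened encoding: same value after parsing, safe to inline into HTML/JS.
def html_safe_json(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/) { |ch| HTML_SENSITIVE[ch] }
end

# The escaping must be lossless: both encodings decode to the same object.
def round_trips?(value)
  JSON.parse(html_safe_json(value)) == JSON.parse(naive_json(value))
end

# Would an HTML parser see a tag boundary anywhere in this text?
def contains_markup?(json_text)
  json_text.include?('<') || json_text.include?('>')
end

if __FILE__ == $0
  payload = { 'name' => '<b>hi</b> & </script>' } # constructed sample input
  puts naive_json(payload)      # {"name":"<b>hi</b> & </script>"}
  puts html_safe_json(payload)  # {"name":"\u003cb\u003ehi\u003c/b\u003e \u0026 \u003c/script\u003e"}
end
```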
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#429177; Package rails.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.
Message #25 received at 429177@bugs.debian.org:
Hi
I was just wondering what the progress of the backporting effort is.
Does it work for you to backport the changes and upload a new package version
to unstable?
Thanks in advance for your efforts.
Cheers
Steffen
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#429177; Package rails.
Acknowledgement sent to Sheldon Hearn <sheldonh@clue.co.za>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.
Message #30 received at 429177@bugs.debian.org:
It's possible that no backporting is required for sid, because
rails-1.2.4 has been released:
http://weblog.rubyonrails.com/2007/10/5/rails-1-2-4-maintenance-release
So that would leave etch the only target, and I'm not even sure if
rails-1.1.6 had json support.
So that just leaves lenny, and it might be quicker just to wait the 10
days for it to be promoted from sid to lenny, than to do the work of
backporting the XSS fix to 1.2.3.
Ciao,
Sheldon.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#429177; Package rails.
Acknowledgement sent to Adam Majer <adamm@zombino.com>: Extra info received and forwarded to list.
Message #35 received at 429177@bugs.debian.org:
Sheldon Hearn wrote:
> It's possible that no backporting is required for sid, because
> rails-1.2.4 has been released:
>
> http://weblog.rubyonrails.com/2007/10/5/rails-1-2-4-maintenance-release
Ha, just as I took the time yesterday to complete the backport to Sid :)
> So that would leave etch the only target, and I'm not even sure if
> rails-1.1.6 had json support.
It does. But there is another issue that is XSS problematic.
http://dev.rubyonrails.org/ticket/8877
Without this patch, it is possible to inject code under some
circumstances. The patch is giant and difficult to get into Sid. The
to_json patch is very simple in comparison.
To further complicate the problem, upstream is not really
security-centered. They established a security mailing list to inform
people about patches, but no posts even though there is a problem with
to_json and the above XSS. There was also a DoS attack possible (send
badly formatted XML and rails uses all CPU time) but that was caused on
the ruby library side.
> So that just leaves lenny, and it might be quicker just to wait the 10
> days for it to be promoted from sid to lenny, than to do the work of
> backporting the XSS fix to 1.2.3.
Lenny doesn't matter right now as part of security. This is not a remote
code execution, hence the foot-dragging on my part. It is only an XSS that is
specific to usage of some code in rails. There are ways a web
application can treat all input data and sanitize it without relying on
rails/ruby to do it with magic functions.
I'll upload 1.2.4 into Sid later today.
- Adam
Reply sent to Adam Majer <adamm@zombino.com>: You have taken responsibility.
Notification sent to Florian Weimer <fw@deneb.enyo.de>: Bug acknowledged by developer.
Message #40 received at 429177-close@bugs.debian.org:
Source: rails
Source-Version: 1.2.4-1
We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:
rails_1.2.4-1.diff.gz
to pool/main/r/rails/rails_1.2.4-1.diff.gz
rails_1.2.4-1.dsc
to pool/main/r/rails/rails_1.2.4-1.dsc
rails_1.2.4-1_all.deb
to pool/main/r/rails/rails_1.2.4-1_all.deb
rails_1.2.4.orig.tar.gz
to pool/main/r/rails/rails_1.2.4.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 429177@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Majer <adamm@zombino.com> (supplier of updated rails package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 08 Oct 2007 11:27:25 -0500
Source: rails
Binary: rails
Architecture: source all
Version: 1.2.4-1
Distribution: unstable
Urgency: low
Maintainer: Adam Majer <adamm@zombino.com>
Changed-By: Adam Majer <adamm@zombino.com>
Description:
rails - MVC ruby based framework geared for web application development
Closes: 429177
Changes:
rails (1.2.4-1) unstable; urgency=low
.
* New upstream release. Fixes at least 2 XSS bugs.
+ Secure #sanitize, #strip_tags, and #strip_links helpers against
xss attacks. Upstream changeset 7589
+ to_json did not escape values which allows for XSS. Applied
upstream changesets 6893, 6894. This bug has also been assigned
designation CVE-2007-3227 (closes: #429177)
* Add dependency on Sqlite3 as ActiveRecord supports this DB as
well
* Add dependency on libmocha which is needed by some unit tests
Files:
b73923f4639c2afd4909ba140b77ce97 607 web optional rails_1.2.4-1.dsc
f252dac383d3d8a8bcab0f2f81ad2fa0 1596239 web optional rails_1.2.4.orig.tar.gz
7b5d62cd3c359ad2570f223729b3a3ae 27130 web optional rails_1.2.4-1.diff.gz
4ba82161b80044ded100516688fd6efc 2283342 web optional rails_1.2.4-1_all.deb
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#429177; Package rails.
Acknowledgement sent to Sheldon Hearn <sheldonh@clue.co.za>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.
Message #45 received at 429177@bugs.debian.org:
The good news is, upstream seems to have taken disclosure complaints to
heart, and is now posting security advisories to the
rubyonrails-security Google Group:
The bad news is, it looks like CVE-2007-3227 is only fixed properly in
rails-1.2.5:
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/225dcc61aaefad42
Ciao,
Sheldon.
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#429177; Package rails.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.
Message #50 received at 429177@bugs.debian.org:
Hi Sheldon,
* Sheldon Hearn <sheldonh@clue.co.za> [2007-10-22 12:14]:
> The good news is, upstream seems to have taken disclosure complaints to
> heart, and is now posting security advisories to the
> rubyonrails-security Google Group:
>
> The bad news is, it looks like CVE-2007-3227 is only fixed properly in
> rails-1.2.5:
>
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/225dcc61aaefad42
Why do you think so? The post does not say more than that it is
recommended to install 1.2.5 because of CVE-2007-3227, but the
1.2.4 rails package in Debian includes debian/patches/changeset_r6893
which was the upstream changeset fixing this:
http://dev.rubyonrails.org/changeset/6893
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#429177; Package rails.
Acknowledgement sent to Sheldon Hearn <sheldonh@clue.co.za>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.
Message #55 received at 429177@bugs.debian.org:
On Monday 22 October 2007 13:58:43 Nico Golde wrote:
> > The bad news is, it looks like CVE-2007-3227 is only fixed properly
> > in rails-1.2.5:
> >
> > http://groups.google.com/group/rubyonrails-security/browse_thread/t
> >hread/225dcc61aaefad42
>
> Why do you think so?
I think so because DHH is a core Rails developer, and his post said that
1.2.5 closes a JSON XSS vulnerability, and that we should see
CVE-2007-3227 for more information on the problem.
See also:
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/034c7766ca4d5505
which states:
"The rails core team has released ruby on rails 1.2.5 to address a
potential XSS exploit with our json serialization. The CVE Identifier
for this problem is CVE-2007-3227"
In other words, I don't think rails-1.2.4 fully addressed the issue.
Ciao,
Sheldon.
--
Sheldon Hearn
IT Director
Clue Technologies (PTY) Ltd
Web: http://www.clue.co.za/
Mail: sheldonh@clue.co.za
Office: +27-21-913-8840
Mobile: +27-83-564-3276
Timezone: SAST (+0200)
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#429177; Package rails.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.
Message #60 received at 429177@bugs.debian.org:
Hi Sheldon,
* Sheldon Hearn <sheldonh@clue.co.za> [2007-10-22 14:22]:
> On Monday 22 October 2007 13:58:43 Nico Golde wrote:
> > > The bad news is, it looks like CVE-2007-3227 is only fixed properly
> > > in rails-1.2.5:
> > >
> > > http://groups.google.com/group/rubyonrails-security/browse_thread/t
> > >hread/225dcc61aaefad42
> >
> > Why do you think so?
>
> I think so because DHH is a core Rails developer, and his post said that
> 1.2.5 closes a JSON XSS vulnerability, and that we should see
> CVE-2007-3227 for more information on the problem.
[...]
> "The rails core team has released ruby on rails 1.2.5 to address a
> potential XSS exploit with our json serialization. The CVE Identifier
> for this problem is CVE-2007-3227"
>
> In other words, I don't think rails-1.2.4 fully addressed the issue.
Huh? Who said this? We have 1.2.4 but we ship an extra patch
which is not included in 1.2.4 to fix this so I don't see
the point.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#429177; Package rails.
Acknowledgement sent to Sheldon Hearn <sheldonh@clue.co.za>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.
Message #65 received at 429177@bugs.debian.org:
On Monday 22 October 2007 14:32:15 you wrote:
> Huh? Who said this? We have 1.2.4 but we ship an extra patch
> which is not included in 1.2.4 to fix this so I don't see
> the point.
I wasn't aware of the additional patch you included.
Thanks,
Sheldon.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#429177; Package rails.
Acknowledgement sent to Adam Majer <adamm@zombino.com>: Extra info received and forwarded to list.
Message #70 received at 429177@bugs.debian.org:
Sheldon Hearn wrote:
> The good news is, upstream seems to have taken disclosure complaints to
> heart, and is now posting security advisories to the
> rubyonrails-security Google Group:
>
> The bad news is, it looks like CVE-2007-3227 is only fixed properly in
> rails-1.2.5:
>
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/225dcc61aaefad42
Yes, I know. I've been trying to upload it for the last week but my GPG key
expired and Debian is *really slow* at updating it so I can upload
again. Blah.
I just made it available on my people.debian.org site.
http://people.debian.org/~adamm/packages/
We'll have to see how slow the Debian GPG key-update process actually is....
- Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>: Bug#429177; Package rails.
Acknowledgement sent to Micah Anderson <micah@riseup.net>: Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.
Message #75 received at 429177@bugs.debian.org:
Due to the security nature of this fix (resolves 3 CVEs), I am going to
upload this to the archive for you. I've changed the severity to high
and will upload the package immediately, please use severity 'high' on
all future security uploads.
In the future it's probably best, if there is a security issue in the
package, to ask someone in the debian testing team to sponsor your upload
if you cannot.
>> So that just leaves lenny, and it might be quicker just to wait the 10
>> days for it to be promoted from sid to lenny, than to do the work of
>> backporting the XSS fix to 1.2.3.
>Lenny doesn't matter right now as part of security. This is not a remote
>code execution hence foot-dragging on my part. It is only a XSS that is
>specific to usage of some code in rails. There are ways a web
>application can treat all input data and sanitize it without relying on
>rails/ruby to do it with magic functions.
Actually, Lenny *does* matter in terms of security, that is the whole
point of the testing security team.
Micah
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 13 Dec 2007 07:28:53 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:15:38 2019; Machine Name: buxtehude