[CVE-2007-3227] XSS vulnerability in to_json

Related Vulnerabilities: CVE-2007-3227  

Debian Bug report logs - #429177


Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Sat, 16 Jun 2007 08:06:01 UTC

Severity: grave

Tags: security, upstream

Found in version rails/1.2.3-2

Fixed in version rails/1.2.4-1

Done: Adam Majer <adamm@zombino.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#429177; Package rails.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Adam Majer <adamm@zombino.com>.


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: [CVE-2007-3227] XSS vulnerability in to_json
Date: Sat, 16 Jun 2007 10:04:30 +0200
Package: rails
Version: 1.2.3-2
Severity: grave
Tags: security upstream

An XSS vulnerability in code that uses to_json has been disclosed:

  <http://dev.rubyonrails.org/ticket/8371>

Please mention the name CVE-2007-3227 in the changelog when fixing
this bug.  Do you think that an upgrade for the stable distribution is
necessary?



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#429177; Package rails.


Acknowledgement sent to Adam Majer <adamm@zombino.com>:
Extra info received and forwarded to list.


Message #10 received at 429177@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: Florian Weimer <fw@deneb.enyo.de>, 429177@bugs.debian.org
Subject: Re: Bug#429177: [CVE-2007-3227] XSS vulnerability in to_json
Date: Thu, 21 Jun 2007 00:02:21 -0500
Florian Weimer wrote:
> Package: rails
> Version: 1.2.3-2
> Severity: grave
> Tags: security upstream
> 
> An XSS vulnerability in code that uses to_json has been disclosed:
> 
>   <http://dev.rubyonrails.org/ticket/8371>
> 
> Please mention the name CVE-2007-3227 in the changelog when fixing
> this bug.  Do you think that an upgrade for the stable distribution is
> necessary?


I will take a look at it this weekend. Stable may need to be updated as 
well.

Since this is an XSS problem, I don't think it needs a grave severity. 
But then some will argue otherwise. Also, nothing on the "Ruby on Rails 
security announcement list"... hmmmm....

- Adam




Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#429177; Package rails.


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.


Message #15 received at 429177@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Adam Majer <adamm@zombino.com>
Cc: Florian Weimer <fw@deneb.enyo.de>, 429177@bugs.debian.org
Subject: Re: Bug#429177: [CVE-2007-3227] XSS vulnerability in to_json
Date: Thu, 28 Jun 2007 23:46:38 +0200
Adam Majer wrote:
> Florian Weimer wrote:
> >Package: rails
> >Version: 1.2.3-2
> >Severity: grave
> >Tags: security upstream
> >
> >An XSS vulnerability in code that uses to_json has been disclosed:
> >
> >  <http://dev.rubyonrails.org/ticket/8371>
> >
> >Please mention the name CVE-2007-3227 in the changelog when fixing
> >this bug.  Do you think that an upgrade for the stable distribution is
> >necessary?
> 
> I will take a look at it this weekend. Stable may need to be updated as 
> well.
> 
> Since this is an XSS problem, I don't think it needs a grave severity. 
> But then some will argue otherwise. Also, nothing on the "Ruby on Rails 
> security announcement list"... hmmmm....

(Note, I don't know Ruby on Rails). Does the affected function claim to sanitise
potentially harmful characters? If not, sanitising still needs to be done inside
the application using RoR and this is mostly a security-related wishlist
bug, but not an immediate vulnerability.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#429177; Package rails.


Acknowledgement sent to Adam Majer <adamm@zombino.com>:
Extra info received and forwarded to list.


Message #20 received at 429177@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, 429177@bugs.debian.org
Subject: Re: Bug#429177: [CVE-2007-3227] XSS vulnerability in to_json
Date: Thu, 28 Jun 2007 21:49:23 -0500
Moritz Muehlenhoff wrote:
> Adam Majer wrote:
>> Since this is an XSS problem, I don't think it needs a grave severity. 
>> But then some will argue otherwise. Also, nothing on the "Ruby on Rails 
>> security announcement list"... hmmmm....
> 
> (Note, I don't know Ruby on Rails). Does the affected function claim to sanitise
> potentially harmful characters? If not, sanitising still needs to be done inside
> the application using RoR and this is mostly a security-related wishlist
> bug, but not an immediate vulnerability.

The fix is going to have to be backported to stable and also to sid as 
the current trunk (where patch is) doesn't even contain the same files 
anymore.

JSON is JavaScript Object Notation (json.org). It is supposed to be 
used as a data interchange format. Data is to be passed to a web 
application's JavaScript (or something like that - I have not used 
JSON). Anyway, the problem is that the encoding function does NOT encode 
stuff like < or >. If these are not escaped when passed in "encoded" 
JSON, well, you get the XSS problem.

The changesets that fix the problem are at:

  http://dev.rubyonrails.org/changeset/6893
  http://dev.rubyonrails.org/changeset/6894

This is not a problem to backport back to unstable and Etch though.

- Adam

PS. The "security announcement group" for rails seems to be dead. Or 
maybe they view XSS as not really security related?

http://groups.google.com/group/rubyonrails-security
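The mechanism Adam describes above (and the question Moritz raised earlier about whether the encoder claims to sanitise) is easiest to see with a concrete encoder. The following Ruby is an illustration added by the editor; it is not code from the bug report, from the Debian package, or from the upstream changesets 6893/6894. It pairs a minimal JSON string encoder that, like the 1.2.3-era to_json, leaves `<`, `>` and `&` untouched with a hardened variant that emits `\u003C`, `\u003E` and `\u0026` in the manner of the upstream fix, then inlines each result into a `<script>` block, the usage pattern that turns the missing escape into XSS. The `render_page` helper, the `script_breakout?` check and the attacker-controlled payload are constructed for the demonstration.

```ruby
# Added illustration (editor's code, not Rails or Debian code): why a JSON
# encoder that passes '<' and '>' through is an XSS problem when the output
# is inlined into HTML, and what the \uXXXX escaping of the fix changes.

# Escapes every JSON string encoder must perform (constructed to mirror
# the JSON grammar; this is not the Rails implementation).
BASE_ESCAPES = {
  '"'  => '\\"',
  '\\' => '\\\\',
  "\n" => '\\n',
  "\r" => '\\r',
  "\t" => '\\t',
}.freeze

# Additional escapes in the style of the upstream fix: '<', '>' and '&'
# become Unicode escapes, so the encoded string can never close a <script>
# element or open a tag, while remaining byte-for-byte valid JSON.
HTML_SAFE_ESCAPES = BASE_ESCAPES.merge(
  '<' => '\\u003C',
  '>' => '\\u003E',
  '&' => '\\u0026',
).freeze

# Encodes one Ruby string as a JSON string literal using the given table.
def encode_json_string(str, escapes)
  pattern = Regexp.union(escapes.keys)
  '"' + str.gsub(pattern) { |ch| escapes[ch] } + '"'
end

# 1.2.3-style behaviour (vulnerable): HTML metacharacters pass through.
def vulnerable_to_json(str)
  encode_json_string(str, BASE_ESCAPES)
end

# Fixed behaviour: HTML metacharacters are \u-escaped.
def safe_to_json(str)
  encode_json_string(str, HTML_SAFE_ESCAPES)
end

# Hypothetical view that inlines a JSON document into a script block.
def render_page(json)
  "<script>var data = #{json};</script>"
end

# True when the rendered page contains more than the one intended
# </script>, i.e. the value broke out of the script context.
def script_breakout?(html)
  html.scan(%r{</script>}i).size > 1
end

# Constructed attacker-controlled value (think: a user-chosen display name).
PAYLOAD = "x</script><script>alert(1)</script>"

if __FILE__ == $0
  { vulnerable: vulnerable_to_json(PAYLOAD),
    safe:       safe_to_json(PAYLOAD) }.each do |label, json|
    puts "#{label}: #{json}"
    puts "  breakout from <script>? #{script_breakout?(render_page(json))}"
  end
end
```

The point of the check is that both encoders produce valid JSON, so a JavaScript consumer parses both identically; only the HTML parser, which runs first and does not understand JSON string boundaries, sees the difference. That is also the answer to the "does the function claim to sanitise?" question: the encoder is not an HTML sanitiser, but an encoder whose output is routinely pasted into HTML has to be safe in that context, which is what the \uXXXX escaping delivers.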



Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#429177; Package rails.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.


Message #25 received at 429177@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 429177@bugs.debian.org
Subject: backporting progress
Date: Sun, 7 Oct 2007 01:47:09 +1000
Hi

I was just wondering, what the progress of the backporting effort is.
Does it work for you to backport the changes and upload a new package version 
to unstable?
Thanks in advance for your efforts.

Cheers
Steffen

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#429177; Package rails.


Acknowledgement sent to Sheldon Hearn <sheldonh@clue.co.za>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.


Message #30 received at 429177@bugs.debian.org:

From: Sheldon Hearn <sheldonh@clue.co.za>
To: 429177@bugs.debian.org
Subject: rails-1.2.4 released
Date: Tue, 9 Oct 2007 09:52:26 +0200
It's possible that no backporting is required for sid, because 
rails-1.2.4 has been released:

http://weblog.rubyonrails.com/2007/10/5/rails-1-2-4-maintenance-release

So that would leave etch the only target, and I'm not even sure if 
rails-1.1.6 had json support.

So that just leaves lenny, and it might be quicker just to wait the 10 
days for it to be promoted from sid to lenny, than to do the work of 
backporting the XSS fix to 1.2.3.

Ciao,
Sheldon.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#429177; Package rails.


Acknowledgement sent to Adam Majer <adamm@zombino.com>:
Extra info received and forwarded to list.


Message #35 received at 429177@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: Sheldon Hearn <sheldonh@clue.co.za>, 429177@bugs.debian.org
Subject: Re: Bug#429177: rails-1.2.4 released
Date: Tue, 09 Oct 2007 12:51:33 -0500
Sheldon Hearn wrote:
> It's possible that no backporting is required for sid, because 
> rails-1.2.4 has been released:
> 
> http://weblog.rubyonrails.com/2007/10/5/rails-1-2-4-maintenance-release

Ha, just as I took the time yesterday to complete the backport to Sid :)

> So that would leave etch the only target, and I'm not even sure if 
> rails-1.1.6 had json support.

It does. But there is another issue that is XSS problematic.

http://dev.rubyonrails.org/ticket/8877

Without this patch, it is possible to inject code under some 
circumstances. The patch is giant and difficult to get into Sid. The 
to_json patch is very simple in comparison.

To further complicate the problem, upstream is not really 
security-centered. They established a security mailing list to inform 
people about patches, but no posts even though there is a problem of 
to_json and the above XSS. There was also a DoS attack possible (send 
badly formatted XML and rails uses all CPU time) but that was caused on 
the Ruby library side.

> So that just leaves lenny, and it might be quicker just to wait the 10 
> days for it to be promoted from sid to lenny, than to do the work of 
> backporting the XSS fix to 1.2.3.

Lenny doesn't matter right now as part of security. This is not a remote 
code execution, hence foot-dragging on my part. It is only an XSS that is 
specific to usage of some code in rails. There are ways a web 
application can treat all input data and sanitize it without relying on 
rails/ruby to do it with magic functions.

I'll upload 1.2.4 into Sid later today.

- Adam





Reply sent to Adam Majer <adamm@zombino.com>:
You have taken responsibility.


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.


Message #40 received at 429177-close@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: 429177-close@bugs.debian.org
Subject: Bug#429177: fixed in rails 1.2.4-1
Date: Tue, 09 Oct 2007 18:32:03 +0000
Source: rails
Source-Version: 1.2.4-1

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:

rails_1.2.4-1.diff.gz
  to pool/main/r/rails/rails_1.2.4-1.diff.gz
rails_1.2.4-1.dsc
  to pool/main/r/rails/rails_1.2.4-1.dsc
rails_1.2.4-1_all.deb
  to pool/main/r/rails/rails_1.2.4-1_all.deb
rails_1.2.4.orig.tar.gz
  to pool/main/r/rails/rails_1.2.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 429177@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Majer <adamm@zombino.com> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 08 Oct 2007 11:27:25 -0500
Source: rails
Binary: rails
Architecture: source all
Version: 1.2.4-1
Distribution: unstable
Urgency: low
Maintainer: Adam Majer <adamm@zombino.com>
Changed-By: Adam Majer <adamm@zombino.com>
Description: 
 rails      - MVC ruby based framework geared for web application development
Closes: 429177
Changes: 
 rails (1.2.4-1) unstable; urgency=low
 .
   * New upstream release. Fixes at least 2 XSS bugs.
     + Secure #sanitize, #strip_tags, and #strip_links helpers against
     xss attacks. Upstream changeset 7589
     + to_json did not escape values, which allows for XSS. Applied
     upstream changesets 6893, 6894. This bug has also been assigned
     designation CVE-2007-3227 (closes: #429177)
   * Add dependency on Sqlite3 as ActiveRecord supports this DB as
     well
   * Add dependency on libmocha which is needed by some unit tests
Files: 
 b73923f4639c2afd4909ba140b77ce97 607 web optional rails_1.2.4-1.dsc
 f252dac383d3d8a8bcab0f2f81ad2fa0 1596239 web optional rails_1.2.4.orig.tar.gz
 7b5d62cd3c359ad2570f223729b3a3ae 27130 web optional rails_1.2.4-1.diff.gz
 4ba82161b80044ded100516688fd6efc 2283342 web optional rails_1.2.4-1_all.deb






Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#429177; Package rails.


Acknowledgement sent to Sheldon Hearn <sheldonh@clue.co.za>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.


Message #45 received at 429177@bugs.debian.org:

From: Sheldon Hearn <sheldonh@clue.co.za>
To: 429177@bugs.debian.org
Subject: CVE-2007-3227 only fixed in 1.2.5
Date: Mon, 22 Oct 2007 12:04:15 +0200
The good news is, upstream seems to have taken disclosure complaints to 
heart, and is now posting security advisories to the 
rubyonrails-security Google Group:

The bad news is, it looks like CVE-2007-3227 is only fixed properly in 
rails-1.2.5:
 
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/225dcc61aaefad42

Ciao,
Sheldon.

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#429177; Package rails.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.


Message #50 received at 429177@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Sheldon Hearn <sheldonh@clue.co.za>, 429177@bugs.debian.org
Subject: Re: Bug#429177: CVE-2007-3227 only fixed in 1.2.5
Date: Mon, 22 Oct 2007 13:58:43 +0200
Hi Sheldon,
* Sheldon Hearn <sheldonh@clue.co.za> [2007-10-22 12:14]:
> The good news is, upstream seems to have taken disclosure complaints to 
> heart, and is now posting security advisories to the 
> rubyonrails-security Google Group:
> 
> The bad news is, it looks like CVE-2007-3227 is only fixed properly in 
> rails-1.2.5:
>  
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/225dcc61aaefad42

Why do you think so? The post does not say more than that it is 
recommended to install 1.2.5 because of CVE-2007-3227, but the 
1.2.4 rails package in Debian includes debian/patches/changeset_r6893, 
which was the upstream changeset fixing this:
http://dev.rubyonrails.org/changeset/6893

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#429177; Package rails.


Acknowledgement sent to Sheldon Hearn <sheldonh@clue.co.za>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.


Message #55 received at 429177@bugs.debian.org:

From: Sheldon Hearn <sheldonh@clue.co.za>
To: 429177@bugs.debian.org
Subject: Re: Bug#429177: CVE-2007-3227 only fixed in 1.2.5
Date: Mon, 22 Oct 2007 14:17:37 +0200
On Monday 22 October 2007 13:58:43 Nico Golde wrote:
> > The bad news is, it looks like CVE-2007-3227 is only fixed properly
> > in rails-1.2.5:
> >
> > http://groups.google.com/group/rubyonrails-security/browse_thread/t
> >hread/225dcc61aaefad42
>
> Why do you think so?

I think so because DHH is a core Rails developer, and his post said that 
1.2.5 closes a JSON XSS vulnerability, and that we should see 
CVE-2007-3227 for more information on the problem.

See also:

http://groups.google.com/group/rubyonrails-security/browse_thread/thread/034c7766ca4d5505

which states:

"The rails core team has released ruby on rails 1.2.5 to address a 
 potential XSS exploit with our json serialization. The CVE Identifier 
 for this problem is CVE-2007-3227"

In other words, I don't think rails-1.2.4 fully addressed the issue.

Ciao,
Sheldon.
-- 
Sheldon Hearn
IT Director
Clue Technologies (PTY) Ltd

Web:		http://www.clue.co.za/
Mail:		sheldonh@clue.co.za
Office:		+27-21-913-8840
Mobile:		+27-83-564-3276
Timezone:	SAST (+0200)

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#429177; Package rails.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.


Message #60 received at 429177@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Sheldon Hearn <sheldonh@clue.co.za>, 429177@bugs.debian.org
Subject: Re: Bug#429177: CVE-2007-3227 only fixed in 1.2.5
Date: Mon, 22 Oct 2007 14:32:15 +0200
Hi Sheldon,
* Sheldon Hearn <sheldonh@clue.co.za> [2007-10-22 14:22]:
> On Monday 22 October 2007 13:58:43 Nico Golde wrote:
> > > The bad news is, it looks like CVE-2007-3227 is only fixed properly
> > > in rails-1.2.5:
> > >
> > > http://groups.google.com/group/rubyonrails-security/browse_thread/t
> > >hread/225dcc61aaefad42
> >
> > Why do you think so?
> 
> I think so because DHH is a core Rails developer, and his post said that 
> 1.2.5 closes a JSON XSS vulnerability, and that we should see 
> CVE-2007-3227 for more information on the problem.
[...] 
> "The rails core team has released ruby on rails 1.2.5 to address a 
>  potential XSS exploit with our json serialization. The CVE Identifier 
>  for this problem is CVE-2007-3227"
> 
> In other words, I don't think rails-1.2.4 fully addressed the issue.

Huh? Who said this? We have 1.2.4 but we ship an extra patch 
which is not included in 1.2.4 to fix this so I don't see 
the point.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#429177; Package rails.


Acknowledgement sent to Sheldon Hearn <sheldonh@clue.co.za>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.


Message #65 received at 429177@bugs.debian.org:

From: Sheldon Hearn <sheldonh@clue.co.za>
To: 429177@bugs.debian.org
Subject: Re: Bug#429177: CVE-2007-3227 only fixed in 1.2.5
Date: Mon, 22 Oct 2007 14:38:38 +0200
On Monday 22 October 2007 14:32:15 you wrote:
> Huh? Who said this? We have 1.2.4 but we ship an extra patch
> which is not included in 1.2.4 to fix this so I don't see
> the point.

I wasn't aware of the additional patch you included.

Thanks,
Sheldon.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#429177; Package rails.


Acknowledgement sent to Adam Majer <adamm@zombino.com>:
Extra info received and forwarded to list.


Message #70 received at 429177@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: Sheldon Hearn <sheldonh@clue.co.za>, 429177@bugs.debian.org
Subject: Re: Bug#429177: CVE-2007-3227 only fixed in 1.2.5
Date: Mon, 22 Oct 2007 11:44:01 -0500
Sheldon Hearn wrote:
> The good news is, upstream seems to have taken disclosure complaints to 
> heart, and is now posting security advisories to the 
> rubyonrails-security Google Group:
> 
> The bad news is, it looks like CVE-2007-3227 is only fixed properly in 
> rails-1.2.5:
>  
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/225dcc61aaefad42

Yes, I know. I've been trying to upload it for last week but my GPG key
expired and Debian is *really slow* at updating it so I can upload
again. Blah.

I just made it available on my people.debian.org site.

http://people.debian.org/~adamm/packages/

We'll have to see how slow the Debian GPG key-update process actually is....

- Adam




Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#429177; Package rails.


Acknowledgement sent to Micah Anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>.


Message #75 received at 429177@bugs.debian.org:

From: Micah Anderson <micah@riseup.net>
To: 429177@bugs.debian.org
Subject: I will upload this for you
Date: Wed, 14 Nov 2007 19:09:27 -0500
Due to the security nature of this fix (resolves 3 CVEs), I am going to
upload this to the archive for you. I've changed the severity to high
and will upload the package immediately, please use severity 'high' on
all future security uploads.

In the future it's probably best, if there is a security issue in the
package, to ask someone in the debian testing team to sponsor your upload
if you cannot.

>> So that just leaves lenny, and it might be quicker just to wait the 10 
>> days for it to be promoted from sid to lenny, than to do the work of 
>> backporting the XSS fix to 1.2.3.

>Lenny doesn't matter right now as part of security. This is not a remote 
>code execution, hence foot-dragging on my part. It is only an XSS that is 
>specific to usage of some code in rails. There are ways a web 
>application can treat all input data and sanitize it without relying on 
>rails/ruby to do it with magic functions.

Actually, Lenny *does* matter in terms of security, that is the whole
point of the testing security team. 

Micah


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 13 Dec 2007 07:28:53 GMT)

