rails: [CVE-2009-4214] Cross-site scripting (XSS) vulnerability in the strip_tags

Related Vulnerabilities: CVE-2009-4214   CVE-2008-7248   CVE-2009-3086  

Debian Bug report logs - #558685

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 29 Nov 2009 20:21:02 UTC

Severity: serious

Tags: security

Found in version rails/2.2.3-1

Fixed in version rails/2.2.3-2

Done: Adam Majer <adamm@zombino.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#558685; Package rails. (Sun, 29 Nov 2009 20:21:05 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Adam Majer <adamm@zombino.com>. (Sun, 29 Nov 2009 20:21:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: rails: multiple vulnerabilities
Date: Sun, 29 Nov 2009 15:19:10 -0500
package: rails
version: 2.2.3-1
severity: serious
tags: security

hi,

two security vulnerabilities have been disclosed for rails:

  1. xss (http://www.openwall.com/lists/oss-security/2009/11/27/2)
     - note claimed fixed in version 2.3.5; please check.

  2. cross-site request forgery (http://www.openwall.com/lists/oss-security/2009/11/28/1)
     - note claimed fixed in version 2.2.2, which is already in sid, but
       please check to confirm this is true.

etch/lenny are likely affected, but i haven't personally checked.  please
determine whether this is true.  if they are affected, these issues seem
severe enough to issue a DSA, so please work with the security team on
that.

thanks,
mike




Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#558685; Package rails. (Thu, 24 Dec 2009 12:00:03 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Thu, 24 Dec 2009 12:00:03 GMT)

Message #10 received at 558685@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 558685@bugs.debian.org
Subject: some more information and patch on rails issues
Date: Thu, 24 Dec 2009 12:56:39 +0100
Hi Adam

These issues have been assigned CVE ids, see below:

CVE-2009-4214[0]:
| Cross-site scripting (XSS) vulnerability in the strip_tags function in
| Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
| attackers to inject arbitrary web script or HTML via vectors involving
| non-printing ASCII characters, related to HTML::Tokenizer and
| actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

CVE-2008-7248[1]:
| Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
| tokens for requests with certain content types, which allows remote
| attackers to bypass cross-site request forgery (CSRF) protection for
| requests to applications that rely on this protection, as demonstrated
| using text/plain.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

CVE-2008-7248 does not seem to affect lenny since it does not include 'text' in 
the @@unverifiable_types. The upstream patch for this issue is here[2] and 
needs to be included in the sid version.

CVE-2009-4214 affects lenny as well and the upstream patch is here[3], please 
have a deeper look at that change, because I didn't. :)

I guess due to CVE-2009-4214 we could fix this via a DSA. When you prepare the 
updated packages for lenny, please also include a fix for CVE-2009-3086[4].

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
    http://security-tracker.debian.org/tracker/CVE-2009-4214
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248
    http://security-tracker.debian.org/tracker/CVE-2008-7248
[2] http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
[3] http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
[4] http://security-tracker.debian.org/tracker/CVE-2009-3086

Cheers
Steffen
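The CVE-2009-4214 description quoted above, and the changelog entry later in this log ("Make sure strip_tags removes tags which start with a non-printable character"), describe a sanitizer that lets a tag through when its name is preceded by a non-printing ASCII byte. The Ruby below is an added illustration of that defect class and is neither Rails' HTML::Tokenizer nor the upstream patch: a deliberately simplified stripper beside a hardened variant that drops non-printing bytes before tokenising and escapes any angle brackets left over, plus a small regression check a packager can run against a patched strip_tags. The function names, the regexes and the sample input are all constructed for this example.

```ruby
# Added example, not Rails code: a simplified stand-in for strip_tags that
# shows the CVE-2009-4214 defect class next to a hardened variant.

# Non-printing ASCII: C0 controls except \t, \n and \r, plus DEL.
NON_PRINTING = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# A tag as the simplified stripper recognises it: '<', an optional '/',
# a letter, then anything up to the closing '>'.
TAG = %r{</?[A-Za-z][^>]*>}

# Simplified stripper carrying the defect: a tag whose name is preceded
# by a non-printing byte does not match TAG, so it is passed through
# untouched while the surrounding text is treated as clean.
def naive_strip_tags(html)
  html.gsub(TAG, '')
end

# Hardened variant: remove non-printing bytes first so they cannot hide a
# tag name from the tokenizer, strip tags, then escape whatever angle
# brackets remain instead of trusting that they are harmless text.
def hardened_strip_tags(html)
  cleaned  = html.gsub(NON_PRINTING, '')
  stripped = cleaned.gsub(TAG, '')
  stripped.gsub('<', '&lt;').gsub('>', '&gt;')
end

# Regression check for a patched strip_tags: true if any '<...>' survived
# in the sanitizer's output.
def leaves_markup?(output)
  !(output =~ /<[^>]*>/).nil?
end

if __FILE__ == $0
  # Constructed sample: an opening tag hidden behind a \x01 byte.
  sample = "<\x01b>bold</b> text"
  puts "naive:    #{naive_strip_tags(sample).inspect}"
  puts "hardened: #{hardened_strip_tags(sample).inspect}"
  puts "markup left by naive stripper? #{leaves_markup?(naive_strip_tags(sample))}"
end
```

Running the block prints the naive output still carrying the hidden tag and the hardened output reduced to plain text. The escaping step is the important design choice: even if a future tokenizer bug lets a tag slip past, the output no longer contains raw angle brackets for a browser to interpret.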

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#558685; Package rails. (Sat, 30 Jan 2010 17:51:02 GMT)

Acknowledgement sent to Ryan Niebur <ryan@debian.org>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Sat, 30 Jan 2010 17:51:02 GMT)

Message #15 received at 558685@bugs.debian.org:

From: Ryan Niebur <ryan@debian.org>
To: 564142@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, 558685@bugs.debian.org
Subject: Re: Bug#564142: RM: rails/2.2.3-1
Date: Sat, 30 Jan 2010 09:47:30 -0800
On Fri, Jan 08, 2010 at 12:13:36AM +0100, Moritz Muehlenhoff wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: rm
> 
> Please remove rails. It has open security issues, which haven't been
> acknowledged for six weeks.
> 

I'll work on NMUs to fix this.

-- 
_________________________
Ryan Niebur
ryanryan52@gmail.com

Information forwarded to debian-bugs-dist@lists.debian.org, Adam Majer <adamm@zombino.com>:
Bug#558685; Package rails. (Sat, 30 Jan 2010 19:42:04 GMT)

Acknowledgement sent to Micah Anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Adam Majer <adamm@zombino.com>. (Sat, 30 Jan 2010 19:42:04 GMT)

Message #20 received at 558685@bugs.debian.org:

From: Micah Anderson <micah@riseup.net>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 558685@bugs.debian.org
Subject: Re: Bug#558685: some more information and patch on rails issues
Date: Sat, 30 Jan 2010 14:40:46 -0500
* Steffen Joeris <steffen.joeris@skolelinux.de> [2010-01-30 17:13-0500]:
> Hi Adam
> 
> These issues have been assigned CVE ids, see below:
> 
> CVE-2009-4214[0]:
> | Cross-site scripting (XSS) vulnerability in the strip_tags function in
> | Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
> | attackers to inject arbitrary web script or HTML via vectors involving
> | non-printing ASCII characters, related to HTML::Tokenizer and
> | actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
> 
> CVE-2008-7248[1]:
> | Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
> | tokens for requests with certain content types, which allows remote
> | attackers to bypass cross-site request forgery (CSRF) protection for
> | requests to applications that rely on this protection, as demonstrated
> | using text/plain.
> 
> CVE-2008-7248 does not seem to affect lenny since it does not include 'text' in 
> the @@unverifiable_types. The upstream patch for this issue is here[2] and 
> needs to be included in the sid version.

I can confirm that the lenny version does not include 'text' in the
@@unverifiable_types in the mime_type.rb.

I also can confirm that the sid/squeeze version contains 'text', and
thus they are affected and need updating.

> CVE-2009-4214 affects lenny as well and the upstream patch is here[3], please 
> have a deeper look at that change, because I didn't. :)

I can confirm that this one affects lenny.

It also affects the sid/squeeze version, so this will need to be updated
as well.

> I guess due to CVE-2009-4214 we could fix this via a DSA. When you prepare the 
> updated packages for lenny, please also include a fix for CVE-2009-3086[4].

Sounds like a DSA for Lenny which hits both CVEs, as well as an upload
to sid, with urgency=high, seems to be the name of the game here.

micah

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#558685; Package rails. (Sat, 30 Jan 2010 21:30:07 GMT)

Acknowledgement sent to Adam Majer <adamm@zombino.com>:
Extra info received and forwarded to list. (Sat, 30 Jan 2010 21:30:07 GMT)

Message #25 received at 558685@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: Ryan Niebur <ryan@debian.org>, 558685@bugs.debian.org
Subject: Re: Bug#558685: Bug#564142: RM: rails/2.2.3-1
Date: Sat, 30 Jan 2010 14:56:20 -0600
On Sat, Jan 30, 2010 at 09:47:30AM -0800, Ryan Niebur wrote:
> On Fri, Jan 08, 2010 at 12:13:36AM +0100, Moritz Muehlenhoff wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: rm
> > 
> > Please remove rails. It has open security issues, which haven't been
> > acknowledged for six weeks.
> > 
> 
> I'll work on NMUs to fix this.

Well, it's just a very simple fix for Sid. I kind of overlooked and
forgot about this for some time. If you haven't done anything, I
can upload the sid fix now.

- Adam




Reply sent to Adam Majer <adamm@zombino.com>:
You have taken responsibility. (Sat, 30 Jan 2010 22:51:14 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 30 Jan 2010 22:51:14 GMT)

Message #30 received at 558685-close@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: 558685-close@bugs.debian.org
Subject: Bug#558685: fixed in rails 2.2.3-2
Date: Sat, 30 Jan 2010 22:48:03 +0000
Source: rails
Source-Version: 2.2.3-2

We believe that the bug you reported is fixed in the latest version of
rails, which is due to be installed in the Debian FTP archive:

rails_2.2.3-2.diff.gz
  to main/r/rails/rails_2.2.3-2.diff.gz
rails_2.2.3-2.dsc
  to main/r/rails/rails_2.2.3-2.dsc
rails_2.2.3-2_all.deb
  to main/r/rails/rails_2.2.3-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 558685@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Majer <adamm@zombino.com> (supplier of updated rails package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 30 Jan 2010 15:43:08 -0600
Source: rails
Binary: rails
Architecture: source all
Version: 2.2.3-2
Distribution: unstable
Urgency: high
Maintainer: Adam Majer <adamm@zombino.com>
Changed-By: Adam Majer <adamm@zombino.com>
Description: 
 rails      - MVC ruby based framework geared for web application development
Closes: 558685
Changes: 
 rails (2.2.3-2) unstable; urgency=high
 .
   * Make sure strip_tags removes tags which start with a non-printable
     character. (closes: #558685) [CVE-2009-4214]
   * Merge in a few additional encoding changes.
Checksums-Sha1: 
 e8ce4d2bf949ca98bc241c03cafb7df80612a53e 1253 rails_2.2.3-2.dsc
 483620fbdf804d74f72ba3f25a7397590006bcd2 15141 rails_2.2.3-2.diff.gz
 363891c36b570d35ec1f109a5870e1df62cc4351 3434778 rails_2.2.3-2_all.deb
Checksums-Sha256: 
 b6f9bce4d5f7dc69f4bbf250b0d5d12c7a616c656904bcccd189b72ecc1b9963 1253 rails_2.2.3-2.dsc
 b067ee68c358b96b11f298bfa9adbbea9eb53ca3270f5b0a2610c7993efa361c 15141 rails_2.2.3-2.diff.gz
 eaa7a47ede44975e409637f68d785148f9b12c9dccb3bf3be4d455c250323231 3434778 rails_2.2.3-2_all.deb
Files: 
 009ba0a09196e9e5b47db683cc11887c 1253 ruby optional rails_2.2.3-2.dsc
 d9fa90d78db3b4907d7b6c285117378a 15141 ruby optional rails_2.2.3-2.diff.gz
 0a49ba2c98416af5a02558c8d549d9ed 3434778 ruby optional rails_2.2.3-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktksZwACgkQ73/bNdaAYUXk6QCguASjQssjeWmXykKso+W82GHt
u1MAoLd97q4p+YtseYVW/dlaKRF0SUQG
=CPve
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#558685; Package rails. (Sat, 30 Jan 2010 23:51:02 GMT)

Acknowledgement sent to Adam Majer <adamm@zombino.com>:
Extra info received and forwarded to list. (Sat, 30 Jan 2010 23:51:03 GMT)

Message #35 received at 558685@bugs.debian.org:

From: Adam Majer <adamm@zombino.com>
To: 558685@bugs.debian.org
Subject: Re: Bug#558685: Bug#564142: RM: rails/2.2.3-1
Date: Sat, 30 Jan 2010 17:50:18 -0600
retitle 558685 rails: [CVE-2009-4214] Cross-site scripting (XSS) vulnerability in the strip_tags
thanks

Only CVE-2009-4214 is applicable.

CVE-2008-7248 was fixed in 2.1.0-6. Sid is not affected by this.



- Adam




Changed Bug title to 'rails: [CVE-2009-4214] Cross-site scripting (XSS) vulnerability in the strip_tags' from 'rails: multiple vulnerabilities'. Request was from Adam Majer <adamm@zombino.com> to control@bugs.debian.org. (Sat, 30 Jan 2010 23:51:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Feb 2010 07:46:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:16:51 2019; Machine Name: buxtehude
