CVE-2012-1098: Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x [check if applies to RoR 2.3]

Related Vulnerabilities: CVE-2012-1098   CVE-2012-1099  

Debian Bug report logs - #668977

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Fri, 13 Apr 2012 12:36:13 UTC

Severity: important

Tags: security

Done: Christian Hofstaedtler <zeha@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#668607; Package rails. (Fri, 13 Apr 2012 12:36:16 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 13 Apr 2012 12:36:25 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-1098 / CVE-2012-1099
Date: Fri, 13 Apr 2012 14:24:38 +0200
Package: rails
Severity: grave
Tags: security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#668607; Package rails. (Fri, 13 Apr 2012 13:57:07 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 13 Apr 2012 13:57:08 GMT)


Message #10 received at 668607@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 668607@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#668607: CVE-2012-1098 / CVE-2012-1099
Date: Fri, 13 Apr 2012 15:55:10 +0200
Hi Moritz,

thanks for the reminder.

On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
<muehlenhoff@univention.de> wrote:
> Package: rails
> Severity: grave
> Tags: security
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1

The vulnerable code isn't present in rails-2.3 (which doesn't mean
that rails 2.3 is not vulnerable, just that we cannot fix that).

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664

I have adapted the upstream patch to rails-2.3; the code seems to be
reasonably similar to 3.x.

$ diffstat rails_2.3.5-1.2+squeeze3.debdiff
 changelog                   |    8 +++++++
 patches/CVE-2012-1099.patch |   46 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1
 3 files changed, 55 insertions(+)

debdiff, dsc and debian.tar.gz attached

Ondrej
-- 
Ondřej Surý <ondrej@sury.org>
[rails_2.3.5-1.2+squeeze3.debdiff (application/octet-stream, attachment)]
[rails_2.3.5-1.2+squeeze3.debian.tar.gz (application/x-gzip, attachment)]
[rails_2.3.5-1.2+squeeze3.dsc (application/octet-stream, attachment)]

Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Fri, 13 Apr 2012 14:54:44 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Fri, 13 Apr 2012 14:54:47 GMT)


Message #15 received at 668607-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 668607-close@bugs.debian.org
Subject: Bug#668607: fixed in ruby-actionpack-2.3 2.3.14-3
Date: Fri, 13 Apr 2012 14:51:47 +0000
Source: ruby-actionpack-2.3
Source-Version: 2.3.14-3

We believe that the bug you reported is fixed in the latest version of
ruby-actionpack-2.3, which is due to be installed in the Debian FTP archive:

ruby-actionpack-2.3_2.3.14-3.debian.tar.gz
  to main/r/ruby-actionpack-2.3/ruby-actionpack-2.3_2.3.14-3.debian.tar.gz
ruby-actionpack-2.3_2.3.14-3.dsc
  to main/r/ruby-actionpack-2.3/ruby-actionpack-2.3_2.3.14-3.dsc
ruby-actionpack-2.3_2.3.14-3_all.deb
  to main/r/ruby-actionpack-2.3/ruby-actionpack-2.3_2.3.14-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 668607@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated ruby-actionpack-2.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 13 Apr 2012 15:39:31 +0200
Source: ruby-actionpack-2.3
Binary: ruby-actionpack-2.3
Architecture: source all
Version: 2.3.14-3
Distribution: unstable
Urgency: low
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 ruby-actionpack-2.3 - Controller and View framework used by Rails
Closes: 668607
Changes: 
 ruby-actionpack-2.3 (2.3.14-3) unstable; urgency=low
 .
   * Fix vulnerability for users that generate their own options tags for
     use with the select helper in Ruby On Rails [CVE-2012-1099]
     (Closes: #668607)
Checksums-Sha1: 
 60fba8512b3cb5c6fc890aee5504825fc8aa6224 1674 ruby-actionpack-2.3_2.3.14-3.dsc
 02ef53c4369a84e7d8f0fded2921208623b4c00a 10618 ruby-actionpack-2.3_2.3.14-3.debian.tar.gz
 ffa2be2ed35e4c1339c3d6e79bf4a33ce21ee4cb 367178 ruby-actionpack-2.3_2.3.14-3_all.deb
Checksums-Sha256: 
 d78549402dfc8398d53a972c8217a327d12b840baff9d5d579a824f51164f5f7 1674 ruby-actionpack-2.3_2.3.14-3.dsc
 5cc5a4371905fa9faa448e2f158dde2a28dfb81351180d737d1fe732ed9e05ee 10618 ruby-actionpack-2.3_2.3.14-3.debian.tar.gz
 c1c5dd1f13d8082ac3d69db62780aeb80b33cb2456cd29cde684e5d70bca18ae 367178 ruby-actionpack-2.3_2.3.14-3_all.deb
Files: 
 ff7fb7c89e3ac8d4e253c36103ed6196 1674 ruby optional ruby-actionpack-2.3_2.3.14-3.dsc
 4bddf2c94ac9475eee1a838cabce6921 10618 ruby optional ruby-actionpack-2.3_2.3.14-3.debian.tar.gz
 ee604a885d8341301c384040f3f4d65f 367178 ruby optional ruby-actionpack-2.3_2.3.14-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk+ILxAACgkQ9OZqfMIN8nMpAACdEsxoaSTnocYX/kk3WwP/3qfC
8jUAnjqvV2ebYmrWFx/kbOTU1WBd3r+r
=wMC9
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#668607; Package rails. (Fri, 13 Apr 2012 16:27:08 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 13 Apr 2012 16:27:08 GMT)


Message #20 received at 668607@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Ondřej Surý <ondrej@sury.org>
Cc: Moritz Muehlenhoff <muehlenhoff@univention.de>, 668607@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#668607: CVE-2012-1098 / CVE-2012-1099
Date: Fri, 13 Apr 2012 18:25:47 +0200
Hi,
* Ondřej Surý <ondrej@sury.org> [2012-04-13 15:56]:
> On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
> <muehlenhoff@univention.de> wrote:
> > Package: rails
> > Severity: grave
> > Tags: security
> >
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
> 
> The vulnerable code isn't present in rails-2.3 (which doesn't mean
> that rails 2.3 is not vulnerable, just that we cannot fix that).
> 
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
> 
> I have adapted the upstream patch to rails-2.3; the code seems to be
> reasonably similar to 3.x.
> 
> $ diffstat rails_2.3.5-1.2+squeeze3.debdiff
>  changelog                   |    8 +++++++
>  patches/CVE-2012-1099.patch |   46 ++++++++++++++++++++++++++++++++++++++++++++
>  patches/series              |    1
>  3 files changed, 55 insertions(+)
> 
> debdiff, dsc and debian.tar.gz attached

Looks good. Please go ahead and upload this to security-master.

Thank you!
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#668607; Package rails. (Sun, 15 Apr 2012 08:57:08 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 15 Apr 2012 08:57:08 GMT)


Message #25 received at 668607@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 668607@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#668607: CVE-2012-1098 / CVE-2012-1099
Date: Sun, 15 Apr 2012 10:53:12 +0200
On Fri, Apr 13, 2012 at 18:25, Nico Golde <nion@debian.org> wrote:
> Hi,
> * Ondřej Surý <ondrej@sury.org> [2012-04-13 15:56]:
>> On Fri, Apr 13, 2012 at 14:24, Moritz Muehlenhoff
>> <muehlenhoff@univention.de> wrote:
>> > Package: rails
>> > Severity: grave
>> > Tags: security
>> >
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098
>> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
>>
>> The vulnerable code isn't present in rails-2.3 (which doesn't mean
>> that rails 2.3 is not vulnerable, just that we cannot fix that).
>>
>> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099:
>> > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
>>
>> I have adapted the upstream patch to rails-2.3; the code seems to be
>> reasonably similar to 3.x.
>>
>> $ diffstat rails_2.3.5-1.2+squeeze3.debdiff
>>  changelog                   |    8 +++++++
>>  patches/CVE-2012-1099.patch |   46 ++++++++++++++++++++++++++++++++++++++++++++
>>  patches/series              |    1
>>  3 files changed, 55 insertions(+)
>>
>> debdiff, dsc and debian.tar.gz attached
>
> Looks good. Please go ahead and upload this to security-master.

Thanks, uploaded.

For unstable it has been fixed in:
ruby-actionpack-2.3 (2.3.14-3) unstable; urgency=low

  * Fix vulnerability for users that generate their own options tags for
    use with the select helper in Ruby On Rails [CVE-2012-1099]
    (Closes: #668607)

 -- Ondřej Surý <ondrej@debian.org>  Fri, 13 Apr 2012 15:39:31 +0200

O.
-- 
Ondřej Surý <ondrej@sury.org>
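As an added illustration of the pattern the changelog entry describes (callers generating their own option tags and handing them to a select helper), the following plain-Ruby example is not part of this bug report, the Debian package, or the Rails patch. The helper names, the stub select helper, and the sample label are constructed for the example. It contrasts the unescaped pattern with one that escapes user-supplied values and labels before the markup is treated as HTML, and includes a small check a reviewer can run over generated markup to spot leftover raw tags.

```ruby
require 'cgi'

# Constructed sample: an option label carrying caller-controlled markup.
# The break-out of the <option> element is what an unescaped label allows.
SAMPLE_LABEL = '</option><b>injected</b>'

# Unsafe pattern: option tags are built by string interpolation and later
# handed to a select helper that trusts them as already-safe HTML.
def build_option_tags_unsafe(choices)
  choices.map { |value, label| "<option value=\"#{value}\">#{label}</option>" }.join
end

# Safe pattern: escape attribute values and text content at the point the
# strings become HTML, so the helper's trust in them is justified.
def build_option_tags_safe(choices)
  choices.map do |value, label|
    "<option value=\"#{CGI.escapeHTML(value.to_s)}\">#{CGI.escapeHTML(label.to_s)}</option>"
  end.join
end

# Hypothetical stand-in for a select helper that wraps caller-supplied
# option tags without escaping them (the caller is responsible for that).
def select_tag_stub(name, option_tags)
  "<select name=\"#{CGI.escapeHTML(name)}\">#{option_tags}</select>"
end

# Review check: after stripping the expected <select>/<option> tags, does any
# raw '<' remain that would open an element the caller did not intend?
def contains_raw_markup?(html)
  inner = html.gsub(%r{</?(select|option)[^>]*>}, '')
  inner.include?('<')
end

if __FILE__ == $0
  choices = [['1', 'Plain label'], ['2', SAMPLE_LABEL]]
  puts select_tag_stub('color', build_option_tags_unsafe(choices))
  puts select_tag_stub('color', build_option_tags_safe(choices))
end
```

The check is deliberately coarse: it flags markup, not specific payloads, which is the right level for a code review of any helper that accepts pre-built HTML fragments from its caller.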




Bug 668607 cloned as bug 668977 Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 16 Apr 2012 08:39:03 GMT)


Changed Bug title to 'CVE-2012-1098: Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x [check if applies to RoR 2.3]' from 'CVE-2012-1098 / CVE-2012-1099' Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 16 Apr 2012 08:39:04 GMT)


Severity set to 'important' from 'grave' Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 16 Apr 2012 08:39:06 GMT)


Bug reopened Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 16 Apr 2012 08:45:11 GMT)


No longer marked as fixed in versions ruby-actionpack-2.3/2.3.14-3. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Mon, 16 Apr 2012 08:45:12 GMT)


Reply sent to Christian Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Wed, 08 Apr 2015 10:15:23 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Wed, 08 Apr 2015 10:15:23 GMT)


Message #40 received at 668977-close@bugs.debian.org:

From: Christian Hofstaedtler <zeha@debian.org>
To: 668977-close@bugs.debian.org
Subject: Re: #668977: CVE-2012-1098: Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x [check if applies to RoR 2.3]
Date: Wed, 8 Apr 2015 12:12:02 +0200
AFAICT, the version in wheezy has been fixed, and jessie and sid
contain much newer versions (4.x) that should have inherited the fix
upstream a long time ago.

Closing.
-- 
 ,''`.  Christian Hofstaedtler <zeha@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C  D392 5C13 D6DB 9305 2E03
  `-

[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 May 2015 07:29:41 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:48:20 2019; Machine Name: buxtehude
