
Bug 182223

Summary: dev-ruby/activesupport <= 1.4.2 "to_json" Cross-Site Scripting (CVE-2007-3227)
Product: Gentoo Security
Reporter: Pierre-Yves Rofes (RETIRED) <py>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: rajiv, ruby
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/25699/
Whiteboard: B4 [glsa] p-y
Package list:
Runtime testing required: ---
Bug Depends on: 194838, 195315
Bug Blocks:

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-16 15:04:28 UTC
BCC has reported a vulnerability in Ruby on Rails, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "to_json" function is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in version 1.2.3. Other versions may also be affected.

Solution:
Fixed in the SVN repository (Changeset 6893/6894).
http://dev.rubyonrails.org/changeset/6893
http://dev.rubyonrails.org/changeset/6894
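
An added illustration of the class of bug described above, not code from Rails or from changesets 6893/6894 (their contents are not shown on this page): a string encoder that emits valid JSON but leaves HTML-significant characters intact, beside one that `\u`-escapes them. It assumes the JSON ends up in an HTML context; all function names and the sample value are constructed for this example.

```ruby
require "json"

# Constructed sample: an attribute value that carries markup.
SAMPLE = { "name" => "</script><img src=x onerror=alert(1)>" }.freeze

JSON_ESCAPES = {
  '"' => '\"', "\\" => "\\\\", "\n" => '\n',
  "\r" => '\r', "\t" => '\t', "\b" => '\b', "\f" => '\f'
}.freeze

# Escapes only what JSON syntax requires. The result is valid JSON,
# but <, > and & pass through untouched.
def encode_string_naive(str)
  body = str.gsub(/["\\\x00-\x1f]/) do |c|
    JSON_ESCAPES[c] || format('\u%04x', c.ord)
  end
  %("#{body}")
end

# Same encoding, then \u-escapes the HTML-significant characters so the
# output cannot close a <script> element or open a tag when it is
# placed inside an HTML page. A JSON parser decodes both forms alike.
def encode_string_html_safe(str)
  encode_string_naive(str).gsub(/[<>&]/) { |c| format('\u%04x', c.ord) }
end

# Encodes a flat hash of strings with the chosen string encoder.
def encode_hash(hash, encoder)
  pairs = hash.map do |k, v|
    "#{send(encoder, k.to_s)}: #{send(encoder, v.to_s)}"
  end
  "{#{pairs.join(', ')}}"
end

# True when the JSON text contains no character HTML treats as markup.
def html_inert?(json)
  !json.match?(/[<>&]/)
end

if __FILE__ == $PROGRAM_NAME
  %i[encode_string_naive encode_string_html_safe].each do |enc|
    out = encode_hash(SAMPLE, enc)
    same = JSON.parse(out) == SAMPLE
    puts "#{enc}: #{out} inert=#{html_inert?(out)} same_data=#{same}"
  end
end
```
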
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-16 15:06:16 UTC
setting status and cc'ing herd. ruby, please advise.
Comment 2 Josh Nichols (RETIRED) gentoo-dev 2007-06-19 13:09:12 UTC
This is affecting dev-ruby/activesupport specifically.

Currently, we package rails and company from gem files. The issue here is that we don't really have much room to patch, without mangling the gem, and reassembling it. I poked around at doing that before, but didn't have much luck with reassembling.

Another approach would be to switch to source, and do 'rake gem' to generate the gem as upstream would do. The only issue here is that the tgz download for activesupport doesn't actually include the Rakefile needed to do that kind of thing. To get around that, we should theoretically be able to take an svn 'snapshot' of the 1.2.3 release tag, and go from there.
Comment 3 Hans de Graaff gentoo-dev 2007-06-21 17:52:01 UTC
I haven't seen any mention of this bug on the rails-core mailing list, nor on the rails mailing list. So while it is considered a bug, upstream doesn't really seem to consider it a security issue. Last time there was a security issue the Rails team was pretty quick in releasing a new version. That's not to say we shouldn't fix this, but the sense of urgency seems to be low.

Original bug report here: http://dev.rubyonrails.org/ticket/8371
Comment 4 Richard Brown (RETIRED) gentoo-dev 2007-06-22 19:50:05 UTC
The patch also won't apply to 1.4.2, because they've restructured the code in that area.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-23 18:07:00 UTC
Seems like it would be best to wait for upstream. ruby please comment once a fix has been released.
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-22 18:59:39 UTC
According to http://dev.rubyonrails.org/ticket/8371, bug has been fixed upstream.
In the meanwhile, version 1.3.1 seems stable on all arches. Is this fixed in this version so we can move directly to the glsa vote? Ruby, please advise.
Comment 7 Richard Brown (RETIRED) gentoo-dev 2007-09-22 21:14:35 UTC
version 1.2.3 refers to rails itself. The version of activesupport that was released for that version was 1.4.2, they still haven't released a fixed version.
Comment 8 Hans de Graaff gentoo-dev 2007-10-05 09:58:14 UTC
Rails 1.2.4 just got released that allegedly fixes this issue:

* Changed the JSON encoding algorithms to avoid potential XSS issues when using ActiveRecord::Base#to_json
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-10-05 12:26:15 UTC
ruby, please advise.
Comment 10 Hans de Graaff gentoo-dev 2007-10-06 16:38:58 UTC
Rails 1.2.4 is now in the tree, but I would prefer to wait at least a week before starting to make it stable and thus resolve this security bug. Breaking people's web services seems to be worse than fixing this bug one week sooner.
Comment 11 Hans de Graaff gentoo-dev 2007-10-10 05:35:19 UTC
Rails 1.2.4 fixes more security issues than just the JSON problem, see bug #195315
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-14 07:39:29 UTC
Hans, is it ready for stable marking now?
Comment 13 Hans de Graaff gentoo-dev 2007-10-14 08:03:51 UTC
We should be marking rails 1.2.5 stable, and this is tracked in #195315. We should probably close this bug and track the issue on the Rails 1.2.5 bug. My current plan is to ask for stabilization of 1.2.5 on Monday morning unless something comes up in the meantime.
Comment 14 Hans de Graaff gentoo-dev 2007-10-16 06:57:35 UTC

*** This bug has been marked as a duplicate of bug 195315 ***
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2007-10-16 07:12:30 UTC
Please don't close security bugs, even if they might be redundant. We need them open to handle advisories.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-14 21:22:57 UTC
GLSA 200711-17, sorry for the delay.