
Bug 536008 (CVE-2012-6684)

Summary: <dev-ruby/redcloth-4.2.9-r3: XSS vulnerability (CVE-2012-6684)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1179870
Whiteboard: B4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-01-08 10:36:11 UTC
From ${URL} :

A Cross-Site Scripting (XSS) vulnerability was reported [1],[2] in the RedCloth rubygem. This has not been fixed upstream, but Redmine uses a copy of RedCloth and has a patch [3].

[1] https://gist.github.com/co3k/75b3cb416c342aa1414c
[2] http://co3k.org/blog/redcloth-unfixed-xss-en
[3] http://www.redmine.org/projects/redmine/repository/revisions/2212/diff/trunk/lib/redcloth3.rb
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-10 21:48:44 UTC
CVE-2012-6684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6684):
  Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for
  Ruby and earlier allows remote attackers to inject arbitrary web script or
  HTML via a javascript: URI.
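The vector named in the CVE text above is a link target with a javascript: scheme. As an added illustration of the mitigation class (example code written for this page, not RedCloth's code and not the Debian or Redmine patch linked in the description): a scheme allowlist applied to user-supplied link targets before they are emitted in an href attribute. The SAFE_SCHEMES list, the safe_href and link_html names, and the choice to fail closed with "#" are assumptions for this example.

```ruby
require 'uri'
require 'erb'

# Link schemes the converter is willing to emit in href attributes.
# (Assumed allowlist for this example; an application would tune it.)
SAFE_SCHEMES = %w[http https mailto ftp].freeze

# Returns the href value to emit for a user-supplied link target, or "#"
# when the target must not be linked. Relative URLs are allowed; absolute
# URLs only when their scheme is in SAFE_SCHEMES. Before parsing, the input
# is normalised the way browsers normalise URLs: leading/trailing C0 controls
# and spaces are stripped and embedded tab/newline characters are removed,
# so " JavaScript:" or "java\tscript:" cannot slip past a naive prefix check.
def safe_href(raw)
  cleaned = raw.to_s
               .gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, '')
               .delete("\t\n\r")
  return '#' if cleaned.empty?

  scheme = URI.parse(cleaned).scheme
  return cleaned if scheme.nil?                            # relative link
  return cleaned if SAFE_SCHEMES.include?(scheme.downcase) # allowlisted scheme
  '#'                                                      # javascript:, data:, anything else
rescue URI::InvalidURIError
  '#'                                                      # fail closed on unparsable input
end

# The emitting step a textile-style "label":target link would go through.
# ERB::Util.html_escape (stdlib) handles the separate problem of quotes and
# angle brackets in the label and in the (already scheme-checked) href.
def link_html(label, target)
  href = ERB::Util.html_escape(safe_href(target))
  %(<a href="#{href}">#{ERB::Util.html_escape(label)}</a>)
end
```

The check is deliberately an allowlist rather than a denylist of bad schemes: a denylist has to anticipate every scheme and every browser normalisation trick, whereas an allowlist only has to name the handful of schemes the application actually wants to link to.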
Comment 2 Hans de Graaff gentoo-dev Security 2015-01-17 11:03:13 UTC
The patch mentioned in the linked bugs is actually for an ancient version of redcloth that is no longer in the tree.

Looking at the dependencies and the upstream developer comment I think we should mask this for removal. All packages that depend on this either do so for optional tests or to generate documentation.

Affected packages:

dev-ruby/coderay
dev-ruby/railties:3.2
dev-ruby/sqlite3
dev-ruby/stringex
dev-ruby/test-unit
www-apps/jekyll
Comment 3 Hans de Graaff gentoo-dev Security 2015-07-10 06:46:38 UTC
I have now applied a patch from Debian that is still pending to be applied upstream.

Arches, please test and mark stable:

=dev-ruby/redcloth-4.2.9-r3
Comment 4 Agostino Sarubbo gentoo-dev 2015-07-10 09:55:04 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-07-10 09:55:19 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-11 06:43:40 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-11 08:50:19 UTC
Stable for HPPA.
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 15:31:33 UTC
Stable on alpha (took dev-libs/nspr-4.10.8 along as a dep).
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 15:32:07 UTC
Gah, wrong bug. Disregard #8.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-14 15:46:52 UTC
Stable on alpha (for realz, this time).
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-17 13:15:32 UTC
ia64 stable
Comment 12 Markus Meier gentoo-dev 2015-07-17 19:56:28 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-07-23 09:02:09 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-07-23 09:36:34 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Manuel Rüger (RETIRED) gentoo-dev 2015-07-23 12:26:30 UTC
  23 Jul 2015; Manuel Rüger <mrueg@gentoo.org> -redcloth-4.2.9-r1.ebuild:
  Remove vulnerable.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-08-10 13:36:17 UTC
Maintainer(s), Thank you for cleanup!

No GLSAs for Cross-Site Scripting (XSS) as per policy.
Closing noglsa