
Bug 699840 (CVE-2017-1002201)

Summary: <dev-ruby/haml-5.1.2: improper escaping of user input (CVE-2017-1002201)
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: ruby
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://snyk.io/vuln/SNYK-RUBY-HAML-20362
Whiteboard: B2 [glsa+ cve]
Package list: dev-ruby/haml-5.1.2
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-11 16:55:59 UTC
CVE-2017-1002201 (https://nvd.nist.gov/vuln/detail/CVE-2017-1002201):
  In haml versions prior to version 5.0.0.beta.2, when using user input to
  perform tasks on the server, characters like < > " ' must be escaped
  properly. In this case, the ' character was missed. An attacker can
  manipulate the input to introduce additional attributes, potentially
  executing code.
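The defect class described above, as an added example that is not haml's own code or the upstream patch: an attribute escaper whose escape table covers `< > " &` but omits `'` lets a value containing an apostrophe close a single-quoted attribute and start a new one, while the complete table keeps the value inside one attribute. The tag name, attribute name, tokenizer and sample value are all constructed for the illustration.

```ruby
# Added example, not haml source: a constructed attribute escaper with the
# incomplete escape set the CVE text describes, beside the complete set.

# Incomplete table: the apostrophe is missing (constructed for illustration).
INCOMPLETE_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;'
}.freeze

# Complete table: adds the apostrophe. &#39; is used instead of &apos;
# because &apos; is not a defined entity in HTML 4.
COMPLETE_ESCAPES = INCOMPLETE_ESCAPES.merge("'" => '&#39;').freeze

# Escape every character the table knows; characters it does not know pass
# through unchanged, which is exactly how a missing table entry becomes a bug.
def escape_attr(value, table)
  value.to_s.gsub(/[&<>"']/) { |c| table.fetch(c, c) }
end

# Render a tag with a single-quoted attribute, as a template engine might.
def render_single_quoted(name, value, table)
  "<a #{name}='#{escape_attr(value, table)}'>link</a>"
end

# Count the attributes in the opening <a ...> tag with a small tokenizer
# (constructed check for this example, not a full HTML parser). A correctly
# escaped value yields exactly one attribute regardless of its content.
def attribute_count(markup)
  open_tag = markup[/<a\s([^>]*)>/, 1] || ''
  open_tag.scan(/[A-Za-z_:-]+=(?:'[^']*'|"[^"]*"|[^\s'"]+)/).size
end

# Constructed user-supplied value containing an apostrophe.
USER_VALUE = "x' title='injected".freeze

if __FILE__ == $PROGRAM_NAME
  [INCOMPLETE_ESCAPES, COMPLETE_ESCAPES].each do |table|
    html = render_single_quoted('href', USER_VALUE, table)
    puts "#{html}  => #{attribute_count(html)} attribute(s)"
  end
end
```

Run directly, the script prints both renderings: the incomplete table produces two attributes from one input value, the complete table produces one.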
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-11-11 16:56:47 UTC
Upstream patch: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
Comment 2 Hans de Graaff gentoo-dev Security 2019-11-11 18:58:58 UTC
All packages in the tree should work with haml:5, so we should mark this as stable and remove haml:4 afterwards.
Comment 3 Agostino Sarubbo gentoo-dev 2019-11-12 10:07:34 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-11-12 15:09:12 UTC
ppc64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-11-13 07:41:34 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2019-11-13 07:45:50 UTC
amd64 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-27 13:06:16 UTC
arm stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 04:03:29 UTC
@maintainer(s), ok to cleanup?
Comment 9 Hans de Graaff gentoo-dev Security 2020-03-19 07:47:49 UTC
Masked for removal in 30 days.
Comment 10 NATTkA bot gentoo-dev 2020-04-06 15:05:14 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2020-05-22 01:38:34 UTC
Arches and Maintainer(s), thank you for your work.
New GLSA Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:21:47 UTC
This issue was resolved and addressed in
 GLSA 202007-27 at https://security.gentoo.org/glsa/202007-27
by GLSA coordinator Sam James (sam_c).