Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 728506 (CVE-2020-4054)

Summary: <dev-ruby/sanitize-5.2.1: XSS / filter bypass (CVE-2020-4054)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: ruby
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-16 23:51:53 UTC
Description:
"In Sanitize (RubyGem sanitize) greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. 

When HTML is sanitized using Sanitize's "relaxed" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized correctly even if math and svg are not in the allowlist. 

You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, xmp. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. This has been fixed in 5.2.1."
Comment 1 Hans de Graaff gentoo-dev Security 2020-06-17 05:53:46 UTC
sanitize 5.2.1 has been added.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-17 21:09:33 UTC
(In reply to Hans de Graaff from comment #1)
> sanitize 5.2.1 has been added.

Thanks Hans. Please cleanup when you're ready.
Comment 3 Hans de Graaff gentoo-dev Security 2020-07-05 06:56:52 UTC
cleanup done.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-05 09:49:11 UTC
(In reply to Hans de Graaff from comment #3)
> cleanup done.

All done.