
Bug 764320 (CVE-2020-8264)

Summary: <dev-ruby/actionpack-6.0.3.4: XSS vulnerability (CVE-2020-8264)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ruby
Priority: Normal
Flags: nattka: sanity-check-
Version: unspecified
Hardware: All
OS: Linux
URL: https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 14:35:31 UTC
Description:
"In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware."

See also: https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ
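The affected range from the description, turned into a Gemfile.lock check that tells an administrator whether an application pins an actionpack release this bug covers. This is an added example, not code from this bug, from NATTkA or from Rails; it assumes the range ">= 6.0.0, < 6.0.3.4" from the summary and description, and that later release series carry the fix.

```ruby
# Added example, not code from the Gentoo bug or from Rails: report whether the
# actionpack pinned in a Gemfile.lock falls in the range this bug covers.
# Assumed range, taken from the page: affected >= 6.0.0, fixed from 6.0.3.4 on
# (later release series are assumed to carry the fix). A hit means "upgrade";
# per the advisory, exposure additionally requires development mode.
require "rubygems"

AFFECTED = Gem::Requirement.new(">= 6.0.0", "< 6.0.3.4")

# Parse the "specs:" section of a Gemfile.lock into { gem name => version }.
# Only direct spec lines (4-space indent, "name (version)") count; nested
# dependency lines are indented deeper and any platform suffix is dropped.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    in_specs = true  if line =~ /^\s+specs:\s*$/
    in_specs = false if line =~ /^\S/          # PLATFORMS / DEPENDENCIES ...
    next unless in_specs
    m = line.match(/^    ([A-Za-z0-9_.\-]+) \(([0-9][0-9A-Za-z.]*)/)
    gems[m[1]] = m[2] if m
  end
  gems
end

# :affected, :not_affected, or :absent (actionpack not in the lockfile).
def actionpack_status(lock_text)
  version = parse_lockfile(lock_text)["actionpack"]
  return :absent unless version
  AFFECTED.satisfied_by?(Gem::Version.new(version)) ? :affected : :not_affected
end

# Constructed sample lockfile pinning the release just before the fix.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.3.3)
        actionview (= 6.0.3.3)
        activesupport (= 6.0.3.3)
      rack (2.2.3)
  PLATFORMS
    ruby
  DEPENDENCIES
    actionpack
LOCK

lock = ARGV.empty? ? SAMPLE_LOCK : File.read(ARGV.first)
puts "actionpack: #{actionpack_status(lock)}"   # sample prints "actionpack: affected"
```

Run it with a path argument to check a real lockfile; with no argument it evaluates the constructed sample.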
Comment 1 NATTkA bot gentoo-dev 2021-01-07 14:36:51 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-01-07 14:40:56 UTC
Sanity check failed:

> dev-ruby/actionpack-6.0.3.4
>   bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby26(-)]
>   bdepend amd64 stable profile default/linux/amd64/17.1 (14 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby26(-)]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
>   rdepend amd64 stable profile default/linux/amd64/17.1 (14 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
Comment 3 Hans de Graaff gentoo-dev Security 2021-01-10 08:03:55 UTC
Not sure what the point of the package list is here. There are no vulnerable versions in the tree anymore so it looks like we are done here.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 14:14:21 UTC
(In reply to Hans de Graaff from comment #3)
> Not sure what the point of the package list is here. There are no vulnerable
> versions in the tree anymore so it looks like we are done here.

Sorry, you're right, only 6.x is vulnerable anyway. Thank you.