764320 – (CVE-2020-8264) <dev-ruby/actionpack-6.0.3.4: XSS vulnerability (CVE-2020-8264)

Bug 764320 (CVE-2020-8264) - <dev-ruby/actionpack-6.0.3.4: XSS vulnerability (CVE-2020-8264)

Summary: <dev-ruby/actionpack-6.0.3.4: XSS vulnerability (CVE-2020-8264)

Status:	RESOLVED FIXED

Alias:	CVE-2020-8264

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://groups.google.com/g/rubyonrai...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2021-01-07 14:35 UTC by Sam James
Modified:	2021-01-10 14:14 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Flags:	nattka: sanity-check-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-01-07 14:35:31 UTC

Description:
"In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware."

See also: https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ

Comment 1 NATTkA bot gentoo-dev

2021-01-07 14:36:51 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-ruby/actionpack-6.0.34

Comment 2 NATTkA bot gentoo-dev

2021-01-07 14:40:56 UTC

Sanity check failed:

> dev-ruby/actionpack-6.0.3.4
>   bdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby26(-)]
>   bdepend amd64 stable profile default/linux/amd64/17.1 (14 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activemodel-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/railties-6.0.3.4[ruby_targets_ruby26(-)]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (3 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]
>   rdepend amd64 stable profile default/linux/amd64/17.1 (14 total)
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/actionview-6.0.3.4[ruby_targets_ruby26(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby25(-)]
>     ~dev-ruby/activesupport-6.0.3.4[ruby_targets_ruby26(-)]

Comment 3 Hans de Graaff gentoo-dev

2021-01-10 08:03:55 UTC

Not sure what the point of the package list is here. There are no vulnerable versions in the tree anymore so it looks like we are done here.

Comment 4 Sam James archtester

2021-01-10 14:14:21 UTC

(In reply to Hans de Graaff from comment #3)
> Not sure what the point of the package list is here. There are no vulnerable
> versions in the tree anymore so it looks like we are done here.

Sorry, you're right, only 6.x is vulnerable anyway. Thank you.