From the rubyonrails-security list:

There is a weakness in the strip_tags function in Ruby on Rails. Due to a bug in the parsing code inside HTML::Tokenizer regarding non-printable ASCII characters, an attacker can include values which certain browsers will then evaluate.

Versions Affected: All versions prior to 2.3.4 or 2.2.s
Not affected: Applications which do not use strip_tags
Fixed Versions: 2.3.5

Impact
------
Applications relying on strip_tags for XSS protection may be vulnerable to attacks on Internet Explorer users.

Releases
--------
The 2.3.5 release is available at the normal locations now.

Workarounds
-----------
Users using strip_tags can pass the resulting output to the regular escaping functionality:

<%= h(strip_tags(...)) %>

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset updating the parser and providing an additional unit test.

* 2-2-strip_tags.patch - Patch for 2.2 series
* 2-3-strip_tags.patch - Patch for 2.3 series

Please note that only the 2.2.x and 2.3.x series are supported at present. Users of earlier unsupported releases are advised to upgrade at their earliest convenience.

Credits
-------
Thanks to Gabe da Silveira for reporting the vulnerability to us and providing the fix.
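The workaround above, as an added example written for this bug entry (not code from the advisory or from Rails): a constructed stand-in tag stripper plays the role of a sanitizer whose output must not be trusted, the stdlib CGI.escapeHTML plays the role of Rails' h(), and a control-character filter (an assumption of this example, not part of the advisory) is applied before stripping, since the flaw concerned the tokenizer's handling of non-printable ASCII.

```ruby
require 'cgi'

# Constructed stand-in for a tag stripper: removes well-formed <...> tags only.
# It is NOT Rails' strip_tags / HTML::Tokenizer; it stands in for any sanitizer
# whose output should not be treated as safe HTML.
def naive_strip_tags(html)
  html.gsub(/<[^>]*>/, '')
end

# Additional hardening (assumption, not from the advisory): drop non-printable
# ASCII control characters, keeping tab, LF and CR, before the text reaches
# the stripper, so the tokenizer never sees the bytes the bug concerned.
def drop_control_chars(s)
  s.gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
end

# Defense in depth, mirroring the advisory's workaround <%= h(strip_tags(...)) %>:
# whatever the stripper leaves behind is HTML-escaped before it reaches the page.
def strip_then_escape(html)
  CGI.escapeHTML(naive_strip_tags(drop_control_chars(html)))
end

# A check for templates or tests: true if the string can be placed as HTML text
# content, i.e. no raw angle brackets and no unescaped ampersands survive.
def html_text_safe?(s)
  !s.match?(/[<>]/) && !s.match?(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/)
end
```

The point of the check is that it holds for the escaped output regardless of what the stripper missed, which is what makes h() the right outer layer.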
Created attachment 211294: Patch for Rails 2.2.x
Created attachment 211295: Rails 2.3.x patch
As far as I can tell upstream has only released Rails 2.3.5. If we want to keep the 2.2.x series around we need to patch it ourselves, it seems like.
Arches, please test and mark stable:

2.2 slot:
=dev-ruby/actionpack-2.2.3-r1
=dev-ruby/rails-2.2.3-r1
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"

2.3 slot:
=dev-ruby/activesupport-2.3.5
=dev-ruby/actionpack-2.3.5
=dev-ruby/activeresource-2.3.5
=dev-ruby/actionmailer-2.3.5
=dev-ruby/activerecord-2.3.5
=dev-ruby/rails-2.3.5
Target keywords : "amd64 ia64 ppc ppc64 sparc x86"
Please also stabilize dev-ruby/rack-1.0.1.
amd64/x86 stable
ppc64 done
ia64/sparc stable
CVE-2009-4214 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4214): Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
Stable for PPC.
GLSA together with #200159, #237385, #247549, #276279, and #283396. Draft already filed, advisory will be sent tonight.
GLSA 200912-02