Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 406547 (CVE-2012-1098) - <dev-ruby/rails-{3.0.12,3.1.4}: XSS vulnerabilities (CVE-2012-{1098,1099})
Summary: <dev-ruby/rails-{3.0.12,3.1.4}: XSS vulnerabilities (CVE-2012-{1098,1099})
Status: RESOLVED FIXED
Alias: CVE-2012-1098
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2012/3/...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-02 08:40 UTC by Hans de Graaff
Modified: 2014-12-14 15:06 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2012-03-02 08:40:36 UTC
There is a vulnerability in the SafeBuffer#[] in Ruby On Rails where unescaped safe buffers can be marked as safe.

Versions Affected:  All.
Fixed Versions:     3.2.2, 3.1.4, 3.0.12

Impact 
------ 
Due side effects of some optimizations in the String class, users that directly manipulate SafeBuffer objects via `[]` and other methods that return new instances of SafeBuffer may be inadvertently marked as HTML safe.  All users running an affected release should either upgrade or use one of the work arounds immediately. 

This problem manifests itself in forms like this:

  x = 'foo'.html_safe
  x.html_safe?                          # => true
  x.gsub!('f', 'user input').html_safe? # => false
  x[0..-1].html_safe?                   # => true

Or in a shorter form:

  'foo'.html_safe.gsub!('f', 'user input')[0..-1].html_safe? # => true

The fix will make the call to `html_safe?` return a falsey value.  After the patch:

  x = 'foo'.html_safe
  x.html_safe?                          # => true
  x.gsub!('f', 'user input').html_safe? # => false
  x[0..-1].html_safe?                   # => nil

Or in a shorter form:

  'foo'.html_safe.gsub!('f', 'user input')[0..-1].html_safe? # => nil




There is a vulnerability for users that generate their own options tags for use with the select helper in Ruby On Rails.

Versions Affected:  All.
Fixed Versions:     3.2.2, 3.1.4, 3.0.12

Impact 
------ 
When developers generate html options tags manually, user input concatenated with manually built tags may not be escaped and an attacker can inject arbitrary HTML in to the document.

Only manually generated select tag options are impacted, but all users running an affected release should either upgrade or use one of the work arounds immediately.
Comment 1 Hans de Graaff gentoo-dev Security 2012-03-02 08:41:24 UTC
Note that there are no patches for Rails 2.3, which is currently our only stable version. We might have to look into backporting the patches, and in the mean time work on stabling newer versions.
Comment 2 Agostino Sarubbo gentoo-dev 2012-03-02 09:07:34 UTC
The announcement does not mention 2.3 , sure that is affected?
Comment 3 Hans de Graaff gentoo-dev Security 2012-03-02 11:46:03 UTC
(In reply to comment #2)
> The announcement does not mention 2.3 , sure that is affected?

No, I'm not sure. The original announcement says: "Please note that only the  3.2.x, 3.1.x, and 3.0.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible."
Comment 4 Hans de Graaff gentoo-dev Security 2012-03-06 20:10:07 UTC
(In reply to comment #2)
> The announcement does not mention 2.3 , sure that is affected?

I have just verified the code and 2.3.x is also vulnerable. Upstream won't release patches, so we either need to backport ourselves (or find someone who has done that), or stable 3.0.x and drop 2.3.x.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-03-06 20:53:16 UTC
(In reply to comment #4)
> (In reply to comment #2)
> > The announcement does not mention 2.3 , sure that is affected?
> 
> I have just verified the code and 2.3.x is also vulnerable. Upstream won't
> release patches, so we either need to backport ourselves (or find someone
> who has done that), or stable 3.0.x and drop 2.3.x.

Thanks for doing this. FWIW, moving to a supported version would certainly make future security bugs/bumps a lot easier. Having to backport patches is often a never-ending battle which only delays the inevitable upgrade. But that is easy for me to say. ;)
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-03-22 20:09:05 UTC
CVE-2012-1099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1099):
  Cross-site scripting (XSS) vulnerability in
  actionpack/lib/action_view/helpers/form_options_helper.rb in the select
  helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x
  before 3.2.2 allows remote attackers to inject arbitrary web script or HTML
  via vectors involving certain generation of OPTION elements within SELECT
  elements.

CVE-2012-1098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1098):
  Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before
  3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers
  to inject arbitrary web script or HTML via vectors involving a SafeBuffer
  object that is manipulated through certain methods.
Comment 7 Hans de Graaff gentoo-dev Security 2012-04-04 10:00:19 UTC
Rails 3.0.12 is now in the tree.
Comment 8 Hans de Graaff gentoo-dev Security 2012-04-04 11:55:11 UTC
Rails 3.1.4 is now in the tree.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-04-04 21:56:41 UTC
Great, thank you. Shall we move forward and stabilize =dev-ruby/rails-3.0.12?
Comment 10 Hans de Graaff gentoo-dev Security 2012-04-10 18:44:30 UTC
(In reply to comment #9)
> Great, thank you. Shall we move forward and stabilize =dev-ruby/rails-3.0.12?

Yes, but that stabilization is quite involved. I'll file separate bugs for some of the components and include a final stabilization list here.
Comment 11 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 20:01:04 UTC
@maintainers: so about that stable list...
Comment 12 Hans de Graaff gentoo-dev Security 2013-10-20 08:45:24 UTC
(In reply to Chris Reffett from comment #11)
> @maintainers: so about that stable list...

Hmm, it looks like at the time I gave the wrong response to comment 9. The correct response should have been: "No, we don't have any Rails 3.0 version stable."

I think this bug can just be closed now. All affected slots are either already marked stable or don't have any stable versions.
Comment 13 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-09 01:37:52 UTC
Isn't 2.3.18 still affected, though?
Comment 14 Hans de Graaff gentoo-dev Security 2013-12-15 10:34:07 UTC
(In reply to Chris Reffett from comment #13)
> Isn't 2.3.18 still affected, though?

Yes, it looks like we never actually went looking for a patch. Rails 2.3 was already on our shortlist to be removed due to being ruby18-only. I have now masked it.
Comment 15 Jeremy Huddleston Sequoia 2013-12-19 02:39:51 UTC
(In reply to Hans de Graaff from comment #14)
> (In reply to Chris Reffett from comment #13)
> > Isn't 2.3.18 still affected, though?
> 
> Yes, it looks like we never actually went looking for a patch. Rails 2.3 was
> already on our shortlist to be removed due to being ruby18-only. I have now
> masked it.

And yet you have not marked anything else stable, so this breaks installs that are not accepting unstable keywords.
Comment 16 Hans de Graaff gentoo-dev Security 2013-12-22 13:09:09 UTC
(In reply to Jeremy Huddleston from comment #15)

> And yet you have not marked anything else stable, so this breaks installs
> that are not accepting unstable keywords.

What specific problem is this causing for you?
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-14 15:06:20 UTC
Closing noglsa since ~arch only branches were updated and stable branch was removed from tree (no GLSA for the stable branch since it is XSS)