Bug 536008 (CVE-2012-6684) - <dev-ruby/redcloth-4.2.9-r3: XSS vulnerability (CVE-2012-6684)
Summary: <dev-ruby/redcloth-4.2.9-r3: XSS vulnerability (CVE-2012-6684)
Status: RESOLVED FIXED
Alias: CVE-2012-6684
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa cve]
Reported: 2015-01-08 10:36 UTC by Agostino Sarubbo
Modified: 2015-08-10 13:36 UTC

Description Agostino Sarubbo gentoo-dev 2015-01-08 10:36:11 UTC
From ${URL} :

A Cross-Site Scripting (XSS) vulnerability was reported [1],[2] in the RedCloth rubygem. This has not been fixed upstream, but Redmine uses a copy of RedCloth and has a patch [3].

[1] https://gist.github.com/co3k/75b3cb416c342aa1414c
[2] http://co3k.org/blog/redcloth-unfixed-xss-en
[3] http://www.redmine.org/projects/redmine/repository/revisions/2212/diff/trunk/lib/redcloth3.rb


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-10 21:48:44 UTC
CVE-2012-6684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6684):
  Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for
  Ruby and earlier allows remote attackers to inject arbitrary web script or
  HTML via a javascript: URI.
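The CVE text above describes the defect class: a markup renderer that copies a user-supplied link target into an href attribute without restricting the URL scheme. The following Ruby is an added illustration of the defensive check, not code from RedCloth, the Debian patch, or the Redmine fix. The method names (safe_link_url?, neutralize_unsafe_links), the ALLOWED_LINK_SCHEMES allowlist and the sample HTML are all assumptions constructed for this example. It shows why a literal start_with?("javascript:") test is not enough (browsers strip control characters and surrounding whitespace and match the scheme case-insensitively) and why a post-render filter has to decode HTML entities before looking at the scheme.

```ruby
require 'uri'
require 'cgi'

# Schemes a Textile/Markdown renderer should let through in links.
# Everything else (javascript:, data:, vbscript:, ...) is refused.
# Assumed allowlist for this example; adjust to the application's needs.
ALLOWED_LINK_SCHEMES = %w[http https mailto].freeze

# Returns true when +url+ is safe to emit as an href value.
# Browsers remove ASCII control characters and surrounding whitespace before
# interpreting a URL and match the scheme case-insensitively, so the check
# normalises the same way rather than doing a literal prefix comparison.
# Anything that does not parse at all is treated as unsafe (fail closed).
def safe_link_url?(url)
  normalised = url.to_s.gsub(/[\x00-\x1f\x7f]/, '').strip
  uri = URI.parse(normalised)
  scheme = uri.scheme
  return true if scheme.nil? # relative link: /path, #anchor, page.html

  ALLOWED_LINK_SCHEMES.include?(scheme.downcase)
rescue URI::InvalidURIError
  false
end

# Post-render filter: rewrite the href of every <a> whose target fails the
# check to "#". Attribute values in rendered HTML are entity-encoded, so they
# are decoded first; otherwise an encoded scheme would pass the check here and
# be decoded by the browser. The regex is deliberately simple and illustrative
# only; a production deployment should use a DOM-based sanitizer such as
# Loofah or rails-html-sanitizer instead of pattern matching on markup.
HREF_PATTERN = /(<a\b[^>]*?\bhref\s*=\s*)(["'])(.*?)\2/im

def neutralize_unsafe_links(html)
  html.gsub(HREF_PATTERN) do
    m = Regexp.last_match
    prefix, quote, raw_value = m[1], m[2], m[3]
    safe_link_url?(CGI.unescapeHTML(raw_value)) ? m[0] : "#{prefix}#{quote}##{quote}"
  end
end

# Constructed sample of what a renderer might emit for user-supplied markup;
# this is not real RedCloth output.
SAMPLE_HTML = '<p><a href="https://example.com/">fine</a> ' \
              '<a href="javascript:alert(1)">bad</a> ' \
              '<a href="&#106;avascript:alert(1)">encoded</a></p>'

EXPECTED_HTML = '<p><a href="https://example.com/">fine</a> ' \
                '<a href="#">bad</a> <a href="#">encoded</a></p>'

if $PROGRAM_NAME == __FILE__
  puts neutralize_unsafe_links(SAMPLE_HTML)
end
```

The allowlist direction matters: a denylist of known-bad schemes has to be updated every time a new scheme or encoding trick appears, whereas an allowlist of the two or three schemes the application actually needs refuses everything else by default, including URLs that fail to parse.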
Comment 2 Hans de Graaff gentoo-dev 2015-01-17 11:03:13 UTC
The patch mentioned in the linked bugs is actually for an ancient version of redcloth that is no longer in the tree.

Looking at the dependencies and the upstream developer comment I think we should mask this for removal. All packages that depend on this either do so for optional tests or to generate documentation.

Affected packages:

dev-ruby/coderay
dev-ruby/railties:3.2
dev-ruby/sqlite3
dev-ruby/stringex
dev-ruby/test-unit
www-apps/jekyll
Comment 3 Hans de Graaff gentoo-dev 2015-07-10 06:46:38 UTC
I have now applied a patch from debian that is still pending to be applied upstream.

Arches, please test and mark stable:

=dev-ruby/redcloth-4.2.9-r3
Comment 4 Agostino Sarubbo gentoo-dev 2015-07-10 09:55:04 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-07-10 09:55:19 UTC
x86 stable
Comment 6 Jeroen Roovers gentoo-dev 2015-07-11 06:43:40 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers gentoo-dev 2015-07-11 08:50:19 UTC
Stable for HPPA.
Comment 8 Tobias Klausmann gentoo-dev 2015-07-14 15:31:33 UTC
Stable on alpha (took dev-libs/nspr-4.10.8 along as a dep).
Comment 9 Tobias Klausmann gentoo-dev 2015-07-14 15:32:07 UTC
Gah, wrong bug. Disregard #8
Comment 10 Tobias Klausmann gentoo-dev 2015-07-14 15:46:52 UTC
Stable on alpha (for realz, this time).
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-17 13:15:32 UTC
ia64 stable
Comment 12 Markus Meier gentoo-dev 2015-07-17 19:56:28 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-07-23 09:02:09 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-07-23 09:36:34 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 15 Manuel Rüger (RETIRED) gentoo-dev 2015-07-23 12:26:30 UTC
  23 Jul 2015; Manuel Rüger <mrueg@gentoo.org> -redcloth-4.2.9-r1.ebuild:
  Remove vulnerable.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2015-08-10 13:36:17 UTC
Maintainer(s), Thank you for cleanup!

No GLSAs for Cross-Site Scripting (XSS) as per policy.
Closing noglsa