Bug 462452 (CVE-2013-1854) - <dev-ruby/rails-2.3.18: Multiple Vulnerabilities (CVE-2013-{1854,1855,1856,1857})
Summary: <dev-ruby/rails-2.3.18: Multiple Vulnerabilities (CVE-2013-{1854,1855,1856,18...
Status: RESOLVED FIXED
Alias: CVE-2013-1854
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52656/
Whiteboard: B3 [glsa]
Keywords:
Duplicates: 462474
Depends on:
Blocks:
Reported: 2013-03-20 09:54 UTC by Agostino Sarubbo
Modified: 2016-08-11 11:21 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2013-03-20 09:54:50 UTC
From ${URL} :

Description
Multiple vulnerabilities have been reported in Ruby on Rails, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).

1) An error when handling keys to a hash in Active Record can be exploited to potentially convert hash keys to symbols and cause a DoS condition.

2) Certain input is not properly sanitised in the "sanitize_css" method in Action Pack before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) An error when parsing XML entities via ActiveSupport::XmlMini_JDOM in ActiveSupport can potentially be exploited to e.g. disclose contents of certain local files or cause a DoS condition by sending specially crafted XML data including external entity references.

Successful exploitation of this vulnerability requires a JRuby application using the JDOM backend.

This vulnerability is reported in versions 3.0.0 and later.

4) The sanitize helper within the HTML module does not properly verify allowed protocols, which can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities #1, #2, and #4 are reported in versions prior to 3.2.13, 3.1.12, and 2.3.18.


Solution
Update or upgrade to version 3.2.13, 3.1.12, or 2.3.18 or apply patches (please see the vendor's advisory for details).

Provided and/or discovered by
The vendor credits:
1, 3) Ben Murphy
2) Charlie Somerville
4) Alan Jenkins.

Original Advisory
Ruby on Rails:
http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
https://groups.google.com/forum/#!topic/ruby-security-ann/o0Dsdk2WrQ0
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI
Comment 1 Agostino Sarubbo gentoo-dev 2013-03-20 12:51:10 UTC
*** Bug 462474 has been marked as a duplicate of this bug. ***
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-03-20 23:37:32 UTC
CVE-2013-1857 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1857):
  The sanitize helper in
  lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action
  Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before
  3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon)
  characters in URLs, which makes it easier for remote attackers to conduct
  cross-site scripting (XSS) attacks via a crafted scheme name, as
  demonstrated by including a &#x3a; sequence.

CVE-2013-1856 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1856):
  The ActiveSupport::XmlMini_JDOM backend in
  lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby
  on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby
  is used, does not properly restrict the capabilities of the XML parser,
  which allows remote attackers to read arbitrary files or cause a denial of
  service (resource consumption) via vectors involving (1) an external DTD or
  (2) an external entity declaration in conjunction with an entity reference.

CVE-2013-1855 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1855):
  The sanitize_css method in
  lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action
  Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before
  3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline)
  characters, which makes it easier for remote attackers to conduct cross-site
  scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token
  sequences.

CVE-2013-1854 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1854):
  The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x
  before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by
  converting hash keys to symbols, which allows remote attackers to cause a
  denial of service via crafted input to a where method.
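The CVE-2013-1857 entry above describes a URL scheme check that an HTML-encoded colon slips past. As an added illustration in Ruby (my own code, not the Rails sanitizer; every name here is assumed), a naive allowlist check is shown beside one that decodes character references and drops control characters before looking at the scheme; the control-character stripping goes slightly beyond the page's encoded-colon case.

```ruby
# Constructed example: scheme allowlisting for href/src attributes.
# Lesson from CVE-2013-1857: canonicalise (decode) BEFORE validating.
ALLOWED_SCHEMES = %w[http https mailto ftp].freeze

# Small named-reference table; numeric references are decoded generically.
NAMED_REFS = { "colon" => ":", "amp" => "&", "lt" => "<", "gt" => ">",
               "quot" => '"', "apos" => "'", "Tab" => "\t", "NewLine" => "\n" }.freeze

# Decode &#58; / &#x3a; and the named references above; leave unknown ones as-is.
def decode_refs(str)
  str.gsub(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/i) do
    ref = Regexp.last_match(1)
    begin
      if ref.start_with?("#x", "#X") then ref[2..-1].to_i(16).chr(Encoding::UTF_8)
      elsif ref.start_with?("#")     then ref[1..-1].to_i.chr(Encoding::UTF_8)
      else NAMED_REFS.fetch(ref, "&#{ref};")
      end
    rescue RangeError
      "&#{ref};" # invalid code point: keep the literal text rather than crash
    end
  end
end

def scheme_of(value)
  value[/\A([a-z][a-z0-9+.-]*):/i, 1]
end

# Naive: inspects the raw attribute text. "javascript&#x3a;..." has no literal
# colon after the letters, so it is treated as a harmless relative URL.
def naive_safe_href?(raw)
  scheme = scheme_of(raw.strip)
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme.downcase)
end

# Hardened: decode references, remove whitespace/control characters that
# browsers ignore inside a scheme, then apply the same allowlist.
def hardened_safe_href?(raw)
  value = decode_refs(raw).gsub(/[\u0000-\u0020]/, "")
  scheme = scheme_of(value)
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme.downcase)
end
```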
Comment 3 Hans de Graaff gentoo-dev Security 2013-03-31 07:48:22 UTC
Rails 3.2.13, 3.1.12, and 2.3.18 are now in the tree. Rails 2.3.x is still the only stable series and can be marked stable:

=dev-ruby/activesupport-2.3.18
=dev-ruby/activeresource-2.3.18
=dev-ruby/actionpack-2.3.18
=dev-ruby/actionmailer-2.3.18
=dev-ruby/activerecord-2.3.18
=dev-ruby/rails-2.3.18
Comment 4 Agostino Sarubbo gentoo-dev 2013-04-01 14:48:34 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-04-01 14:50:47 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-04-01 14:52:09 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-04-01 14:53:31 UTC
ppc64 stable
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-03 21:22:42 UTC
Added to existing GLSA draft, ready for review.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-12-14 20:36:21 UTC
This issue was resolved and addressed in GLSA 201412-28 at http://security.gentoo.org/glsa/glsa-201412-28.xml by GLSA coordinator Sean Amoss (ackle).