Bug 650966 (CVE-2018-8048) - <dev-ruby/loofah-2.2.1: XSS Vulnerability
Summary: <dev-ruby/loofah-2.2.1: XSS Vulnerability
Status: RESOLVED FIXED
Alias: CVE-2018-8048
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/flavorjones/loofah...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 631974
Blocks:
Reported: 2018-03-20 09:29 UTC by Hans de Graaff
Modified: 2018-05-15 15:46 UTC
See Also:
Package list:
dev-ruby/loofah-2.2.1
Runtime testing required: ---
stable-bot: sanity-check-
Description Hans de Graaff gentoo-dev Security 2018-03-20 09:29:28 UTC
CVE-2018-8048 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.


Severity

Medium (6.7)


Description

Loofah allows non-whitelisted attributes to be present in sanitized output when given input containing specially-crafted HTML fragments.


Affected Versions

Loofah < 2.2.1, but only:

    when running on MRI or RBX,
    in combination with libxml2 >= 2.9.2.

Please note: JRuby users are not affected.


Mitigation

Upgrade to Loofah 2.2.1.
Comment 1 Hans de Graaff gentoo-dev Security 2018-03-20 09:30:21 UTC
Loofah 2.2.1 has been added to the tree.
Comment 2 Hans de Graaff gentoo-dev Security 2018-03-20 09:34:36 UTC
Added amd64 for a stable bug and arm for keywording (bug 631974).
Comment 3 Stabilization helper bot gentoo-dev 2018-03-20 11:27:08 UTC
An automated check of this bug failed - repoman reported dependency errors (51 lines truncated): 

> dependency.bad dev-ruby/loofah/loofah-2.2.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['=dev-ruby/crass-1.0*[ruby_targets_ruby22]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby22]', '=dev-ruby/crass-1.0*[ruby_targets_ruby23]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby23]']
> dependency.bad dev-ruby/loofah/loofah-2.2.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['=dev-ruby/crass-1.0*[ruby_targets_ruby22]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby22]', '=dev-ruby/crass-1.0*[ruby_targets_ruby23]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby23]']
> dependency.badindev dev-ruby/loofah/loofah-2.2.1.ebuild: DEPEND: arm(default/linux/arm/13.0/armv4) ['=dev-ruby/crass-1.0*[ruby_targets_ruby22]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby22]', '=dev-ruby/crass-1.0*[ruby_targets_ruby23]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby23]']
Comment 4 Hans de Graaff gentoo-dev Security 2018-03-23 05:39:40 UTC
amd64 stable
Comment 5 Stabilization helper bot gentoo-dev 2018-03-23 06:00:37 UTC
An automated check of this bug failed - repoman reported dependency errors (51 lines truncated): 

> dependency.bad dev-ruby/loofah/loofah-2.2.1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['=dev-ruby/crass-1.0*[ruby_targets_ruby22]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby22]', '=dev-ruby/crass-1.0*[ruby_targets_ruby23]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby23]']
> dependency.bad dev-ruby/loofah/loofah-2.2.1.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['=dev-ruby/crass-1.0*[ruby_targets_ruby22]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby22]', '=dev-ruby/crass-1.0*[ruby_targets_ruby23]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby23]']
> dependency.badindev dev-ruby/loofah/loofah-2.2.1.ebuild: DEPEND: arm(default/linux/arm/13.0/armv4) ['=dev-ruby/crass-1.0*[ruby_targets_ruby22]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby22]', '=dev-ruby/crass-1.0*[ruby_targets_ruby23]', '>=dev-ruby/crass-1.0.2[ruby_targets_ruby23]']
Comment 6 Hans de Graaff gentoo-dev Security 2018-04-12 05:28:19 UTC
Vulnerable versions have been removed.
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2018-05-15 15:46:22 UTC
GLSA Vote: No