Date: Fri, 02 Mar 2012 17:25:04 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Mo Morsi <mmorsi@...hat.com>, Vít Ondruch <vondruch@...hat.com> Subject: Re: CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws On 03/02/2012 04:34 AM, Jan Lieskovsky wrote: > Hello Kurt, Steve, vendors, > > as noted in: >  > http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released > > Issue #A: > ---------- > A cross-site scripting (XSS) flaw was found in the way the String class, > used > in Ruby on Rails, performed HTML escaping of SafeBuffer objects, when such > objects were manipulated directly via '' method or other methods, also > returning new instances of SafeBuffer object. By using these methods, such > newly returned SafeBuffer instances would be inadvertently marked as > HTML safe. > If a Ruby on Rails application used SafeBuffer objects this way, a remote > attacker could provide a specially-crafted input, which once processed > by such > SafeBuffer instance would pass the HTML escaping test without further > filtering, possibly leading to arbitrary HTML or webscript execution. > > References: > [2A] > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913 > > [3A] https://bugs.gentoo.org/show_bug.cgi?id=406547 > [4A] https://bugzilla.redhat.com/show_bug.cgi?id=799275 > > Proposed upstream patches: > [5A] > http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-0-safe-buffer-slice.patch?part=3 > > (against v3.0 branch) > > [6A] > http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-1-safe-buffer-slice.patch?part=4 > > (against v3.1 branch) > > [7A] > http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-2-safe-buffer-slice.patch?part=5 > > > (against v3.2 branch) Please use CVE-2012-1098 for this issue. > Issue #B: > ---------- > A cross-site scripting (XSS) flaw was found in the way 'select' helper > method > of the Ruby on Rails performed HTML escaping of 'select' HTML tag > options, when > the tags were created manually. In this case, the select tag values > might end > up unescaped. A remote-attacker could provide a specially-crafted input > to Ruby > on Rails application, using select tags this way, which potentially > resulted > into arbitrary HTML or webscript execution. > > References: > [2B] > http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664 > > [3B] https://bugs.gentoo.org/show_bug.cgi?id=406547 > [4B] https://bugzilla.redhat.com/show_bug.cgi?id=799276 > > Proposed upstream patches: > [5B] > http://groups.google.com/group/rubyonrails-security/attach/6fca4f5c47705488/3-0-select_options.patch?part=3 > > (against v3.0 branch) > > [6B] > http://groups.google.com/group/rubyonrails-security/attach/6fca4f5c47705488/3-1-select_options.patch?part=4 > > (against v3.1 branch) > > [7B] > http://groups.google.com/group/rubyonrails-security/attach/6fca4f5c47705488/3-2-select_options.patch?part=5 > > (against v3.2 branch) > > Could you allocate CVE ids for these? > > Thank you && Regards, Jan. > -- > Jan iankko Lieskovsky / Red Hat Security Response Team Please use CVE-2012-1099 for this issue. Summary: different researchers so two CVE's. CVE-2012-1098 Ruby on rails 3.0.11 string class XSS vulnerability CVE-2012-1099 Ruby on rails 3.0.11 'select' helper method XSS vulnerability -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.