Bug 963326 - (CVE-2015-7578) VUL-0: CVE-2015-7578: rubygem-rails-html-sanitizer: XSS vulnerability via attributes
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2015-7578:4.3:(AV:N...
Reported: 2016-01-23 19:37 UTC by Andreas Stieger
Modified: 2018-07-19 15:05 UTC (History)

Found By: Security Response Team
Description Andreas Stieger 2016-01-23 19:37:47 UTC
Created attachment 662970: 1-0-sanitize_data_attributes.patch

EMBARGOED via distros
CRD: 2016-01-15

bundled in: OBS, Portus

Possible XSS vulnerability in rails-html-sanitizer

There is a possible XSS vulnerability in rails-html-sanitizer. This
vulnerability has been assigned the CVE identifier CVE-2015-7578.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     1.0.3

Impact
------
There is a possible XSS vulnerability in rails-html-sanitizer.  Certain
attributes are not removed from tags when they are sanitized, and these
attributes can lead to an XSS attack on target applications.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 1-0-sanitize_data_attributes.patch - Patch for 1.0 series

Credits
-------
Thanks to Ben Murphy and Marien for reporting this.
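The advisory above says only that certain attributes survive sanitization, and the attached patch name points at data attributes. The block below is an added illustration, not code from rails-html-sanitizer, Loofah, or the attached patch: an element/attribute allowlist scrubber over a parsed fragment (REXML from the Ruby standard library) with one switch that exempts data-* attributes from the allowlist, so the lenient and the strict policy can be compared on the same input. The tag, attribute and scheme lists, the constructed input string and every helper name are assumptions for illustration; it is not a drop-in sanitizer and does not claim to reproduce the exact defect fixed in 1.0.3.

```ruby
# Added example for this bug page: an element/attribute allowlist scrubber.
# It is NOT code from rails-html-sanitizer or from the attached patch; the
# allowlists, the constructed input and all helper names are illustrative.
require 'rexml/document'

ALLOWED_TAGS    = %w[a b i p div span].freeze
ALLOWED_ATTRS   = %w[href title class].freeze
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Sanitize an HTML fragment (well-formed enough for an XML parser).
# keep_data_attrs: true  -> data-* attributes bypass the allowlist, i.e. an
#                           unlisted attribute survives sanitization
# keep_data_attrs: false -> data-* attributes are treated like any other
#                           unlisted attribute and removed
def sanitize(fragment, keep_data_attrs: false)
  doc = REXML::Document.new("<root>#{fragment}</root>", { attribute_quote: :quote })
  scrub_element(doc.root, keep_data_attrs)
  doc.root.children.map(&:to_s).join
end

# Depth-first walk: children first, so an unwrapped element's content has
# already been scrubbed when it is spliced into the parent.
def scrub_element(el, keep_data_attrs)
  children = el.children.select { |c| c.is_a?(REXML::Element) } # snapshot; list is mutated
  children.each do |child|
    scrub_element(child, keep_data_attrs)
    unwrap(el, child) unless ALLOWED_TAGS.include?(child.name)
  end
  scrub_attributes(el, keep_data_attrs) unless el.name == 'root'
end

# Remove every attribute not on the allowlist; href is additionally checked
# for a permitted URL scheme.
def scrub_attributes(el, keep_data_attrs)
  names = []
  el.attributes.each_attribute { |a| names << a.expanded_name }
  names.each do |name|
    next if keep_data_attrs && name.start_with?('data-') # the exemption under test
    keep = ALLOWED_ATTRS.include?(name)
    keep &&= safe_url?(el.attributes[name]) if name == 'href'
    el.attributes.delete(name) unless keep
  end
end

# A URL is acceptable if it is relative or its scheme is on the allowlist.
def safe_url?(value)
  scheme = value.to_s.strip[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme.downcase)
end

# Replace a disallowed element by its (already scrubbed) children.
def unwrap(parent, child)
  child.children.to_a.each { |grandchild| parent.insert_before(child, grandchild) }
  parent.delete(child)
end

# Constructed input, not taken from the advisory or the bug.
SAMPLE = '<p class="c" data-bind="text: x" onclick="alert(1)">hi ' \
         '<u data-foo="y">u</u> <a href="javascript:alert(1)" title="t">a</a></p>'

if __FILE__ == $PROGRAM_NAME
  puts "lenient: #{sanitize(SAMPLE, keep_data_attrs: true)}"
  puts "strict:  #{sanitize(SAMPLE)}"
end
```

The point of the switch is that an allowlist sanitizer is only as strict as its exceptions: with the exemption on, `data-bind` reaches the output while `onclick` and the `javascript:` href do not, and whether a surviving attribute is exploitable then depends on what client-side code reads it, which is outside the sanitizer's control.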
Comment 1 Swamp Workflow Management 2016-01-23 23:00:15 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-01-25 14:59:36 UTC
CRD: 2016-01-25
Comment 4 Andreas Stieger 2016-01-26 07:24:07 UTC
Public at http://seclists.org/oss-sec/2016/q1/204
Comment 5 Jordi Massaguer 2016-01-27 10:34:32 UTC
Regarding openSUSE, this package is in Leap.
Comment 6 Andreas Stieger 2016-01-27 12:56:56 UTC
Jürgen, I saw your submission https://build.opensuse.org/request/show/356270

Could you check whether the fixes for bug 963327 and bug 963328 are missing?
Comment 7 Jürgen Löhel 2016-01-27 13:02:01 UTC
Hello Andreas,

Yes, they are missing. I will add these two patches to the package and update my request.
Comment 9 Jordi Massaguer 2016-01-28 09:31:00 UTC
This is the submission for openSUSE

https://build.opensuse.org/request/show/356287
Comment 10 Jordi Massaguer 2016-01-28 09:31:24 UTC
All submissions done. Assigning to security team.
Comment 11 Swamp Workflow Management 2016-02-07 16:11:21 UTC
openSUSE-SU-2016:0356-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328
CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580
Sources used:
openSUSE Leap 42.1 (src):    rubygem-rails-html-sanitizer-1.0.2-5.1
Comment 12 Swamp Workflow Management 2016-02-09 13:12:43 UTC
SUSE-SU-2016:0391-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328
CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580
Sources used:
SUSE Enterprise Storage 2.1 (src):    rubygem-rails-html-sanitizer-1.0.2-7.1
Comment 13 Marcus Meissner 2016-03-22 15:46:16 UTC
Released, I think.
Comment 14 Swamp Workflow Management 2016-04-25 18:08:02 UTC
SUSE-SU-2016:1146-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328,963563,963604,963608,963617,963625,963627,969943
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7578,CVE-2015-7579,CVE-2015-7580,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753,CVE-2016-2098
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    portus-2.0.3-2.4
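The updates above ship the fix twice: as the rubygem-rails-html-sanitizer package and inside Portus, which bundles its own copy (the description also lists OBS as a bundling consumer). For an application that vendors the gem, the quickest audit is to compare the locked version against the fixed version the advisory names (1.0.3). The block below is an added example, not code from SUSE, OBS or Portus: it parses the `specs:` blocks of a Gemfile.lock and compares versions with RubyGems' own ordering; the lockfile excerpt is constructed, and `FIXED_VERSIONS`, `locked_versions`, `below_fixed?` and `audit_lockfile` are names chosen here. One caveat a practitioner should note: the fixed distribution packages in this bug are still versioned 1.0.2 (1.0.2-5.1, 1.0.2-7.1) with the patch backported, so a version-only check is valid for gems installed from rubygems.org or vendored in an application, not for distribution packages, where the package changelog or the advisory ID is the right thing to check.

```ruby
# Added example for this bug page: audit Gemfile.lock text against the fixed
# version named in the advisory. Not code from SUSE, OBS or Portus; the
# lockfile excerpt below is constructed and the helper names are illustrative.
FIXED_VERSIONS = { 'rails-html-sanitizer' => '1.0.3' }.freeze # from the advisory text

# Return { gem name => locked version } from the `specs:` blocks of a
# Gemfile.lock. Top-level gems are indented by four spaces ("name (version)");
# their dependencies are indented by six and ignored. A platform suffix such
# as "1.2.3-x86_64-linux" is split off so only the version part is compared.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    next unless in_specs
    if line.strip.empty? || line !~ /\A\s/
      in_specs = false # blank line or the next section header ends the block
      next
    end
    if (m = line.match(/\A {4}(\S+) \(([^)\s-]+)(?:-[^)]+)?\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
  versions
end

# Compare with RubyGems' version semantics: 1.0.3.rc1 sorts below 1.0.3,
# so a prerelease of the fixed version is still reported as affected.
def below_fixed?(version, fixed)
  Gem::Version.new(version) < Gem::Version.new(fixed)
end

# Report [gem, locked version, affected?] for every gem with a known fixed version.
def audit_lockfile(lockfile_text)
  locked_versions(lockfile_text).filter_map do |name, version|
    fixed = FIXED_VERSIONS[name]
    next unless fixed
    [name, version, below_fixed?(version, fixed)]
  end
end

# Constructed lockfile excerpt (not taken from OBS or Portus).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.0.3)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.0.2)
        loofah (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails-html-sanitizer
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCK).each do |name, version, affected|
    puts "#{name} #{version}: #{affected ? 'below fixed version' : 'ok'}"
  end
end
```

To run this over a checkout, feed `File.read('Gemfile.lock')` to `audit_lockfile`; a vendored copy of the gem under `vendor/` has its own lockfile or gemspec and needs the same treatment.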