Bug 963327 - (CVE-2015-7579) VUL-0: CVE-2015-7579: rubygem-rails-html-sanitizer: XSS vulnerability in rails-html-sanitizer
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2015-7579:4.3:(AV:N...
Reported: 2016-01-23 19:37 UTC by Andreas Stieger
Modified: 2018-07-19 15:05 UTC (History)
Found By: Security Response Team
Attachments
test/reproducer (287 bytes, application/x-ruby)
2016-01-27 10:25 UTC, Jordi Massaguer
Description Andreas Stieger 2016-01-23 19:37:51 UTC
Created attachment 662971 [details]
Do-not-unescape-already-escaped-HTML-entities.patch

EMBARGOED via distros
CRD: 2016-01-15

bundled in: OBS, Portus

XSS vulnerability in rails-html-sanitizer

There is an XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`.
This vulnerability has been assigned the CVE identifier CVE-2015-7579.

Versions Affected:  1.0.2
Not affected:       1.0.0, 1.0.1
Fixed Versions:     1.0.3

Impact
------
Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker
passes an already escaped HTML entity to the input of Action View's `strip_tags`,
these entities will be unescaped, which may cause an XSS attack if used in combination
with `raw` or `html_safe`.

For example:

    strip_tags("&lt;script&gt;alert('XSS')&lt;/script&gt;")

Would generate:

    <script>alert('XSS')</script>

After the fix it will generate:

    &lt;script&gt;alert('XSS')&lt;/script&gt;

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:

```
$ cat config/initializers/strip_tags_fix.rb
class ActionView::Base
  def strip_tags(html)
    self.class.full_sanitizer.sanitize(html)
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches
for the two supported release series. They are in git-am format and consist
of a single changeset.

* Do-not-unescape-already-escaped-HTML-entities.patch

Credits
-------
Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
reporting the problem and working with us to fix it.
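The Impact section above describes the bug only by its input and output. The following Ruby is an added illustration, not code from rails-html-sanitizer or Rails: two simplified, regex-based stand-ins for `FullSanitizer` (hypothetical, stdlib only) show the 1.0.2 behaviour that decodes entities beside the fixed behaviour that preserves them, a minimal model of `raw`/`html_safe` rendering shows why only that combination is dangerous, and `preserves_escaping?` is the kind of regression check a reproducer for this bug performs.

```ruby
# Added illustration of the CVE-2015-7579 failure mode; not code from
# rails-html-sanitizer or Rails. The two strip_tags_* functions are
# simplified stand-ins (hypothetical, regex-based, stdlib only) for the
# real FullSanitizer, which parses with Loofah/Nokogiri.
require "cgi"

# Constructed input: the script is already escaped, so it is inert if
# rendered as-is.
ESCAPED_INPUT = "&lt;script&gt;alert('XSS')&lt;/script&gt;"

TAG = /<[^>]*>/

# Shape of the 1.0.2 bug: strip tags, then hand back the *decoded* text.
# Decoding turns "&lt;" back into "<", so the escaping the caller relied
# on is silently undone.
def strip_tags_unescaping(html)
  CGI.unescapeHTML(html.gsub(TAG, ""))
end

# Shape of the fix: strip tags but leave character references exactly as
# written, so escaped text comes back still escaped.
def strip_tags_preserving(html)
  html.gsub(TAG, "")
end

# Minimal model of a view: html_safe/raw strings are inserted verbatim,
# everything else is escaped on output.
def render(text, html_safe:)
  html_safe ? text : CGI.escapeHTML(text)
end

# True if the rendered output contains live markup.
def live_markup?(rendered)
  rendered.include?("<")
end

# Regression check of the kind a reproducer for this bug performs: a
# sanitizer passes only if already-escaped input comes back unchanged.
def preserves_escaping?(sanitizer)
  sanitizer.call(ESCAPED_INPUT) == ESCAPED_INPUT
end

if __FILE__ == $PROGRAM_NAME
  vulnerable = strip_tags_unescaping(ESCAPED_INPUT)
  fixed      = strip_tags_preserving(ESCAPED_INPUT)
  puts "1.0.2 shape + raw:  #{render(vulnerable, html_safe: true)}"
  puts "1.0.3 shape + raw:  #{render(fixed, html_safe: true)}"
  puts "1.0.2 shape, escaped on output: #{render(vulnerable, html_safe: false)}"
end
```

Note that the 1.0.2-shaped output is harmless when the view escapes it again; the advisory's condition (`raw` or `html_safe`) is exactly the case where that second escaping is skipped.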
Comment 1 Swamp Workflow Management 2016-01-23 23:00:27 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-01-25 15:00:41 UTC
CRD: 2016-01-25
Comment 3 Andreas Stieger 2016-01-26 07:25:56 UTC
public at http://seclists.org/oss-sec/2016/q1/205
Comment 4 Jordi Massaguer 2016-01-27 10:25:03 UTC
Created attachment 663375 [details]
test/reproducer
Comment 5 Jordi Massaguer 2016-01-27 10:34:38 UTC
regarding openSUSE, this package is in Leap
Comment 6 Andreas Stieger 2016-01-27 12:56:55 UTC
Jürgen, I saw your submission https://build.opensuse.org/request/show/356270

Could you check if the fixes for bug 963327 and bug 963328 are missing?
Comment 7 Bernhard Wiedemann 2016-01-27 14:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (963327) was mentioned in
https://build.opensuse.org/request/show/356287 42.1 / rubygem-rails-html-sanitizer
Comment 9 Jordi Massaguer 2016-01-28 09:29:05 UTC
all submissions done. Assigning to security-team.
Comment 10 Swamp Workflow Management 2016-02-07 16:11:33 UTC
openSUSE-SU-2016:0356-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328
CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580
Sources used:
openSUSE Leap 42.1 (src):    rubygem-rails-html-sanitizer-1.0.2-5.1
Comment 11 Swamp Workflow Management 2016-02-09 13:12:53 UTC
SUSE-SU-2016:0391-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328
CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580
Sources used:
SUSE Enterprise Storage 2.1 (src):    rubygem-rails-html-sanitizer-1.0.2-7.1
Comment 12 Marcus Meissner 2016-03-22 15:47:02 UTC
released
Comment 13 Swamp Workflow Management 2016-04-25 18:08:11 UTC
SUSE-SU-2016:1146-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328,963563,963604,963608,963617,963625,963627,969943
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7578,CVE-2015-7579,CVE-2015-7580,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753,CVE-2016-2098
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    portus-2.0.3-2.4