Bug 963328 - (CVE-2015-7580) VUL-0: CVE-2015-7580: rubygem-rails-html-sanitizer: XSS via whitelist sanitizer
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware / OS: Other / Other
Priority / Severity: P3 - Medium / Major
Assigned To: Security Team bot
Reported: 2016-01-23 19:37 UTC by Andreas Stieger
Modified: 2018-07-19 15:05 UTC
Found By: Security Response Team
Blocker: ---
test/reproducer (852 bytes, application/x-ruby)
2016-01-27 10:25 UTC, Jordi Massaguer

Description Andreas Stieger 2016-01-23 19:37:55 UTC
Created attachment 662972

EMBARGOED via distros
CRD: 2016-01-15

bundled in: OBS, Portus

Possible XSS vulnerability in rails-html-sanitizer

There is a possible XSS vulnerability in the white list sanitizer in the
rails-html-sanitizer gem. This vulnerability has been assigned the CVE
identifier CVE-2015-7580.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     v1.0.3

Carefully crafted strings can cause user input to bypass the sanitization in
the white list sanitizer, which can lead to an XSS attack.

Vulnerable code will look something like this:

  <%= sanitize user_input, tags: %w(em) %>

All users running an affected release should either upgrade or use one of the
workarounds immediately.

The FIXED releases are available at the normal locations.

Putting the following monkey patch in an initializer can help to mitigate the

class Rails::Html::PermitScrubber
  alias :old_scrub :scrub
  alias :old_skip_node? :skip_node?

  # Replace every CDATA node with a plain text node so that its contents are
  # escaped on output instead of being passed through as markup.
  def scrub(node)
    if node.cdata?
      text = node.document.create_text_node node.text
      node.replace text
      return CONTINUE
    end
    old_scrub node
  end

  # Only plain text nodes are skipped; CDATA nodes now go through scrub.
  def skip_node?(node); node.text?; end
end

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 1-0-whitelist_sanitizer_xss.patch - Patch for 1.0 series

Thanks to Arnaud Germis, Nate Clark, and John Colvin for reporting this issue.
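The core of the mitigation above is that CDATA sections must be emitted as escaped text, never handed through as markup. The following is an added illustration written for this bug entry, not code from the rails-html-sanitizer gem: a deliberately small, regex-based whitelist filter in plain Ruby (no Nokogiri or Loofah dependency) that models the patched behaviour. The function names sanitize_whitelist and cdata_sections, the tokenizer regex and the sample input are all constructed for the example; the filter is a model of the scrubbing rule, not an HTML parser.

```ruby
require 'cgi'

# One token per match: a CDATA section (group 1), a start or end tag
# (group 2 = tag name), a run of text, or a stray "<" that starts nothing.
TOKEN_RE = %r{<!\[CDATA\[(.*?)\]\]>|</?([A-Za-z][A-Za-z0-9]*)[^>]*>|[^<]+|<}m

# Whitelist filter modelled on the patched scrubber: allowed tags are kept
# (attributes stripped), disallowed tags are dropped but their text is kept,
# and CDATA contents are escaped exactly like ordinary text. Before the fix
# the gem's skip_node? let CDATA nodes bypass scrubbing; here they cannot.
def sanitize_whitelist(html, tags:)
  allowed = tags.map(&:downcase)
  html.gsub(TOKEN_RE) do
    m = Regexp.last_match
    if m[1]                                   # CDATA section
      CGI.escapeHTML(m[1])
    elsif m[2]                                # start or end tag
      name = m[2].downcase
      if allowed.include?(name)
        m[0].start_with?('</') ? "</#{name}>" : "<#{name}>"
      else
        ''                                    # drop tag, keep surrounding text
      end
    else                                      # text or a lone "<"
      # Unescape first so existing entities are not double-escaped.
      CGI.escapeHTML(CGI.unescapeHTML(m[0]))
    end
  end
end

# Defender-side check: number of CDATA sections still present in a string.
# After sanitize_whitelist this must be 0.
def cdata_sections(html)
  html.scan(/<!\[CDATA\[.*?\]\]>/m).length
end

# Constructed sample input: allowed markup, a CDATA section carrying markup,
# and a disallowed tag.
SAMPLE_INPUT = '<em>ok</em><![CDATA[<b>x</b>]]><script>y</script>'

if __FILE__ == $PROGRAM_NAME
  out = sanitize_whitelist(SAMPLE_INPUT, tags: %w[em])
  puts out                                    # <em>ok</em>&lt;b&gt;x&lt;/b&gt;y
  puts "cdata sections remaining: #{cdata_sections(out)}"
end
```

The tokenizer lists the CDATA alternative first so a CDATA section is never mistaken for text; an unterminated "<![CDATA[" falls through to the stray "<" branch and is escaped, which is the safe default for anything the filter does not recognise.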
Comment 1 Swamp Workflow Management 2016-01-23 23:00:39 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-01-25 15:00:44 UTC
CRD: 2016-01-25
Comment 3 Jordi Massaguer 2016-01-25 15:09:29 UTC
what does CRD mean?
Comment 4 Andreas Stieger 2016-01-26 07:30:00 UTC
Public at http://seclists.org/oss-sec/2016/q1/208

(In reply to Jordi Massaguer from comment #3)
> what does CRD mean?

Coordinated Release Date, as part of the responsible disclosure procedure where vendors will be given advance notice of a vulnerability to get them into a position of having a security response ready, while keeping the patches/issue details embargoed during this period. On the CRD date upstream will make the issue public and vendors can publish updates, thus reducing the time a user may be exposed to a particular vulnerability.
Comment 5 Jordi Massaguer 2016-01-27 10:25:20 UTC
Created attachment 663376
Comment 6 Jordi Massaguer 2016-01-27 10:34:43 UTC
regarding openSUSE, this package is in Leap
Comment 7 Andreas Stieger 2016-01-27 12:56:57 UTC
Jürgen, I saw your submission https://build.opensuse.org/request/show/356270

Could you check if fix for bug 963327 and bug 963328 are missing?
Comment 8 Bernhard Wiedemann 2016-01-27 14:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (963328) was mentioned in
https://build.opensuse.org/request/show/356287 42.1 / rubygem-rails-html-sanitizer
Comment 10 Jordi Massaguer 2016-01-28 09:29:47 UTC
all submissions done. Assigning to security team.
Comment 11 Swamp Workflow Management 2016-02-07 16:11:46 UTC
openSUSE-SU-2016:0356-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328
CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580
Sources used:
openSUSE Leap 42.1 (src):    rubygem-rails-html-sanitizer-1.0.2-5.1
Comment 12 Swamp Workflow Management 2016-02-09 13:13:03 UTC
SUSE-SU-2016:0391-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328
CVE References: CVE-2015-7578,CVE-2015-7579,CVE-2015-7580
Sources used:
SUSE Enterprise Storage 2.1 (src):    rubygem-rails-html-sanitizer-1.0.2-7.1
Comment 13 Marcus Meissner 2016-03-22 15:47:11 UTC
Comment 14 Swamp Workflow Management 2016-04-25 18:08:20 UTC
SUSE-SU-2016:1146-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 963326,963327,963328,963563,963604,963608,963617,963625,963627,969943
CVE References: CVE-2015-7576,CVE-2015-7577,CVE-2015-7578,CVE-2015-7579,CVE-2015-7580,CVE-2015-7581,CVE-2016-0751,CVE-2016-0752,CVE-2016-0753,CVE-2016-2098
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    portus-2.0.3-2.4