Bugzilla – Bug 864433
CVE-2014-0081: VUL-0: rubygem-actionpack-3_2: XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human
Last modified: 2014-06-17 10:05:34 UTC
Created attachment 578969 [details] patch for 3.2 XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human There is an XSS vulnerability in the number_to_currency, number_to_percentage and number_to_human helpers in Ruby on Rails. Versions Affected: All. Fixed Versions: 4.1.0.beta2, 4.0.3, 3.2.17. Impact ------ These helpers allows users to nicely format a numeric value. Some of the parameters to the helper (format, negative_format and units) are not escaped correctly. Application which pass user controlled data as one of these parameters are vulnerable to an XSS attack. All users passing user controlled data to these parameters of the number helpers should either upgrade or use one of the workarounds immediately. Releases -------- The 4.1.0.rc1, 4.0.3 and 3.2.17 releases are available at the normal locations. Workarounds ----------- The workaround for this issue is to escape the value passed to the parameter. For example, replace code like this: ``` <%= number_to_currency(1.02, format: params[:format]) %> ``` With code like this ``` <%= number_to_currency(1.02, format: h(params[:format])) %> ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 4-1-beta-number_helpers_xss.patch - Patch for 4.1-beta series * 4-0-number_helpers_xss.patch - Patch for 4.0 series * 3-2-number_helpers_xss.patch - Patch for 3.2 series Please note that only the 4.0.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Kevin Reintjes for reporting the issue to us.
bugbot adjusting priority
The SWAMPID for this issue is 56293. This issue was rated as moderate. Please submit fixed packages until 2014-03-05. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
This is an autogenerated message for OBS integration: This bug (864433) was mentioned in https://build.opensuse.org/request/show/223116 12.3 / rubygem-actionpack-3_2 https://build.opensuse.org/request/show/223117 13.1 / rubygem-actionpack-3_2
This is an autogenerated message for OBS integration: This bug (864433) was mentioned in https://build.opensuse.org/request/show/223357 12.3 / rubygem-actionpack-3_2 https://build.opensuse.org/request/show/223358 13.1 / rubygem-actionpack-3_2
assigning back to security
This is an autogenerated message for OBS integration: This bug (864433) was mentioned in https://build.opensuse.org/request/show/223722 12.3 / rubygem-actionpack-3_2 https://build.opensuse.org/request/show/223723 13.1 / rubygem-actionpack-3_2
openSUSE-SU-2014:0295-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 864431,864433 CVE References: CVE-2014-0081,CVE-2014-0082 Sources used: openSUSE 13.1 (src): rubygem-actionpack-3_2-3.2.13-2.15.1 openSUSE 12.3 (src): rubygem-actionpack-3_2-3.2.12-1.19.1
Update released for: rubygem-actionpack-2_3 Products: SUSE-CLOUD 3.0 (x86_64)
SUSE-SU-2014:0457-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 864433,864873 CVE References: CVE-2014-0081 Sources used: SUSE Cloud 3 (src): rubygem-actionpack-2_3-2.3.17-0.15.2
This is an autogenerated message for OBS integration: This bug (864433) was mentioned in https://build.opensuse.org/request/show/230058 Factory / rubygem-actionpack-3_2
Update released for: rubygem-actionpack-2_3 Products: SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SUSE-CLOUD 2.0 (x86_64)
SUSE-SU-2014:0457-2: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 864433,864873 CVE References: CVE-2014-0081 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): rubygem-actionpack-2_3-2.3.17-0.15.2 SUSE Cloud 2.0 (src): rubygem-actionpack-2_3-2.3.17-0.15.2
Update released for: rubygem-actionpack-3_2, rubygem-actionpack-3_2-doc Products: SLE-SLMS 1.3 (x86_64) SLE-STUDIOONSITE 1.3 (x86_64) SLE-WEBYAST 1.3 (i386, ia64, ppc64, s390x, x86_64)
SUSE-SU-2014:0756-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (moderate) Bug References: 864431,864433,864873,876714 CVE References: CVE-2014-0081,CVE-2014-0082,CVE-2014-0130 Sources used: WebYaST 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.15.1 SUSE Studio Onsite 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.15.1 SUSE Lifecycle Management Server 1.3 (src): rubygem-actionpack-3_2-3.2.12-0.15.1
all relevant packages were fixed