Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: stretch Severity: normal
Hiya, rails seemed to be affected by CVE-2020-5267. This has been fixed in Sid and Jessie already. Here's the debdiff: 8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------ diff -Nru rails-4.2.7.1/debian/changelog rails-4.2.7.1/debian/changelog --- rails-4.2.7.1/debian/changelog 2019-04-18 20:21:20.000000000 +0530 +++ rails-4.2.7.1/debian/changelog 2020-03-22 18:05:32.000000000 +0530 @@ -1,3 +1,11 @@ +rails (2:4.2.7.1-1+deb9u2) stretch; urgency=high + + * Team upload. + * Add patch to fix possible XSS vector in JS escape helper. + (Fixes: CVE-2020-5267) (Closes: #954304) + + -- Utkarsh Gupta <utka...@debian.org> Sun, 22 Mar 2020 18:05:32 +0530 + rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium * CVE-2018-16476 (Closes: #914847) diff -Nru rails-4.2.7.1/debian/patches/CVE-2020-5267.patch rails-4.2.7.1/debian/patches/CVE-2020-5267.patch --- rails-4.2.7.1/debian/patches/CVE-2020-5267.patch 1970-01-01 05:30:00.000000000 +0530 +++ rails-4.2.7.1/debian/patches/CVE-2020-5267.patch 2020-03-22 18:05:00.000000000 +0530 @@ -0,0 +1,48 @@ +Description: Fix possible XSS vector in JS escape helper + This commit escapes dollar signs and backticks to prevent + JS XSS issues when using the `j` or `javascript_escape` helper +Author: Aaron Patterson <aaron.patter...@gmail.com> +Author: Utkarsh Gupta <utka...@debian.org> +Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1 +Bug-Debian: https://bugs.debian.org/954304 +Last-Update: 2020-03-19 + +--- a/actionview/lib/action_view/helpers/javascript_helper.rb ++++ b/actionview/lib/action_view/helpers/javascript_helper.rb +@@ -10,7 +10,9 @@ + "\n" => '\n', + "\r" => '\n', + '"' => '\\"', +- "'" => "\\'" ++ "'" => "\\'", ++ "`" => "\\`", ++ "$" => "\\$" + } + + JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = '
' +@@ -24,7 +26,7 @@ + # $('some_element').replaceWith('<%=j render 'some/element_template' %>'); + def escape_javascript(javascript) + if javascript +- result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {|match| JS_ESCAPE_MAP[match] } ++ result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP) + javascript.html_safe? ? result.html_safe : result + else + '' +--- a/actionview/test/template/javascript_helper_test.rb ++++ b/actionview/test/template/javascript_helper_test.rb +@@ -33,6 +33,14 @@ + assert_equal %(dont <\\/close> tags), j(%(dont </close> tags)) + end + ++ def test_escape_backtick ++ assert_equal "\\`", escape_javascript("`") ++ end ++ ++ def test_escape_dollar_sign ++ assert_equal "\\$", escape_javascript("$") ++ end ++ + def test_escape_javascript_with_safebuffer + given = %('quoted' "double-quoted" new-line:\n </closed>) + expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>) diff -Nru rails-4.2.7.1/debian/patches/series rails-4.2.7.1/debian/patches/series --- rails-4.2.7.1/debian/patches/series 2019-04-18 20:18:04.000000000 +0530 +++ rails-4.2.7.1/debian/patches/series 2020-03-22 18:04:25.000000000 +0530 @@ -4,3 +4,4 @@ 0005-relax-json.patch 006-CVE-2018-16476.patch 007-CVE-2019-5418_CVE-2019-5419.patch +CVE-2020-5267.patch 8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------ Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=> Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
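Review bot: the Description in the CVE-2020-5267.patch header (the @@ -0,0 +1,48 @@ hunk) names the helper `javascript_escape`, but the method changed in the nested hunks is `escape_javascript` (its `j` alias is named correctly); fix the name so the DEP-3 header matches the code. The `Origin:` field points at the oss-security announcement rather than the upstream commit; if the backport was taken from a specific Rails commit, record it there (or in an `Applied-Upstream:` line) so future updates can be diffed against it. `Last-Update: 2020-03-19` also predates the 2020-03-22 timestamp of the patch file in the debdiff; use the date the Debian patch was written.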
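Review bot: the `gsub` call in the @@ -24,7 +26,7 @@ hunk of javascript_helper.rb switches from the block form to `gsub(regex, JS_ESCAPE_MAP)`; with the hash form any match that has no key in the map is silently replaced by an empty string, so please confirm that every alternative in the regex (`\\`, `</`, `\r\n`, the two U+2028/U+2029 byte sequences and each member of the character class) has a matching key in the 4.2.7.1 map. The block form returned nil for a missing key, which gsub also turns into an empty string, so this is a check rather than a regression, and the two new entries `"`" => "\\`"` and `"$" => "\\$"` in the @@ -10,7 +10,9 @@ hunk are what keep the hash form complete. Style: `[\n\r"']|[`]|[$]` can be folded into a single character class, `[\n\r"'`$]`.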
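Review bot: the two new tests in the @@ -33,6 +33,14 @@ hunk of javascript_helper_test.rb only check a lone backtick and a lone dollar sign through `escape_javascript`; they do not cover the `html_safe` branch that returns `result.html_safe`, which `test_escape_javascript_with_safebuffer` just below them exercises for the older characters. Add the backtick and the dollar sign to that test's `given`/`expect` strings (with the escaped forms `\\`` and `\\$` in `expect`) so the new map entries are verified on the SafeBuffer path as well.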
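Review bot: the `series` hunk adds `CVE-2020-5267.patch` without the numeric prefix used by the existing entries (`0005-relax-json.patch`, `006-CVE-2018-16476.patch`, `007-CVE-2019-5418_CVE-2019-5419.patch`); consider naming it `008-CVE-2020-5267.patch` so the file name sorts in application order like the rest of the series.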