Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id 
<b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.ca...@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #954664,
regarding stretch-pu: package rails/2:4.2.7.1-1+deb9u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
954664: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954664
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Hiya,

rails seemed to be affected by CVE-2020-5267.
This has been fixed in Sid and Jessie already.

Here's the debdiff:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------

diff -Nru rails-4.2.7.1/debian/changelog rails-4.2.7.1/debian/changelog
--- rails-4.2.7.1/debian/changelog    2019-04-18 20:21:20.000000000 +0530
+++ rails-4.2.7.1/debian/changelog    2020-03-22 18:05:32.000000000 +0530
@@ -1,3 +1,11 @@
+rails (2:4.2.7.1-1+deb9u2) stretch; urgency=high
+
+  * Team upload.
+  * Add patch to fix possible XSS vector in JS escape helper.
+    (Fixes: CVE-2020-5267) (Closes: #954304)
+
+ -- Utkarsh Gupta <utka...@debian.org>  Sun, 22 Mar 2020 18:05:32 +0530
+
 rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium

   * CVE-2018-16476 (Closes: #914847)
diff -Nru rails-4.2.7.1/debian/patches/CVE-2020-5267.patch
rails-4.2.7.1/debian/patches/CVE-2020-5267.patch
--- rails-4.2.7.1/debian/patches/CVE-2020-5267.patch    1970-01-01
05:30:00.000000000 +0530
+++ rails-4.2.7.1/debian/patches/CVE-2020-5267.patch    2020-03-22
18:05:00.000000000 +0530
@@ -0,0 +1,48 @@
+Description: Fix possible XSS vector in JS escape helper
+ This commit escapes dollar signs and backticks to prevent
+ JS XSS issues when using the `j` or `javascript_escape` helper
+Author: Aaron Patterson <aaron.patter...@gmail.com>
+Author: Utkarsh Gupta <utka...@debian.org>
+Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1
+Bug-Debian: https://bugs.debian.org/954304
+Last-Update: 2020-03-19
+
+--- a/actionview/lib/action_view/helpers/javascript_helper.rb
++++ b/actionview/lib/action_view/helpers/javascript_helper.rb
+@@ -10,7 +10,9 @@
+         "\n"    => '\n',
+         "\r"    => '\n',
+         '"'     => '\\"',
+-        "'"     => "\\'"
++        "'"     => "\\'",
++        "`"     => "\\`",
++        "$"     => "\\$"
+       }
+
+       JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!]
= '&#x2028;'
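Review bot: the DEP-3 header above this hunk names two Authors and cites the oss-security post as Origin, but carries no `Applied-Upstream:` or `Forwarded:` field, so a later maintainer cannot tell from the patch alone whether this is the upstream patch verbatim or a local adaptation for the 4.2 branch; adding `Applied-Upstream:` with the upstream commit or release would settle that. The two new map values are double-quoted Ruby literals, so `"\\`"` and `"\\$"` each produce a backslash followed by the character, which is what the new tests further down in this patch assert.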
+@@ -24,7 +26,7 @@
+       #   $('some_element').replaceWith('<%=j render
'some/element_template' %>');
+       def escape_javascript(javascript)
+         if javascript
+-          result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u)
{|match| JS_ESCAPE_MAP[match] }
++          result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u,
JS_ESCAPE_MAP)
+           javascript.html_safe? ? result.html_safe : result
+         else
+           ''
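Review bot: style point on the new regex: `[`]` and `[$]` are appended as two separate single-character classes after `[\n\r"']`; folding them into that class as `[\n\r"'`$]` reads more clearly and saves two alternation branches per input character. Replacing the block `{|match| JS_ESCAPE_MAP[match] }` with `JS_ESCAPE_MAP` passed directly to gsub is behaviour-preserving, but deserves a comment: with a hash argument gsub substitutes the empty string for any match that has no key in the hash, so every alternative in the regex (including `\\`, `<\/`, `\r\n` and the U+2028/U+2029 bytes, whose map entries sit above the visible context) must keep a matching key in JS_ESCAPE_MAP, otherwise that text is silently dropped rather than escaped.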
+--- a/actionview/test/template/javascript_helper_test.rb
++++ b/actionview/test/template/javascript_helper_test.rb
+@@ -33,6 +33,14 @@
+     assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
+   end
+
++  def test_escape_backtick
++    assert_equal "\\`", escape_javascript("`")
++  end
++
++  def test_escape_dollar_sign
++    assert_equal "\\$", escape_javascript("$")
++  end
++
+   def test_escape_javascript_with_safebuffer
+     given = %('quoted' "double-quoted" new-line:\n </closed>)
+     expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
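Review bot: the two new tests only cover a lone backtick and a lone dollar sign, while the vector the description names is breaking out of a JS template literal via `${...}`; a test such as `assert_equal "\\${x}", escape_javascript("${x}")`, plus one through the `j` alias used elsewhere in this test file, would exercise that directly. The existing `test_escape_javascript_with_safebuffer` whose `given`/`expect` pair is visible below does not include the new characters either; extending it would confirm that html_safe input still comes back marked safe after backtick and dollar escaping.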
diff -Nru rails-4.2.7.1/debian/patches/series
rails-4.2.7.1/debian/patches/series
--- rails-4.2.7.1/debian/patches/series    2019-04-18 20:18:04.000000000 +0530
+++ rails-4.2.7.1/debian/patches/series    2020-03-22 18:04:25.000000000 +0530
@@ -4,3 +4,4 @@
 0005-relax-json.patch
 006-CVE-2018-16476.patch
 007-CVE-2019-5418_CVE-2019-5419.patch
+CVE-2020-5267.patch
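Review bot: the new entry `CVE-2020-5267.patch` breaks the naming convention of the existing series entries, which carry a numeric prefix (`006-CVE-2018-16476.patch`, `007-CVE-2019-5418_CVE-2019-5419.patch`); naming it `008-CVE-2020-5267.patch` keeps the series sorted and consistent with the earlier security patches.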

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
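The behaviour the patch above changes, as an added stand-alone Ruby example (not code from the Debian package, the bug report or Rails itself): the two escapers below re-create `escape_javascript` before and after the backtick/dollar change, then render each into a JavaScript template literal to show why a `${...}` or backtick payload breaks out of the old one while quotes never did. The map entries the hunk does not show (backslash, `</`, `\r\n`, U+2028/U+2029) are reproduced from the Rails 4.2 helper and are an assumption here; `escape_javascript_old`, `escape_javascript_new`, `render_template_literal` and `safe_literal?` are illustrative names, not Rails API.

```ruby
# Added example, not Rails or Debian code: re-creation of ActionView's
# escape_javascript before (old) and after (new) the CVE-2020-5267 change.
# Entries outside the patched hunk's context (backslash, "</", "\r\n",
# U+2028/U+2029) are copied from the Rails 4.2 helper and are an assumption.
JS_ESCAPE_MAP_OLD = {
  '\\'     => '\\\\',
  '</'     => '<\/',
  "\r\n"   => '\n',
  "\n"     => '\n',
  "\r"     => '\n',
  '"'      => '\\"',
  "'"      => "\\'",
  "\u2028" => '&#x2028;',
  "\u2029" => '&#x2029;'
}.freeze

# The fix: two extra entries, each a backslash followed by the character.
JS_ESCAPE_MAP_NEW = JS_ESCAPE_MAP_OLD.merge("`" => "\\`", "$" => "\\$").freeze

# Pre-fix escaper: backtick and "$" are not in the regex, so they pass through.
def escape_javascript_old(javascript)
  return '' unless javascript
  javascript.gsub(/(\\|<\/|\r\n|\u2028|\u2029|[\n\r"'])/u) { |m| JS_ESCAPE_MAP_OLD[m] }
end

# Post-fix escaper: same regex plus [`] and [$], hash handed straight to gsub
# (any match without a key in the hash would be replaced by "", so the regex
# alternatives and the map keys must stay in sync).
def escape_javascript_new(javascript)
  return '' unless javascript
  javascript.gsub(/(\\|<\/|\r\n|\u2028|\u2029|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP_NEW)
end

# A view fragment that drops escaped user input into a JS template literal,
# i.e. the ERB pattern  <script>var msg = `<%= j @name %>`;</script>
def render_template_literal(escaper, user_input)
  "var msg = `#{escaper.call(user_input)}`;"
end

# Minimal structural check: the statement must still be a single
# backtick-delimited literal with no unescaped backtick and no unescaped
# "${" inside it (either one lets attacker-controlled JS run).
def safe_literal?(js)
  body = js[/\Avar msg = `(.*)`;\z/m, 1]
  return false if body.nil?
  !body.match?(/(?<!\\)`/) && !body.match?(/(?<!\\)\$\{/)
end

if __FILE__ == $0
  # Constructed payloads: template interpolation, literal break-out, and a
  # quote-based payload that was already neutralised before the fix.
  ['${alert(1)}', '`+alert(1)+`', "x'; alert(1); //"].each do |payload|
    old_js = render_template_literal(method(:escape_javascript_old), payload)
    new_js = render_template_literal(method(:escape_javascript_new), payload)
    puts "#{payload.inspect}"
    puts "  old: #{safe_literal?(old_js) ? 'safe  ' : 'BROKEN'} #{old_js}"
    puts "  new: #{safe_literal?(new_js) ? 'safe  ' : 'BROKEN'} #{new_js}"
  end
end
```

The quote-based payload stays safe under both escapers because single and double quotes are not delimiters inside a template literal; only the backtick and `${` alternatives added by the patch matter there, which is why the CVE is specific to that output context.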
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
