
Re: RFC: ruby-loofah 2.2.3-1+deb10u2

On Friday, 17.03.2023 at 04:58 +0530, Utkarsh Gupta wrote:
> On Thu, Mar 16, 2023 at 7:06 PM Utkarsh Gupta
> <guptautkarsh2102@gmail.com> wrote:
> > Please hold off on the update for a while. I have something to add wrt
> > ruby-rails-html-sanitizer. I just haven't had the time to write it
> > down, I'll get back in another ~7h.
> 
> In order to fix the CVEs of ruby-rails-html-sanitizer (also in
> dla-needed), we need to ensure that the newer methods that the library
> uses from newer loofah are backported. Some of these methods would've
> been backported by you already (as a part of fixing the CVEs in
> ruby-loofah) and there might be some remaining.

Well, in short here is what has changed in loofah:

- CVE-2022-23514: just a programmatic change; shouldn't affect anybody
- CVE-2022-23515: data:svg+xml no longer allowed
- CVE-2022-23516: there is a behavioral change (see the thread); that one
probably needs the most care

I'm not quite sure how much code duplication there actually is, or if
the issues are fixed by fixing loofah. I would have looked myself, but
I haven't been assigned any official hours yet :)

> I could do a thorough review of your patches if you'd like?

Sure, please do so.

> (let me
> know) and make sure that we have everything that we might need for
> ruby-rails-html-sanitizer, too. I also propose that we release the two
> around the same time (after
> smoke-testing, ensuring that the two work well with each other).

So far it still builds and tests successfully. Please let me know if
you see any issues.

> I
> suppose everyone using rails-html-sanitizer should be using loofah,
> too, so it's important we fix both and test them well. :)

I agree. Please let me know of your results.

Regards, Daniel
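To make the CVE-2022-23515 item above concrete for anyone testing the backport: the change is that a sanitizer stops keeping data: URIs whose media type is image/svg+xml, because SVG is XML and can carry scripts and event handlers. The following is an added illustration, not loofah's or rails-html-sanitizer's own code; the allowlists, function names and attribute names are assumptions chosen for the example, and the sample URIs are constructed.

```ruby
# Added example, not loofah's code: a minimal data: URI policy modelled on the
# CVE-2022-23515 behaviour change. Allowlists and names are assumptions.

# Media types the pre-fix policy (assumed here) accepted inside data: URIs.
OLD_ALLOWED_DATA_MEDIATYPES = %w[image/gif image/jpeg image/png image/svg+xml text/plain].freeze

# Hardened policy: the same list without image/svg+xml.
NEW_ALLOWED_DATA_MEDIATYPES = (OLD_ALLOWED_DATA_MEDIATYPES - ["image/svg+xml"]).freeze

# Attribute names treated as URL-bearing (assumption for the example).
URL_ATTRIBUTES = %w[src href].freeze

# Extract the media type from a data: URI (RFC 2397: data:[<mediatype>][;base64],<data>).
# Returns nil when the value is not a well-formed data: URI. An omitted media
# type defaults to text/plain as the RFC specifies.
def data_uri_mediatype(uri)
  return nil unless uri.is_a?(String)
  m = uri.strip.match(/\Adata:([^,;]*)(?:;[^,]*)?,/i)
  return nil unless m
  type = m[1].downcase
  type.empty? ? "text/plain" : type
end

# Decide whether an attribute value may be kept under the given policy.
# Non-data: values pass through here (a real sanitizer applies its own
# protocol allowlist to those); data: URIs survive only if their media type
# is allowed.
def safe_attribute_value?(value, allowed: NEW_ALLOWED_DATA_MEDIATYPES)
  return true unless value.to_s.strip.downcase.start_with?("data:")
  type = data_uri_mediatype(value)
  !type.nil? && allowed.include?(type)
end

# Apply the policy to one element's attributes (a name => value hash) and
# return the attributes that survive scrubbing.
def scrub_url_attributes(attrs, allowed: NEW_ALLOWED_DATA_MEDIATYPES)
  attrs.reject do |name, value|
    URL_ATTRIBUTES.include?(name.to_s.downcase) &&
      !safe_attribute_value?(value, allowed: allowed)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from any real document.
  svg = "data:image/svg+xml;base64,PHN2Zz48L3N2Zz4="
  png = "data:image/png;base64,iVBORw0KGgo="
  puts "old policy keeps svg: #{safe_attribute_value?(svg, allowed: OLD_ALLOWED_DATA_MEDIATYPES)}"
  puts "new policy keeps svg: #{safe_attribute_value?(svg)}"
  puts "new policy keeps png: #{safe_attribute_value?(png)}"
  p scrub_url_attributes({ "src" => svg, "alt" => "logo" })
end
```

Running the same attribute through both policies is a quick way to confirm, after the backport, that an <img src="data:image/svg+xml..."> is stripped while ordinary PNG data URIs and plain https: links are left alone.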