[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFC: ruby-loofah 2.2.3-1+deb10u2

Hi Daniel,

On 13/03/2023 23:18, Daniel Leidert wrote:

Hi there,

I prepared my first LTS update. You can find it here:

https://salsa.debian.org/lts-team/packages/ruby-loofah

When I ran some test cases to see if all the vulnerabilities are fixed,
I discovered that there is a slight behavioral change:

As part of the fix for CVE-2022-23516, loofah will no longer remove
nested <script> sections, but escape the tags instead. They also
adjusted their tests for that. To demonstrate:

This:

<div><script><script>alert(1);</script></script></div>

resulted in:

<div>alert(1);</div>

and now it results in:

<div>&lt;script&gt;&lt;script&gt;alert(1);&lt;/script&gt;&lt;/script&gt;</div>

What do you think? I wonder if that is an acceptable change?


Without looking in detail, my question would be:
Is the output change likely to cause issues to loofah users? If not, then keep the patch.
Otherwise: is that a necessary change to fix the recursion? If so, then it is acceptable, but you may want to include a note in the DLA or in NEWS.Debian. If not, then it may be better to fix this in a way that doesn't change the output. 

Cheers,
Emilio
Reply to: