Bug#954664: stretch-pu: package rails/2:4.2.7.1-1+deb9u2
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal
Hiya,
rails seemed to be affected by CVE-2020-5267.
This has been fixed in Sid and Jessie already.
Here's the debdiff:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------
diff -Nru rails-4.2.7.1/debian/changelog rails-4.2.7.1/debian/changelog
--- rails-4.2.7.1/debian/changelog 2019-04-18 20:21:20.000000000 +0530
+++ rails-4.2.7.1/debian/changelog 2020-03-22 18:05:32.000000000 +0530
@@ -1,3 +1,11 @@
+rails (2:4.2.7.1-1+deb9u2) stretch; urgency=high
+
+ * Team upload.
+ * Add patch to fix possible XSS vector in JS escape helper.
+ (Fixes: CVE-2020-5267) (Closes: #954304)
+
+ -- Utkarsh Gupta <utkarsh@debian.org> Sun, 22 Mar 2020 18:05:32 +0530
+
rails (2:4.2.7.1-1+deb9u1) stretch; urgency=medium
* CVE-2018-16476 (Closes: #914847)
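Review bot: the changelog entry records the CVE and bug number but not that the fix is a backport of the upstream actionview change; consider naming the patch file (`CVE-2020-5267.patch`) and the advisory it came from (the patch header's Origin line, https://www.openwall.com/lists/oss-security/2020/03/19/1/1) so the stretch changelog matches the patch metadata. `urgency=high` is the right choice for a security update.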
diff -Nru rails-4.2.7.1/debian/patches/CVE-2020-5267.patch
rails-4.2.7.1/debian/patches/CVE-2020-5267.patch
--- rails-4.2.7.1/debian/patches/CVE-2020-5267.patch 1970-01-01
05:30:00.000000000 +0530
+++ rails-4.2.7.1/debian/patches/CVE-2020-5267.patch 2020-03-22
18:05:00.000000000 +0530
@@ -0,0 +1,48 @@
+Description: Fix possible XSS vector in JS escape helper
+ This commit escapes dollar signs and backticks to prevent
+ JS XSS issues when using the `j` or `javascript_escape` helper
+Author: Aaron Patterson <aaron.patterson@gmail.com>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1
+Bug-Debian: https://bugs.debian.org/954304
+Last-Update: 2020-03-19
+
+--- a/actionview/lib/action_view/helpers/javascript_helper.rb
++++ b/actionview/lib/action_view/helpers/javascript_helper.rb
+@@ -10,7 +10,9 @@
+ "\n" => '\n',
+ "\r" => '\n',
+ '"' => '\\"',
+- "'" => "\\'"
++ "'" => "\\'",
++ "`" => "\\`",
++ "$" => "\\$"
+ }
+
+ JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!]
= '
'
+@@ -24,7 +26,7 @@
+ # $('some_element').replaceWith('<%=j render
'some/element_template' %>');
+ def escape_javascript(javascript)
+ if javascript
+- result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u)
{|match| JS_ESCAPE_MAP[match] }
++ result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u,
JS_ESCAPE_MAP)
+ javascript.html_safe? ? result.html_safe : result
+ else
+ ''
+--- a/actionview/test/template/javascript_helper_test.rb
++++ b/actionview/test/template/javascript_helper_test.rb
+@@ -33,6 +33,14 @@
+ assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
+ end
+
++ def test_escape_backtick
++ assert_equal "\\`", escape_javascript("`")
++ end
++
++ def test_escape_dollar_sign
++ assert_equal "\\$", escape_javascript("$")
++ end
++
+ def test_escape_javascript_with_safebuffer
+ given = %('quoted' "double-quoted" new-line:\n </closed>)
+ expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
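Review bot: the context line `JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = ...` appears to carry the raw U+2028 line separator as its value, which the mailer has rendered as a line break in the quoted hunk; check that the patch in the source package still applies cleanly with quilt, since context lines containing raw Unicode separators are fragile across mail and encoding round-trips. On the code itself: the new alternation `|[`]|[$]` is equivalent to adding both characters to the existing class (`[\n\r"'`$]`), but keeping it verbatim from upstream is preferable for future backports. Switching from the block form `{|match| JS_ESCAPE_MAP[match] }` to passing `JS_ESCAPE_MAP` directly to `gsub` is behaviour-preserving only while every regex alternative is a key of the map, so the two new map entries and the two new alternatives must stay in step; the added `test_escape_backtick` and `test_escape_dollar_sign` cover each character in isolation, and a test that runs a string containing both through `j` alongside the existing `test_escape_javascript_with_safebuffer` would guard the `html_safe?` path too.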
diff -Nru rails-4.2.7.1/debian/patches/series
rails-4.2.7.1/debian/patches/series
--- rails-4.2.7.1/debian/patches/series 2019-04-18 20:18:04.000000000 +0530
+++ rails-4.2.7.1/debian/patches/series 2020-03-22 18:04:25.000000000 +0530
@@ -4,3 +4,4 @@
0005-relax-json.patch
006-CVE-2018-16476.patch
007-CVE-2019-5418_CVE-2019-5419.patch
+CVE-2020-5267.patch
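Review bot: the new entry `CVE-2020-5267.patch` breaks the numbering convention used by the neighbouring patches (`006-CVE-2018-16476.patch`, `007-CVE-2019-5418_CVE-2019-5419.patch`); naming it `008-CVE-2020-5267.patch` keeps the series ordered and makes the apply order obvious for the next security backport. Appending it last is correct since it touches files the earlier patches do not.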
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------
Best,
Utkarsh
---
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=>
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled