
Bug#954714: buster-pu: package rails/2:5.2.2.1+dfsg-1+deb10u1



Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

Hiya,

rails seemed to be affected by CVE-2020-5267.
This has been fixed in Sid and Jessie already.

Here's the debdiff:
8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------

diff -Nru rails-5.2.2.1+dfsg/debian/changelog
rails-5.2.2.1+dfsg/debian/changelog
--- rails-5.2.2.1+dfsg/debian/changelog    2019-03-17 17:44:07.000000000 +0530
+++ rails-5.2.2.1+dfsg/debian/changelog    2020-03-22 18:47:31.000000000 +0530
@@ -1,3 +1,11 @@
+rails (2:5.2.2.1+dfsg-1+deb10u1) buster; urgency=high
+
+  * Team upload.
+  * Add patch to fix possible XSS vector in JS escape helper.
+    (Fixes: CVE-2020-5267) (Closes: #954304)
+
+ -- Utkarsh Gupta <utkarsh@debian.org>  Sun, 22 Mar 2020 18:47:31 +0530
+
 rails (2:5.2.2.1+dfsg-1) unstable; urgency=medium

   * Team upload
diff -Nru rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
--- rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
1970-01-01 05:30:00.000000000 +0530
+++ rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch
2020-03-22 18:47:04.000000000 +0530
@@ -0,0 +1,48 @@
+Description: Fix possible XSS vector in JS escape helper
+ This commit escapes dollar signs and backticks to prevent
+ JS XSS issues when using the `j` or `javascript_escape` helper
+Author: Aaron Patterson <aaron.patterson@gmail.com>
+Author: Utkarsh Gupta <utkarsh@debian.org>
+Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1
+Bug-Debian: https://bugs.debian.org/954304
+Last-Update: 2020-03-19
+
+--- a/actionview/lib/action_view/helpers/javascript_helper.rb
++++ b/actionview/lib/action_view/helpers/javascript_helper.rb
+@@ -12,7 +12,9 @@
+         "\n"    => '\n',
+         "\r"    => '\n',
+         '"'     => '\\"',
+-        "'"     => "\\'"
++        "'"     => "\\'",
++        "`"     => "\\`",
++        "$"     => "\\$"
+       }
+
+       JS_ESCAPE_MAP["\342\200\250".dup.force_encoding(Encoding::UTF_8).encode!]
= "&#x2028;"
+@@ -26,7 +28,7 @@
+       #   $('some_element').replaceWith('<%= j render
'some/element_template' %>');
+       def escape_javascript(javascript)
+         if javascript
+-          result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {
|match| JS_ESCAPE_MAP[match] }
++          result =
javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u,
JS_ESCAPE_MAP)
+           javascript.html_safe? ? result.html_safe : result
+         else
+           ""
+--- a/actionview/test/template/javascript_helper_test.rb
++++ b/actionview/test/template/javascript_helper_test.rb
+@@ -32,6 +32,14 @@
+     assert_equal %(dont <\\/close> tags), j(%(dont </close> tags))
+   end
+
++  def test_escape_backtick
++    assert_equal "\\`", escape_javascript("`")
++  end
++
++  def test_escape_dollar_sign
++    assert_equal "\\$", escape_javascript("$")
++  end
++
+   def test_escape_javascript_with_safebuffer
+     given = %('quoted' "double-quoted" new-line:\n </closed>)
+     expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
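Review bot: the DEP-3 Description line `+ JS XSS issues when using the `j` or `javascript_escape` helper` names a helper that does not match the method this patch actually modifies, which is `escape_javascript` (with `j` as its alias, as the `<%= j render ... %>` comment in the same hunk shows); consider changing the Description to `escape_javascript` so the patch metadata matches the code. The two added tests each cover a single isolated character; extending the input of the existing `test_escape_javascript_with_safebuffer` test to include a backtick and a dollar sign alongside the quotes and `</closed>` would additionally confirm that the new `[`]|[$]` alternatives work inside the combined regex and that the `html_safe?` branch still returns the escaped result.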
diff -Nru rails-5.2.2.1+dfsg/debian/patches/series
rails-5.2.2.1+dfsg/debian/patches/series
--- rails-5.2.2.1+dfsg/debian/patches/series    2019-03-17
17:44:07.000000000 +0530
+++ rails-5.2.2.1+dfsg/debian/patches/series    2020-03-22
18:46:39.000000000 +0530
@@ -1,2 +1,3 @@
 0001-Be-careful-with-that-bundler.patch
 0002-disable-uglify-in-activestorage-rollup-config-js.patch
+CVE-2020-5267.patch

8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------


Best,
Utkarsh
---

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

