
Re: ruby-loofah 2.0.3-2 (stretch) update (CVE-2018-8048)



Hi all,

On 18-03-22 17:21:15, Georg Faerber wrote:
> I would like to fix CVE-2018-8048, which is currently present in
> ruby-loofah 2.0.3-2 in stretch. Do you prefer a "straight" upload done
> by you, or should this be instead an upload via stretch-pu?
> 
> In any case, I'll prepare a patch.

I've prepared the upload. Changes pushed to git in branch
debian/stretch, see below for the debdiff and some notes:

--

$ debdiff ruby-loofah_2.0.3-2.dsc ruby-loofah_2.0.3-2+deb9u1.dsc
diff -Nru ruby-loofah-2.0.3/debian/changelog ruby-loofah-2.0.3/debian/changelog
--- ruby-loofah-2.0.3/debian/changelog	2016-01-07 14:22:29.000000000 +0100
+++ ruby-loofah-2.0.3/debian/changelog	2018-03-24 16:13:55.000000000 +0100
@@ -1,3 +1,10 @@
+ruby-loofah (2.0.3-2+deb9u1) stretch-security; urgency=high
+
+  * Introduce upstream patch to address a potential cross-site scripting
+    vulnerability caused by libxml >= 2.9.2. (Closes: #893596) (CVE-2018-8048)
+
+ -- Georg Faerber <georg@riseup.net>  Sat, 24 Mar 2018 16:13:55 +0100
+
 ruby-loofah (2.0.3-2) unstable; urgency=medium
 
   * fix-tests-assert.patch: Patch to fix test failures (Closes: #808449) 
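
Review bot: The new entry's only bullet ("Introduce upstream patch ...") names neither the patch file nor the upstream commit it was taken from. Consider mentioning debian/patches/CVE-2018-8048.patch and the upstream commit given at [1] in this mail, so that the changelog on its own identifies what was applied.
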
diff -Nru ruby-loofah-2.0.3/debian/patches/CVE-2018-8048.patch ruby-loofah-2.0.3/debian/patches/CVE-2018-8048.patch
--- ruby-loofah-2.0.3/debian/patches/CVE-2018-8048.patch	1970-01-01 01:00:00.000000000 +0100
+++ ruby-loofah-2.0.3/debian/patches/CVE-2018-8048.patch	2018-03-24 16:13:55.000000000 +0100
@@ -0,0 +1,55 @@
+--- a/lib/loofah.rb
++++ b/lib/loofah.rb
+@@ -6,6 +6,7 @@
+ require 'loofah/elements'
+ 
+ require 'loofah/html5/whitelist'
++require 'loofah/html5/libxml2_workarounds'
+ require 'loofah/html5/scrub'
+ 
+ require 'loofah/scrubber'
+--- /dev/null
++++ b/lib/loofah/html5/libxml2_workarounds.rb
+@@ -0,0 +1,12 @@
++require 'set'
++module Loofah
++  module LibxmlWorkarounds
++    BROKEN_ESCAPING_ATTRIBUTES = Set.new %w[
++        href
++        action
++        src
++        name
++      ]
++    BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG = {"name" => "a"}
++  end
++end
+--- a/lib/loofah/html5/scrub.rb
++++ b/lib/loofah/html5/scrub.rb
+@@ -54,6 +54,7 @@
+           node.attribute_nodes.each do |attr_node|
+             node.remove_attribute(attr_node.name) if attr_node.value !~ /[^[:space:]]/
+           end
++          force_correct_attribute_escaping! node
+         end
+ 
+         def scrub_css_attribute node
+@@ -89,6 +90,19 @@
+           style = clean.join(' ')
+         end
+ 
++        private
++        def force_correct_attribute_escaping! node
++          return unless Nokogiri::VersionInfo.instance.libxml2?
++          node.attribute_nodes.each do |attr_node|
++            next unless LibxmlWorkarounds::BROKEN_ESCAPING_ATTRIBUTES.include?(attr_node.name)
++            tag_name = LibxmlWorkarounds::BROKEN_ESCAPING_ATTRIBUTES_QUALIFYING_TAG[attr_node.name]
++            next unless tag_name.nil? || tag_name == node.name
++            encoding = attr_node.value.encoding
++            attr_node.value = attr_node.value.gsub(/[ "]/) do |m|
++              '%' + m.unpack('H2' * m.bytesize).join('%').upcase
++            end.force_encoding(encoding)
++          end
++        end
+       end
+ 
+     end
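
Review bot: debian/patches/CVE-2018-8048.patch begins directly at "--- a/lib/loofah.rb" with no patch header, so the file itself records neither its origin nor the bug it addresses. A short header (description, origin pointing at the upstream commit, Debian bug #893596) changes no code and leaves the delta under lib/ identical. For anyone testing on stretch: force_correct_attribute_escaping! percent-encodes only space and double quote (the /[ "]/ pattern) in href, action, src and name (name only on "a" elements), and returns early unless Nokogiri reports libxml2; the patch touches lib/ only, so no regression test for the escaping ships with it.
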
diff -Nru ruby-loofah-2.0.3/debian/patches/series ruby-loofah-2.0.3/debian/patches/series
--- ruby-loofah-2.0.3/debian/patches/series	2016-01-07 14:18:08.000000000 +0100
+++ ruby-loofah-2.0.3/debian/patches/series	2018-03-24 16:13:55.000000000 +0100
@@ -1,2 +1,3 @@
+CVE-2018-8048.patch
 fix-tests-assert.patch
 dont_require_lib_files.patch
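
Review bot: CVE-2018-8048.patch is inserted at the top of the series, ahead of fix-tests-assert.patch and dont_require_lib_files.patch, so it is applied first and the two existing patches now apply on top of it. Appending it as the last entry would leave the existing patches applying against the same tree as in 2.0.3-2; if the ordering is intentional, a word about it in the changelog would help.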

--

Some notes (doing this for the first time..):

- AFAIK, the delta should be kept as small as possible, that's why I
  didn't add a description for the patch.

- I've closed the bug targeted at unstable via the changelog, again. Not
  sure if this is the correct way? I've used this approach to keep all
  information in one place, which is a good thing, IMHO.

- The package builds fine; I've tested autopkgtest as well.

- I'm not using this package myself, therefore I would be happy to get
  especially feedback from someone using this on stretch.

- Please review this. Find the upstream commit at [1].

Thanks,
cheers,
Georg


[1] https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116
