Re: [Secure-testing-commits] r7301 - data/CVE
On Thu, 15 Nov 2007 03:00:03 +0100, Nico Golde wrote:
> Hi,
> * micah@alioth.debian.org <micah@alioth.debian.org> [2007-11-15 00:34]:
>> Author: micah
>> Date: 2007-11-14 23:32:02 +0000 (Wed, 14 Nov 2007)
>> New Revision: 7301
>>
>> Modified:
>> data/CVE/list
>> Log:
>> complete fix for rails exists in 1.2.5-1
>>
>> Modified: data/CVE/list
>> =================================================================== ---
>> data/CVE/list 2007-11-14 21:14:11 UTC (rev 7300) +++ data/CVE/
list
>> 2007-11-14 23:32:02 UTC (rev 7301) @@ -7255,7 +7255,7 @@
>> CVE-2007-3228 (PHP remote file inclusion vulnerability in ...)
>> NOT-FOR-US: Sitellite CMS
>> CVE-2007-3227 (Cross-site scripting (XSS) vulnerability in the to_json
>> ...)
>> - - rails 1.2.4-1 (bug #429177)
>> + - rails 1.2.5-1 (bug #429177)
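Review bot: the hunk only moves the fixed version for CVE-2007-3227 from 1.2.4-1 to 1.2.5-1 with no rationale in the entry, even though 1.2.4-1 already carried the two upstream changesets that closed the bug; the commit log's "complete fix" claim should be recorded in the entry itself (a NOTE line pointing at the 1.2.5 changelog wording or the additional escaping in 1.2.5) so the next person auditing this line does not have to rediscover why 1.2.4-1 was judged insufficient.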
>
> [...]
> Is this really the case? From what I see we ship in debian/patches:
> changeset_r6894 and changeset_r6893.1_2_3_modified, and the 1.2.5 release
> fixes some additional regressions. These changesets are in the 1.2.4
> package and the patches are those changesets which closed the bug in
> upstream's trac.
The changelog in the Debian package indicates that the fixes that went
into 1.2.4 weren't enough to resolve the problems; specifically, it says
that the CVE "is really closed now", when it wasn't before:
rails (1.2.5-1) unstable; urgency=high
  * This is a new upstream release that addresses problems not
    corrected in 1.2.4 or regressions.
    + to_json XSS [CVE-2007-3227] is really closed now
    + Potential Information Disclosure or DoS with Hash#from_xml
      [CVE-2007-5379]
    + Session Fixation attacks. [CVE-2007-5380] URL based sessions are
      now disabled by default. Session ids are only accepted from
      cookies by default now.

rails (1.2.4-1) unstable; urgency=low
  * New upstream release. Fixes at least 2 XSS bugs.
    + Secure #sanitize, #strip_tags, and #strip_links helpers against
      xss attacks. Upstream changeset 7589
    + to_json did not escape values which allows for XSS. Applied
      upstream changesets 6893, 6894. This bug as also been assigned
      designation CVE-2007-3227 (closes: #429177)
  * Add dependency on Sqlite3 as ActiveRecord supports this DB as
    well
  * Add dependency on libmocha which is needed by some unit tests
I looked at the actual patches contained in each debian/patches
directory, but there were no differences; in fact there are no differences
between the two debian diff.gz's. However, there is a minor version number
bump, and I figured that the maintainer had a valid reason to believe
this issue wasn't fixed in the patch included in 1.2.4; my guess is that
it has to do with the regressions that were introduced in 1.2.4[1]. If
you look at the differences between 1.2.4 and 1.2.5 there are a number of
json related changes. I can't seem to find the details of the
vulnerability to really nail this down, and I don't know Ruby well enough to
really tell, but these differences seem to be adding 4 new escaped values,
which weren't there before:
Only in rails-1.2.4/activesupport/test: json.rb
Only in rails-1.2.5/activesupport/test: json_test.rb
diff -ur rails-1.2.4/activesupport/lib/active_support/json/encoders/
core.rb rails-1.2.5/activesupport/lib/active_support/json/encoders/core.rb
--- rails-1.2.4/activesupport/lib/active_support/json/encoders/core.rb
2007-10-09 13:52:25.000000000 -0400
+++ rails-1.2.5/activesupport/lib/active_support/json/encoders/core.rb
2007-10-14 21:58:22.000000000 -0400
@@ -23,12 +23,14 @@
"\n" => '\n',
"\r" => '\r',
"\t" => '\t',
- '"' => '\"',
- '\\' => '\\\\'
+ '"' => '\"',
+ '\\' => '\\\\',
+ '<' => '\\074',
+ '>' => '\\076'
}
define_encoder String do |string|
- '"' + string.gsub(/[\010\f\n\r\t"\\]/) { |s|
+ '"' + string.gsub(/[\010\f\n\r\t"\\<>]/) { |s|
ESCAPED_CHARS[s]
}.gsub(/([\xC0-\xDF][\x80-\xBF]|
[\xE0-\xEF][\x80-\xBF]{2}|
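Review bot: the new '<' => '\\074' and '>' => '\\076' entries emit octal escapes (\074, \076) into the output; JavaScript string literals accept those, but the JSON grammar (RFC 4627) only defines \uXXXX as a numeric escape, so a strict JSON parser will reject any string that contained an angle bracket. '\u003C' / '\u003E' give the same protection when the output is inlined into a script block and keep the result valid JSON. The character class in the String encoder, gsub(/[\010\f\n\r\t"\\<>]/), is extended consistently with the two new table keys, so the table and the regexp stay in sync.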
1. http://groups.google.com/group/rubyonrails-security/browse_thread/thread/034c7766ca4d5505
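Added example (not code from the email or from the Rails tree): a minimal stand-in for the String encoder in activesupport's json/encoders/core.rb, written once with the 1.2.4 escape table and once with the 1.2.5 table from the diff above, so the effect of the two extra entries can be checked directly. It also adds a third table that uses \uXXXX escapes, which is this example's own variant and not what Rails 1.2.5 shipped. The ESCAPED_CHARS_* constants, the encode_* methods and the raw_angle_brackets? check are names invented for this example, and the sample string is constructed.

```ruby
# Added example, not from the email or the Rails source. Names below are this
# example's own; the escape tables mirror the 1.2.4 and 1.2.5 hunks quoted above.

# Escape table as shipped in rails 1.2.4: control characters, quote and backslash.
ESCAPED_CHARS_124 = {
  "\010" => '\b',
  "\f"   => '\f',
  "\n"   => '\n',
  "\r"   => '\r',
  "\t"   => '\t',
  '"'    => '\"',
  '\\'   => '\\\\'
}.freeze

# The 1.2.5 change from the diff: '<' and '>' are added as octal escapes.
ESCAPED_CHARS_125 = ESCAPED_CHARS_124.merge(
  '<' => '\\074',
  '>' => '\\076'
).freeze

# Variant added by this example (not shipped by Rails 1.2.5): \uXXXX escapes,
# which both JavaScript string literals and the JSON grammar accept.
ESCAPED_CHARS_UNICODE = ESCAPED_CHARS_124.merge(
  '<' => '\u003C',
  '>' => '\u003E'
).freeze

# 1.2.4 encoder: angle brackets are not in the character class, so they pass through.
def encode_124(string)
  '"' + string.gsub(/[\010\f\n\r\t"\\]/) { |s| ESCAPED_CHARS_124[s] } + '"'
end

# 1.2.5 encoder: the class now includes < and >, looked up in the extended table.
def encode_125(string)
  '"' + string.gsub(/[\010\f\n\r\t"\\<>]/) { |s| ESCAPED_CHARS_125[s] } + '"'
end

# Same matching, but emitting \u003C / \u003E so the output stays valid JSON.
def encode_unicode(string)
  '"' + string.gsub(/[\010\f\n\r\t"\\<>]/) { |s| ESCAPED_CHARS_UNICODE[s] } + '"'
end

# A JSON string literal can be inlined into an HTML script block only if no raw
# '<' or '>' survives encoding; a surviving closing tag would end the script
# element and the rest of the value would be parsed as markup (the CVE-2007-3227 vector).
def raw_angle_brackets?(json)
  json.include?('<') || json.include?('>')
end

if __FILE__ == $0
  sample = '<b>constructed sample</b>'   # constructed input for the demonstration
  [['1.2.4', encode_124(sample)],
   ['1.2.5', encode_125(sample)],
   ['unicode', encode_unicode(sample)]].each do |label, json|
    puts "#{label}: #{json}  raw brackets left: #{raw_angle_brackets?(json)}"
  end
end
```

Run it with plain ruby; the 1.2.4 line keeps the tags verbatim, while the 1.2.5 line shows them as \074 and \076, which is exactly the difference the diff.gz comparison in the message could not reveal because the Debian patches themselves were unchanged.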