Hi, On Fri, Aug 12, 2016 at 05:18:55PM +0200, Salvatore Bonaccorso wrote: > Source: rails > Version: 2:4.1.8-1 > Severity: important > Tags: security upstream patch > > Hi, > > the following vulnerability was published for rails. > > CVE-2016-6316[0]: > Possible XSS Vulnerability in Action View > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2016-6316 > [1] http://seclists.org/oss-sec/2016/q3/260 > [2] > https://groups.google.com/forum/#!msg/rubyonrails-security/I-VWr034ouk/gGu2FrCwDAAJ > > Please adjust the affected versions in the BTS as needed.
AFAICT you got the versions right already. This issue affects stable, while the other does not. For stable, I have prepared a security update, have successfully tested it on a sample application based on the upstream advisory description. Attached you will find both the debdiff (rails.diff) and the actual backported patch (CVE-2016-6316.patch); the later is easier to read than the diff-in-diff part of the former. For unstable, both issues will be fixed by 2:4.2.7.1-1 (being uploaded RSN)
diff --git a/debian/changelog b/debian/changelog
index aa08ba6..2e09ba0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+rails (2:4.1.8-1+deb8u3) jessie-security; urgency=high
+
+ * Security update
+ * CVE-2016-6316: Possible XSS Vulnerability in Action View
+ (Closes: Bug#834155)
+
+ -- Antonio Terceiro <terce...@debian.org> Mon, 22 Aug 2016 13:35:11 -0300
+
rails (2:4.1.8-1+deb8u2) jessie-security; urgency=high
* Security updates:
diff --git a/debian/patches/CVE-2016-6316.patch b/debian/patches/CVE-2016-6316.patch
new file mode 100644
index 0000000..4381974
--- /dev/null
+++ b/debian/patches/CVE-2016-6316.patch
@@ -0,0 +1,45 @@
+From: Andrew Carpenter <and...@criticaljuncture.org>
+Date: Thu, 28 Jul 2016 16:12:21 -0700
+Subject: ensure tag/content_tag escapes " in attribute vals
+
+Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
+
+CVE-2016-6316
+
+Author: Andrew Carpenter <and...@criticaljuncture.org>
+Backported-by: Antonio Terceiro <terce...@debian.org>
+---
+ actionview/lib/action_view/helpers/tag_helper.rb | 2 +-
+ actionview/test/template/tag_helper_test.rb | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+--- a/actionview/lib/action_view/helpers/tag_helper.rb
++++ b/actionview/lib/action_view/helpers/tag_helper.rb
+@@ -169,7 +169,7 @@ module ActionView
+ def tag_option(key, value, escape)
+ value = value.join(" ") if value.is_a?(Array)
+ value = ERB::Util.h(value) if escape
+- %(#{key}="#{value}")
++ %(#{key}="#{value.gsub(/"/, '"'.freeze)}")
+ end
+ end
+ end
+--- a/actionview/test/template/tag_helper_test.rb
++++ b/actionview/test/template/tag_helper_test.rb
+@@ -116,6 +116,16 @@ class TagHelperTest < ActionView::TestCa
+ end
+ end
+
++ def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
++ assert_dom_equal '<p title=""">content</p>',
++ content_tag('p', "content", title: '"'.html_safe)
++ end
++
++ def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
++ assert_dom_equal '<p data-title=""">content</p>',
++ content_tag('p', "content", data: { title: '"'.html_safe })
++ end
++
+ def test_skip_invalid_escaped_attributes
+ ['&1;', 'dfa3;', '& #123;'].each do |escaped|
+ assert_equal %(<a href="#{escaped.gsub(/&/, '&')}" />), tag('a', :href => escaped)
diff --git a/debian/patches/series b/debian/patches/series
index 2712fbb..5ecf424 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ CVE-2016-0752.patch
CVE-2016-0753.patch
CVE-2016-2097.patch
CVE-2016-2098.patch
+CVE-2016-6316.patch
From: Andrew Carpenter <and...@criticaljuncture.org>
Date: Thu, 28 Jul 2016 16:12:21 -0700
Subject: ensure tag/content_tag escapes " in attribute vals
Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example: `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
CVE-2016-6316
Author: Andrew Carpenter <and...@criticaljuncture.org>
Backported-by: Antonio Terceiro <terce...@debian.org>
---
actionview/lib/action_view/helpers/tag_helper.rb | 2 +-
actionview/test/template/tag_helper_test.rb | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
--- a/actionview/lib/action_view/helpers/tag_helper.rb
+++ b/actionview/lib/action_view/helpers/tag_helper.rb
@@ -169,7 +169,7 @@ module ActionView
def tag_option(key, value, escape)
value = value.join(" ") if value.is_a?(Array)
value = ERB::Util.h(value) if escape
- %(#{key}="#{value}")
+ %(#{key}="#{value.gsub(/"/, '"'.freeze)}")
end
end
end
--- a/actionview/test/template/tag_helper_test.rb
+++ b/actionview/test/template/tag_helper_test.rb
@@ -116,6 +116,16 @@ class TagHelperTest < ActionView::TestCa
end
end
+ def test_tag_does_not_honor_html_safe_double_quotes_as_attributes
+ assert_dom_equal '<p title=""">content</p>',
+ content_tag('p', "content", title: '"'.html_safe)
+ end
+
+ def test_data_tag_does_not_honor_html_safe_double_quotes_as_attributes
+ assert_dom_equal '<p data-title=""">content</p>',
+ content_tag('p', "content", data: { title: '"'.html_safe })
+ end
+
def test_skip_invalid_escaped_attributes
['&1;', 'dfa3;', '& #123;'].each do |escaped|
assert_equal %(<a href="#{escaped.gsub(/&/, '&')}" />), tag('a', :href => escaped)
signature.asc
Description: PGP signature
