Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal
Hiya, rails seemed to be affected by CVE-2020-5267. This has been fixed in Sid and Jessie already. Here's the debdiff: 8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------ diff -Nru rails-5.2.2.1+dfsg/debian/changelog rails-5.2.2.1+dfsg/debian/changelog --- rails-5.2.2.1+dfsg/debian/changelog 2019-03-17 17:44:07.000000000 +0530 +++ rails-5.2.2.1+dfsg/debian/changelog 2020-03-22 18:47:31.000000000 +0530 @@ -1,3 +1,11 @@ +rails (2:5.2.2.1+dfsg-1+deb10u1) buster; urgency=high + + * Team upload. + * Add patch to fix possible XSS vector in JS escape helper. + (Fixes: CVE-2020-5267) (Closes: #954304) + + -- Utkarsh Gupta <utka...@debian.org> Sun, 22 Mar 2020 18:47:31 +0530 + rails (2:5.2.2.1+dfsg-1) unstable; urgency=medium * Team upload diff -Nru rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch --- rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch 1970-01-01 05:30:00.000000000 +0530 +++ rails-5.2.2.1+dfsg/debian/patches/CVE-2020-5267.patch 2020-03-22 18:47:04.000000000 +0530 @@ -0,0 +1,48 @@ +Description: Fix possible XSS vector in JS escape helper + This commit escapes dollar signs and backticks to prevent + JS XSS issues when using the `j` or `javascript_escape` helper +Author: Aaron Patterson <aaron.patter...@gmail.com> +Author: Utkarsh Gupta <utka...@debian.org> +Origin: https://www.openwall.com/lists/oss-security/2020/03/19/1/1 +Bug-Debian: https://bugs.debian.org/954304 +Last-Update: 2020-03-19 + +--- a/actionview/lib/action_view/helpers/javascript_helper.rb ++++ b/actionview/lib/action_view/helpers/javascript_helper.rb +@@ -12,7 +12,9 @@ + "\n" => '\n', + "\r" => '\n', + '"' => '\\"', +- "'" => "\\'" ++ "'" => "\\'", ++ "`" => "\\`", ++ "$" => "\\$" + } + + JS_ESCAPE_MAP["\342\200\250".dup.force_encoding(Encoding::UTF_8).encode!] = "
" +@@ -26,7 +28,7 @@ + # $('some_element').replaceWith('<%= j render 'some/element_template' %>'); + def escape_javascript(javascript) + if javascript +- result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] } ++ result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP) + javascript.html_safe? ? result.html_safe : result + else + "" +--- a/actionview/test/template/javascript_helper_test.rb ++++ b/actionview/test/template/javascript_helper_test.rb +@@ -32,6 +32,14 @@ + assert_equal %(dont <\\/close> tags), j(%(dont </close> tags)) + end + ++ def test_escape_backtick ++ assert_equal "\\`", escape_javascript("`") ++ end ++ ++ def test_escape_dollar_sign ++ assert_equal "\\$", escape_javascript("$") ++ end ++ + def test_escape_javascript_with_safebuffer + given = %('quoted' "double-quoted" new-line:\n </closed>) + expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>) diff -Nru rails-5.2.2.1+dfsg/debian/patches/series rails-5.2.2.1+dfsg/debian/patches/series --- rails-5.2.2.1+dfsg/debian/patches/series 2019-03-17 17:44:07.000000000 +0530 +++ rails-5.2.2.1+dfsg/debian/patches/series 2020-03-22 18:46:39.000000000 +0530 @@ -1,2 +1,3 @@ 0001-Be-careful-with-that-bundler.patch 0002-disable-uglify-in-activestorage-rollup-config-js.patch +CVE-2020-5267.patch 8<------8<------8<------8<------8<------8<------8<------8<------8<------8<------ Best, Utkarsh --- -- System Information: Debian Release: bullseye/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
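Review bot: in the DEP-3 header of debian/patches/CVE-2020-5267.patch, the Description names the helper `javascript_escape`, but the method the hunk touches is `escape_javascript` (aliased as `j`, per the `j render` example in the context line). Worth correcting to `escape_javascript` so the patch description matches the code it modifies.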
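Review bot: the `@@ -26,7 +28,7 @@` hunk in javascript_helper.rb changes `gsub` from the block form (`{ |match| JS_ESCAPE_MAP[match] }`) to the hash form (`gsub(regex, JS_ESCAPE_MAP)`). With a hash replacement, a match whose string is not a key in the hash is replaced by the empty string rather than left alone, so the fix now silently depends on every alternative in the regex (`\\`, `</`, `\r\n`, the U+2028/U+2029 entries set up below the first hunk, and the new `` ` `` and `$`) having an entry in JS_ESCAPE_MAP; the `\\`, `</` and `\r\n` entries sit above the visible context, so please confirm they are present in the 5.2.2.1 map before upload. As a style point, `|[`]|[$]` could be folded into the existing `[\n\r"']` class, but if the body is copied verbatim from the upstream fix linked in `Origin:`, keeping it byte-identical is the better choice for future rebases.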
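Review bot: the `@@ -32,6 +32,14 @@` hunk in javascript_helper_test.rb only checks the two new characters in isolation. A third case on a mixed string, e.g. `assert_equal "\\${x}", escape_javascript("${x}")`, would show the new escapes compose with surrounding text and, now that `gsub` takes the hash directly, that nothing else in the input is dropped; cheap to add and it covers the regression the hash-form change could introduce.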